Consider using the ossf scorecard #354

Open
@ibizaman

Description

https://github.com/ossf/scorecard/

My only issue is if there are too many false scores.

Example report on this repo as of a few days ago:

{
    "date": "2024-11-14T01:44:10-07:00",
    "repo": {
        "name": "github.com/ibizaman/selfhostblocks",
        "commit": "fa6cffdc629b229dbb34a5a55e9088bbf2ca1b97"
    },
    "scorecard": {
        "version": "v5.0.0",
        "commit": "ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"
    },
    "score": 4.3,
    "checks": [
        {
            "details": null,
            "score": 10,
            "reason": "no binaries found in the repo",
            "name": "Binary-Artifacts",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts",
                "short": "Determines if the project has generated executable (binary) artifacts in the source repository."
            }
        },
        {
            "details": [
                "Info: 'allow deletion' disabled on branch 'main'",
                "Info: 'force pushes' disabled on branch 'main'",
                "Warn: branch 'main' does not require approvers",
                "Warn: codeowners review is not required on branch 'main'",
                "Info: status check found to merge onto on branch 'main'"
            ],
            "score": 3,
            "reason": "branch protection is not maximal on development and all release branches",
            "name": "Branch-Protection",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection",
                "short": "Determines if the default and release branches are protected with GitHub's branch protection settings."
            }
        },
        {
            "details": null,
            "score": 10,
            "reason": "24 out of 24 merged PRs checked by a CI test -- score normalized to 10",
            "name": "CI-Tests",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests",
                "short": "Determines if the project runs tests before pull requests are merged."
            }
        },
        {
            "details": null,
            "score": 0,
            "reason": "no effort to earn an OpenSSF best practices badge detected",
            "name": "CII-Best-Practices",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices",
                "short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge."
            }
        },
        {
            "details": null,
            "score": 0,
            "reason": "Found 0/24 approved changesets -- score normalized to 0",
            "name": "Code-Review",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review",
                "short": "Determines if the project requires human code review before pull requests (aka merge requests) are merged."
            }
        },
        {
            "details": null,
            "score": 0,
            "reason": "project has 0 contributing companies or organizations -- score normalized to 0",
            "name": "Contributors",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors",
                "short": "Determines if the project has a set of contributors from multiple organizations (e.g., companies)."
            }
        },
        {
            "details": null,
            "score": 10,
            "reason": "no dangerous workflow patterns detected",
            "name": "Dangerous-Workflow",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow",
                "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns."
            }
        },
        {
            "details": [
                "Warn: no dependency update tool configurations found"
            ],
            "score": 0,
            "reason": "no update tool detected",
            "name": "Dependency-Update-Tool",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool",
                "short": "Determines if the project uses a dependency update tool."
            }
        },
        {
            "details": [
                "Warn: no fuzzer integrations found"
            ],
            "score": 0,
            "reason": "project is not fuzzed",
            "name": "Fuzzing",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing",
                "short": "Determines if the project uses fuzzing."
            }
        },
        {
            "details": [
                "Info: project has a license file: LICENSE:0",
                "Info: FSF or OSI recognized license: GNU Affero General Public License v3.0: LICENSE:0"
            ],
            "score": 10,
            "reason": "license file detected",
            "name": "License",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license",
                "short": "Determines if the project has defined a license."
            }
        },
        {
            "details": null,
            "score": 10,
            "reason": "30 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10",
            "name": "Maintained",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained",
                "short": "Determines if the project is \"actively maintained\"."
            }
        },
        {
            "details": [
                "Warn: no GitHub/GitLab publishing workflow detected."
            ],
            "score": -1,
            "reason": "packaging workflow not detected",
            "name": "Packaging",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging",
                "short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall."
            }
        },
        {
            "details": [
                "Warn: third-party GitHubAction not pinned by hash: .github/workflows/auto-merge.yaml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/auto-merge.yaml/main?enable=pin",
                "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yaml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/build.yaml/main?enable=pin",
                "Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yaml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/build.yaml/main?enable=pin",
                "Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yaml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/build.yaml/main?enable=pin",
                "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yaml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/build.yaml/main?enable=pin",
                "Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yaml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/build.yaml/main?enable=pin",
                "Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yaml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/build.yaml/main?enable=pin",
                "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yaml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/build.yaml/main?enable=pin",
                "Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yaml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/build.yaml/main?enable=pin",
                "Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yaml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/build.yaml/main?enable=pin",
                "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/demo.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/demo.yml/main?enable=pin",
                "Warn: third-party GitHubAction not pinned by hash: .github/workflows/demo.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/demo.yml/main?enable=pin",
                "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/demo.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/demo.yml/main?enable=pin",
                "Warn: third-party GitHubAction not pinned by hash: .github/workflows/demo.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/demo.yml/main?enable=pin",
                "Warn: third-party GitHubAction not pinned by hash: .github/workflows/demo.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/demo.yml/main?enable=pin",
                "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lock-update.yaml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/lock-update.yaml/main?enable=pin",
                "Warn: third-party GitHubAction not pinned by hash: .github/workflows/lock-update.yaml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/lock-update.yaml/main?enable=pin",
                "Warn: third-party GitHubAction not pinned by hash: .github/workflows/lock-update.yaml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/lock-update.yaml/main?enable=pin",
                "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/pages.yml/main?enable=pin",
                "Warn: third-party GitHubAction not pinned by hash: .github/workflows/pages.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/pages.yml/main?enable=pin",
                "Warn: third-party GitHubAction not pinned by hash: .github/workflows/pages.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/pages.yml/main?enable=pin",
                "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/pages.yml/main?enable=pin",
                "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/pages.yml/main?enable=pin",
                "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/ibizaman/selfhostblocks/pages.yml/main?enable=pin",
                "Info:   0 out of  10 GitHub-owned GitHubAction dependencies pinned",
                "Info:   0 out of  14 third-party GitHubAction dependencies pinned"
            ],
            "score": 0,
            "reason": "dependency not pinned by hash detected -- score normalized to 0",
            "name": "Pinned-Dependencies",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies",
                "short": "Determines if the project has declared and pinned the dependencies of its build process."
            }
        },
        {
            "details": [
                "Warn: 0 commits out of 30 are checked with a SAST tool"
            ],
            "score": 0,
            "reason": "SAST tool is not run on all commits -- score normalized to 0",
            "name": "SAST",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast",
                "short": "Determines if the project uses static code analysis."
            }
        },
        {
            "details": [
                "Warn: no security policy file detected",
                "Warn: no security file to analyze",
                "Warn: no security file to analyze",
                "Warn: no security file to analyze"
            ],
            "score": 0,
            "reason": "security policy file not detected",
            "name": "Security-Policy",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy",
                "short": "Determines if the project has published a security policy."
            }
        },
        {
            "details": null,
            "score": -1,
            "reason": "no releases found",
            "name": "Signed-Releases",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases",
                "short": "Determines if the project cryptographically signs release artifacts."
            }
        },
        {
            "details": [
                "Warn: no topLevel permission defined: .github/workflows/auto-merge.yaml:1",
                "Warn: no topLevel permission defined: .github/workflows/build.yaml:1",
                "Warn: no topLevel permission defined: .github/workflows/demo.yml:1",
                "Warn: no topLevel permission defined: .github/workflows/lock-update.yaml:1",
                "Info: topLevel 'contents' permission set to 'read': .github/workflows/pages.yml:11",
                "Info: no jobLevel write permissions found"
            ],
            "score": 0,
            "reason": "detected GitHub workflow tokens with excessive permissions",
            "name": "Token-Permissions",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions",
                "short": "Determines if the project's workflows follow the principle of least privilege."
            }
        },
        {
            "details": null,
            "score": 10,
            "reason": "0 existing vulnerabilities detected",
            "name": "Vulnerabilities",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities",
                "short": "Determines if the project has open, known unfixed vulnerabilities."
            }
        }
    ],
    "metadata": null
}
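The checks that drive this report's low score are mostly CI hygiene rather than bugs: `Pinned-Dependencies` flags every `uses:` that references an action by a mutable tag instead of a full commit SHA, `Token-Permissions` flags workflows with no top-level `permissions:` block (so `GITHUB_TOKEN` gets the repository's default, possibly write, scopes), and `-1` on `Packaging` and `Signed-Releases` means "could not evaluate", not "failed". The script below is an added example, not part of this issue or of the selfhostblocks project: it consumes the JSON shape shown above to gate on a chosen set of checks while ignoring `-1`, pulls the `file:line` locations out of the `Warn:` details, and re-implements the two workflow checks locally on a constructed workflow so the distinction between a tag and a SHA pin is visible. The abbreviated report, the workflow text, the commit SHA in it and all function names are constructed for illustration.

```python
import json
import re

# Constructed, abbreviated scorecard report in the same shape as the one
# quoted in the issue (only a handful of checks; scores are illustrative).
SAMPLE_REPORT = json.dumps({
    "score": 4.3,
    "checks": [
        {"name": "Dangerous-Workflow", "score": 10, "details": None},
        {"name": "Token-Permissions", "score": 0,
         "details": ["Warn: no topLevel permission defined: .github/workflows/build.yaml:1"]},
        {"name": "Pinned-Dependencies", "score": 0,
         "details": ["Warn: third-party GitHubAction not pinned by hash: "
                     ".github/workflows/build.yaml:26: update your workflow"]},
        {"name": "Signed-Releases", "score": -1, "details": None},
        {"name": "Fuzzing", "score": 0, "details": ["Warn: no fuzzer integrations found"]},
    ],
})

# Checks worth blocking a merge on; low scores elsewhere (Fuzzing, Contributors)
# are informational for a small project. Assumed policy, not scorecard's.
GATED_CHECKS = {"Dangerous-Workflow", "Token-Permissions", "Pinned-Dependencies"}


def failing_checks(report_json, threshold=10, gated=GATED_CHECKS):
    """Return (name, score) for gated checks scoring below threshold.

    A score of -1 means scorecard could not evaluate the check (for example
    Signed-Releases when there are no releases); it is skipped, not failed.
    """
    report = json.loads(report_json)
    failing = []
    for check in report["checks"]:
        if check["name"] not in gated or check["score"] < 0:
            continue
        if check["score"] < threshold:
            failing.append((check["name"], check["score"]))
    return sorted(failing)


# Matches the "path:line" prefix scorecard puts in its workflow detail strings.
_LOCATION = re.compile(r"(\.github/workflows/[^:]+):(\d+)")


def flagged_locations(report_json, check_name):
    """Extract (file, line) pairs from a check's Warn details."""
    report = json.loads(report_json)
    locations = []
    for check in report["checks"]:
        if check["name"] != check_name:
            continue
        for detail in check.get("details") or []:
            m = _LOCATION.search(detail) if detail.startswith("Warn:") else None
            if m:
                locations.append((m.group(1), int(m.group(2))))
    return locations


# Constructed workflow with the two weaknesses the report flags: actions
# referenced by mutable tag and no top-level permissions block. The SHA on
# the third step is illustrative; pin to the commit your tag resolves to.
SAMPLE_WORKFLOW = """\
name: build
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@V27
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - run: nix build
"""

_FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
_USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")


def unpinned_uses(workflow_text):
    """Return (line_no, ref) for every `uses:` not pinned to a 40-hex commit SHA."""
    result = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = _USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and container actions are out of scope here
        _, _, version = ref.partition("@")
        if not _FULL_SHA.match(version):
            result.append((line_no, ref))
    return result


def has_top_level_permissions(workflow_text):
    """True when a `permissions:` key appears at column 0 (workflow scope)."""
    return any(line.startswith("permissions:") for line in workflow_text.splitlines())
```

Running `failing_checks` on the real report would return only `Token-Permissions` and `Pinned-Dependencies` from the gated set; the remaining zeros (Fuzzing, SAST, Contributors, CII-Best-Practices) are the "false scores" worry from the description, and the gate simply leaves them out. The fix for the two gated findings is a top-level `permissions: contents: read` plus a full SHA after each `@`, with the tag kept in a trailing comment so Dependabot or Renovate can still bump it.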

Labels

    enhancement (New feature or request)