search

Citi / scaler

Efficient, lightweight and reliable distributed computation engine
Apache License 2.0
12 stars 4 forks source link

OSSF Scorecard #12

Closed JamieSlome closed 2 months ago

JamieSlome commented 2 months ago

Introduces the OSSF Scorecard 🎉

github-actions[bot] commented 2 months ago

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout 692973e3d937129bcbf40652eb9f2f61becf3332 :green_circle: 6.8
Details
CheckScoreReason
Code-Review:green_circle: 10all changesets reviewed
Maintained:green_circle: 45 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4
CII-Best-Practices:warning: 0no effort to earn an OpenSSF best practices badge detected
License:green_circle: 10license file detected
Signed-Releases:warning: -1no releases found
Branch-Protection:warning: -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Binary-Artifacts:green_circle: 10no binaries found in the repo
Dangerous-Workflow:green_circle: 10no dangerous workflow patterns detected
Token-Permissions:warning: 0detected GitHub workflow tokens with excessive permissions
Fuzzing:warning: 0project is not fuzzed
Security-Policy:green_circle: 9security policy file detected
Pinned-Dependencies:green_circle: 4dependency not pinned by hash detected -- score normalized to 4
Packaging:green_circle: 10packaging workflow detected
SAST:green_circle: 10SAST tool is run on all commits
Vulnerabilities:green_circle: 82 existing vulnerabilities detected
actions/ossf/scorecard-action 62b2cac7ed8198b15735ed49ab1e5cf35480ba46 :green_circle: 8.2
Details
CheckScoreReason
Binary-Artifacts:green_circle: 10no binaries found in the repo
Branch-Protection:warning: -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests:green_circle: 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices:warning: 0no effort to earn an OpenSSF best practices badge detected
Code-Review:green_circle: 10all changesets reviewed
Contributors:green_circle: 1020 different organizations found -- score normalized to 10
Dangerous-Workflow:green_circle: 10no dangerous workflow patterns detected
Dependency-Update-Tool:green_circle: 10update tool detected
Fuzzing:warning: 0project is not fuzzed
License:green_circle: 10license file detected
Maintained:green_circle: 1027 commit(s) out of 30 and 0 issue activity out of 30 found in the last 90 days -- score normalized to 10
Packaging:warning: -1no published package detected
Pinned-Dependencies:green_circle: 9dependency not pinned by hash detected -- score normalized to 9
SAST:green_circle: 10SAST tool is run on all commits
Security-Policy:green_circle: 10security policy file detected
Signed-Releases:warning: -1no releases found
Token-Permissions:warning: 0detected GitHub workflow tokens with excessive permissions
Vulnerabilities:green_circle: 10no vulnerabilities detected
actions/step-security/harden-runner 5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde :green_circle: 8.7
Details
CheckScoreReason
Binary-Artifacts:green_circle: 10no binaries found in the repo
Branch-Protection:warning: -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests:green_circle: 1014 out of 14 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices:warning: 0no effort to earn an OpenSSF best practices badge detected
Code-Review:green_circle: 10all changesets reviewed
Contributors:green_circle: 6project has 2 contributing companies or organizations -- score normalized to 6
Dangerous-Workflow:green_circle: 10no dangerous workflow patterns detected
Dependency-Update-Tool:green_circle: 10update tool detected
Fuzzing:warning: 0project is not fuzzed
License:green_circle: 10license file detected
Maintained:green_circle: 1027 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10
Packaging:warning: -1packaging workflow not detected
Pinned-Dependencies:green_circle: 7dependency not pinned by hash detected -- score normalized to 7
SAST:green_circle: 9SAST tool detected but not run on all commits
Security-Policy:green_circle: 10security policy file detected
Signed-Releases:warning: -1no releases found
Token-Permissions:green_circle: 10GitHub workflow tokens follow principle of least privilege
Vulnerabilities:green_circle: 91 existing vulnerabilities detected

Scanned Manifest Files

.github/workflows/scorecard.yml
  • actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
  • ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46
  • step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde