Citi / scaler

Efficient, lightweight and reliable distributed computation engine

Apache License 2.0

7 stars 3 forks source link

Create dependency-review.yml #5

Closed JamieSlome closed 1 month ago

JamieSlome commented 1 month ago

Adds the Dependency Review GitHub Action to the codebase on opening of pull requests 👍

github-actions[bot] commented 1 month ago

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package

Version

Score

Details

actions/actions/checkout

4.*.*

:green_circle: 7.2

Details

Check	Score	Reason
Code-Review	:green_circle: 10	all changesets reviewed
Maintained	:green_circle: 7	9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7
CII-Best-Practices	:warning: 0	no effort to earn an OpenSSF best practices badge detected
Branch-Protection	:warning: -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
License	:green_circle: 10	license file detected
Signed-Releases	:warning: -1	no releases found
Binary-Artifacts	:green_circle: 10	no binaries found in the repo
Dangerous-Workflow	:green_circle: 10	no dangerous workflow patterns detected
Token-Permissions	:warning: 0	detected GitHub workflow tokens with excessive permissions
SAST	:green_circle: 10	SAST tool is run on all commits
Pinned-Dependencies	:green_circle: 4	dependency not pinned by hash detected -- score normalized to 4
Packaging	:green_circle: 10	packaging workflow detected
Security-Policy	:green_circle: 9	security policy file detected
Fuzzing	:warning: 0	project is not fuzzed
Vulnerabilities	:green_circle: 9	1 existing vulnerabilities detected

actions/actions/dependency-review-action

4.*.*

:green_circle: 7.2

Details

Check	Score	Reason
Maintained	:green_circle: 10	30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Code-Review	:green_circle: 10	all changesets reviewed
CII-Best-Practices	:warning: 0	no effort to earn an OpenSSF best practices badge detected
Branch-Protection	:warning: -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
License	:green_circle: 10	license file detected
Signed-Releases	:warning: -1	no releases found
Dangerous-Workflow	:green_circle: 10	no dangerous workflow patterns detected
Security-Policy	:green_circle: 9	security policy file detected
Packaging	:warning: -1	packaging workflow not detected
Binary-Artifacts	:green_circle: 10	no binaries found in the repo
Token-Permissions	:warning: 0	detected GitHub workflow tokens with excessive permissions
SAST	:green_circle: 9	SAST tool detected but not run on all commits
Pinned-Dependencies	:warning: 1	dependency not pinned by hash detected -- score normalized to 1
Fuzzing	:warning: 0	project is not fuzzed
Vulnerabilities	:green_circle: 10	0 existing vulnerabilities detected

Scanned Manifest Files

.github/workflows/dependency-review.yml

actions/checkout@4.*.*
actions/dependency-review-action@4.*.*