advanced-security / codeql-extractor-iac

CodeQL Extractor, Library, and Queries for Infrastructure as Code

MIT License

38 stars 5 forks source link

feat: Update dependency-review.yml #134

Closed GeekMasher closed 5 months ago

github-actions[bot] commented 5 months ago

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package

Version

Score

Details

actions/advanced-security/reusable-workflows/.github/workflows/dependency-review.yml

main

Unknown

Unknown

actions/actions/checkout

4.*.*

:green_circle: 7.2

Details

Check	Score	Reason
Code-Review	:green_circle: 10	all changesets reviewed
Maintained	:green_circle: 8	10 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8
CII-Best-Practices	:warning: 0	no effort to earn an OpenSSF best practices badge detected
License	:green_circle: 10	license file detected
Dangerous-Workflow	:green_circle: 10	no dangerous workflow patterns detected
Signed-Releases	:warning: -1	no releases found
Token-Permissions	:warning: 0	detected GitHub workflow tokens with excessive permissions
Binary-Artifacts	:green_circle: 10	no binaries found in the repo
Fuzzing	:warning: 0	project is not fuzzed
Branch-Protection	:warning: -1	internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Security-Policy	:green_circle: 9	security policy file detected
Packaging	:green_circle: 10	packaging workflow detected
SAST	:green_circle: 10	SAST tool is run on all commits
Pinned-Dependencies	:green_circle: 4	dependency not pinned by hash detected -- score normalized to 4
Vulnerabilities	:green_circle: 8	2 existing vulnerabilities detected

actions/actions/dependency-review-action

4.*.*

:green_circle: 6.1

Details

Check	Score	Reason
Code-Review	:green_circle: 5	found 5 unreviewed changesets out of 10 -- score normalized to 5
Maintained	:green_circle: 10	30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices	:warning: 0	no effort to earn an OpenSSF best practices badge detected
License	:green_circle: 10	license file detected
Signed-Releases	:warning: -1	no releases found
Security-Policy	:green_circle: 9	security policy file detected
Packaging	:warning: -1	packaging workflow not detected
Binary-Artifacts	:green_circle: 10	no binaries found in the repo
Dangerous-Workflow	:green_circle: 10	no dangerous workflow patterns detected
Token-Permissions	:warning: 0	detected GitHub workflow tokens with excessive permissions
Branch-Protection	:warning: 0	branch protection not enabled on development/release branches
Fuzzing	:warning: 0	project is not fuzzed
SAST	:green_circle: 10	SAST tool is run on all commits
Pinned-Dependencies	:warning: 1	dependency not pinned by hash detected -- score normalized to 1
Vulnerabilities	:green_circle: 10	0 existing vulnerabilities detected

Scanned Manifest Files

.github/workflows/dependency-review.yml

advanced-security/reusable-workflows/.github/workflows/dependency-review.yml@main
actions/checkout@4.*.*
actions/dependency-review-action@4.*.*