erlang / otp

Erlang/OTP
http://erlang.org
Apache License 2.0
11.34k stars 2.95k forks

Adopt Secure Software Development Best Practices of OpenSSF Scorecard #8922

Open gkunz opened 4 days ago

gkunz commented 4 days ago

Is your feature request related to a problem? Please describe. This feature request proposes to evaluate and (selectively) adopt secure software development best practices recommended by the Open Source Security Foundation (OpenSSF) [1]. The OpenSSF Scorecard project checks various development best practices of open source projects hosted on GitHub and provides guidance on how to improve those practices [2]. The overall goal of this issue is to strengthen the (supply chain) security posture of the CodeChecker project.

Describe the solution you'd like The proposed solution is:

[1] https://openssf.org/
[2] https://github.com/ossf/scorecard/tree/main#scorecard-checks

gkunz commented 4 days ago

Below are the scan results showing the current state of the repository.

Low hanging fruits seem to be

Results:

{
  "date": "2024-10-09T21:46:11+02:00",
  "repo": {
    "name": "github.com/erlang/otp",
    "commit": "3b6ef27a06f07e5c24c52955618296a0f0ffab9d"
  },
  "scorecard": {
    "version": "5.0.0",
    "commit": "ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"
  },
  "score": 3.3,
  "checks": [
    {
      "details": [
        "Warn: binary detected: erts/etc/win32/nsis/custom_modern.exe:1",
        "Warn: binary detected: lib/kernel/test/os_SUITE_data/win32/abin/hello.exe:1",
        "Warn: binary detected: lib/stdlib/test/zip_SUITE_data/test.jar:1"
      ],
      "score": 7,
      "reason": "binaries present in source code",
      "name": "Binary-Artifacts",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts",
        "short": "Determines if the project has generated executable (binary) artifacts in the source repository."
      }
    },
    {
      "details": [
        "Info: 'allow deletion' disabled on branch 'master'",
        "Info: 'force pushes' disabled on branch 'master'",
        "Warn: branch 'master' does not require approvers",
        "Warn: codeowners review is not required on branch 'master'",
        "Warn: no status checks found to merge onto branch 'master'"
      ],
      "score": 3,
      "reason": "branch protection is not maximal on development and all release branches",
      "name": "Branch-Protection",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection",
        "short": "Determines if the default and release branches are protected with GitHub's branch protection settings."
      }
    },
    {
      "details": null,
      "score": 8,
      "reason": "4 out of 5 merged PRs checked by a CI test -- score normalized to 8",
      "name": "CI-Tests",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests",
        "short": "Determines if the project runs tests before pull requests are merged."
      }
    },
    {
      "details": null,
      "score": 0,
      "reason": "no effort to earn an OpenSSF best practices badge detected",
      "name": "CII-Best-Practices",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices",
        "short": "Determines if the project has an OpenSSF (formerly CII) Best Practices Badge."
      }
    },
    {
      "details": null,
      "score": 1,
      "reason": "Found 4/30 approved changesets -- score normalized to 1",
      "name": "Code-Review",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review",
        "short": "Determines if the project requires human code review before pull requests (aka merge requests) are merged."
      }
    },
    {
      "details": [
        "Info: esl contributor org/company found, softlab-ntua contributor org/company found, parapluu contributor org/company found, whatwg contributor org/company found, ericsson ab contributor org/company found, erlang solutions contributor org/company found, ericsson contributor org/company found, PistonDevelopers contributor org/company found, SICS contributor org/company found, klarna contributor org/company found, release-project contributor org/company found, protocol-fuzzing contributor org/company found, html5lib contributor org/company found, erlang/otp ericsson ab. contributor org/company found, erlang contributor org/company found, ntua greece + uppsala university sweden contributor org/company found, "
      ],
      "score": 10,
      "reason": "project has 16 contributing companies or organizations",
      "name": "Contributors",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors",
        "short": "Determines if the project has a set of contributors from multiple organizations (e.g., companies)."
      }
    },
    {
      "details": [
        "Warn: script injection with untrusted input ' github.event.pull_request.head.ref ': .github/workflows/main.yaml:411"
      ],
      "score": 0,
      "reason": "dangerous workflow patterns detected",
      "name": "Dangerous-Workflow",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow",
        "short": "Determines if the project's GitHub Action workflows avoid dangerous patterns."
      }
    },
    {
      "details": [
        "Warn: no dependency update tool configurations found"
      ],
      "score": 0,
      "reason": "no update tool detected",
      "name": "Dependency-Update-Tool",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool",
        "short": "Determines if the project uses a dependency update tool."
      }
    },
    {
      "details": [
        "Warn: no fuzzer integrations found"
      ],
      "score": 0,
      "reason": "project is not fuzzed",
      "name": "Fuzzing",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing",
        "short": "Determines if the project uses fuzzing."
      }
    },
    {
      "details": [
        "Info: project has a license file: LICENSE.txt:0",
        "Info: FSF or OSI recognized license: Apache License 2.0: LICENSE.txt:0"
      ],
      "score": 10,
      "reason": "license file detected",
      "name": "License",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license",
        "short": "Determines if the project has defined a license."
      }
    },
    {
      "details": null,
      "score": 10,
      "reason": "30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10",
      "name": "Maintained",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained",
        "short": "Determines if the project is \"actively maintained\"."
      }
    },
    {
      "details": [
        "Info: Project packages its releases by way of GitHub Actions.: .github/workflows/update-base.yaml:13"
      ],
      "score": 10,
      "reason": "packaging workflow detected",
      "name": "Packaging",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging",
        "short": "Determines if the project is published as a package that others can easily download, install, easily update, and uninstall."
      }
    },
    {
      "details": [
        "Info: Possibly incomplete results: error parsing shell code: > must be followed by a word: lib/inets/examples/httpd_load_test/hdlt.sh.skel:0",
        "Info: Possibly incomplete results: error parsing shell code: > must be followed by a word: lib/megaco/examples/meas/meas.sh.skel.src:0",
        "Info: Possibly incomplete results: error parsing shell code: > must be followed by a word: lib/megaco/examples/meas/mstone1.sh.skel.src:0",
        "Info: Possibly incomplete results: error parsing shell code: > must be followed by a word: lib/megaco/examples/meas/mstone2.sh.skel.src:0",
        "Info: Possibly incomplete results: error parsing shell code: reached $ without matching (( with )): scripts/build-otp-tar:0",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/actions-updater.yaml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/actions-updater.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/actions-updater.yaml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/actions-updater.yaml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/actions-updater.yaml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/actions-updater.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:232: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:234: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:253: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:365: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:456: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:528: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:533: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:563: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:570: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yaml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yaml:77: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:82: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:89: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yaml:103: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:142: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:169: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:184: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:187: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:193: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:219: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:404: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:433: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:438: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:479: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:516: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:597: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:601: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:605: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:609: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yaml:628: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:647: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yaml:269: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:283: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:325: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:353: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yaml:393: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/main.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-comment.yaml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/pr-comment.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-comment.yaml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/pr-comment.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-comment.yaml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/pr-comment.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-comment.yaml:91: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/pr-comment.yaml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/pr-comment.yaml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/pr-comment.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-comment.yaml:134: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/pr-comment.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-comment.yaml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/pr-comment.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sync-github-prs.yaml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/sync-github-prs.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sync-github-prs.yaml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/sync-github-prs.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sync-github-releases.yaml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/sync-github-releases.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-base.yaml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/update-base.yaml/master?enable=pin",
        "Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-base.yaml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/update-base.yaml/master?enable=pin",
        "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/upload-windows-zip.yaml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/erlang/otp/upload-windows-zip.yaml/master?enable=pin",
        "Warn: containerImage not pinned by hash: .github/dockerfiles/Dockerfile.32-bit:2",
        "Warn: containerImage not pinned by hash: .github/dockerfiles/Dockerfile.64-bit:2",
        "Warn: containerImage not pinned by hash: .github/dockerfiles/Dockerfile.clang:2",
        "Warn: containerImage not pinned by hash: .github/dockerfiles/Dockerfile.cross-compile:5",
        "Warn: containerImage not pinned by hash: .github/dockerfiles/Dockerfile.cross-compile:55",
        "Warn: containerImage not pinned by hash: .github/dockerfiles/Dockerfile.debian-base:5",
        "Warn: containerImage not pinned by hash: .github/dockerfiles/Dockerfile.ubuntu-base:5",
        "Info:   0 out of  46 GitHub-owned GitHubAction dependencies pinned",
        "Info:   0 out of   8 third-party GitHubAction dependencies pinned",
        "Info:   0 out of   7 containerImage dependencies pinned"
      ],
      "score": 0,
      "reason": "dependency not pinned by hash detected -- score normalized to 0",
      "name": "Pinned-Dependencies",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies",
        "short": "Determines if the project has declared and pinned the dependencies of its build process."
      }
    },
    {
      "details": [
        "Warn: 0 commits out of 5 are checked with a SAST tool"
      ],
      "score": 0,
      "reason": "SAST tool is not run on all commits -- score normalized to 0",
      "name": "SAST",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast",
        "short": "Determines if the project uses static code analysis."
      }
    },
    {
      "details": [
        "Warn: no security policy file detected",
        "Warn: no security file to analyze",
        "Warn: no security file to analyze",
        "Warn: no security file to analyze"
      ],
      "score": 0,
      "reason": "security policy file not detected",
      "name": "Security-Policy",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy",
        "short": "Determines if the project has published a security policy."
      }
    },
    {
      "details": [
        "Warn: release artifact OTP-26.2.5.4 not signed: https://api.github.com/repos/erlang/otp/releases/179073754",
        "Warn: release artifact OTP-27.1.1 not signed: https://api.github.com/repos/erlang/otp/releases/177594111",
        "Warn: release artifact OTP-25.3.2.14 not signed: https://api.github.com/repos/erlang/otp/releases/175810316",
        "Warn: release artifact OTP-27.1 not signed: https://api.github.com/repos/erlang/otp/releases/175607410",
        "Warn: release artifact OTP-26.2.5.3 not signed: https://api.github.com/repos/erlang/otp/releases/173577083",
        "Warn: release artifact OTP-26.2.5.4 does not have provenance: https://api.github.com/repos/erlang/otp/releases/179073754",
        "Warn: release artifact OTP-27.1.1 does not have provenance: https://api.github.com/repos/erlang/otp/releases/177594111",
        "Warn: release artifact OTP-25.3.2.14 does not have provenance: https://api.github.com/repos/erlang/otp/releases/175810316",
        "Warn: release artifact OTP-27.1 does not have provenance: https://api.github.com/repos/erlang/otp/releases/175607410",
        "Warn: release artifact OTP-26.2.5.3 does not have provenance: https://api.github.com/repos/erlang/otp/releases/173577083"
      ],
      "score": 0,
      "reason": "Project has not signed or included provenance with any releases.",
      "name": "Signed-Releases",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases",
        "short": "Determines if the project cryptographically signs release artifacts."
      }
    },
    {
      "details": [
        "Warn: jobLevel 'contents' permission set to 'write': .github/workflows/main.yaml:584",
        "Info: jobLevel 'issues' permission set to 'read': .github/workflows/pr-comment.yaml:20",
        "Warn: jobLevel 'checks' permission set to 'write': .github/workflows/pr-comment.yaml:59",
        "Info: jobLevel 'contents' permission set to 'read': .github/workflows/update-base.yaml:19",
        "Warn: no topLevel permission defined: .github/workflows/actions-updater.yaml:1",
        "Warn: no topLevel permission defined: .github/workflows/main.yaml:1",
        "Warn: no topLevel permission defined: .github/workflows/pr-comment.yaml:1",
        "Warn: no topLevel permission defined: .github/workflows/sync-github-prs.yaml:1",
        "Warn: topLevel 'contents' permission set to 'write': .github/workflows/sync-github-releases.yaml:12",
        "Warn: topLevel 'actions' permission set to 'write': .github/workflows/sync-github-releases.yaml:13",
        "Warn: no topLevel permission defined: .github/workflows/update-base.yaml:1",
        "Warn: topLevel 'contents' permission set to 'write': .github/workflows/upload-windows-zip.yaml:13"
      ],
      "score": 0,
      "reason": "detected GitHub workflow tokens with excessive permissions",
      "name": "Token-Permissions",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions",
        "short": "Determines if the project's workflows follow the principle of least privilege."
      }
    },
    {
      "details": [
        "Warn: Project is vulnerable to: GHSA-9pf7-f47q-mwpq"
      ],
      "score": 9,
      "reason": "1 existing vulnerabilities detected",
      "name": "Vulnerabilities",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities",
        "short": "Determines if the project has open, known unfixed vulnerabilities."
      }
    }
  ],
  "metadata": null
}
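
To turn the scores above into a prioritised list, it helps to know that Scorecard's aggregate is a weighted mean of the per-check scores, weighted by each check's risk level. The following is an added example, not part of this issue or of the Scorecard project: it copies the per-check scores from the JSON above, reproduces the reported 3.3, and ranks the checks by how much the aggregate would rise if each were fully remediated. The risk level per check and the weights (Critical 10, High 7.5, Medium 5, Low 2.5) are my understanding of Scorecard's checks.yaml and should be verified against the docs for the version used (5.0.0).

```python
"""Rank the Scorecard findings above by how much fixing each one moves the score.

Added example, not part of the issue or of the Scorecard project. The
per-check scores are copied from the JSON above (not re-scanned). The risk
level per check and the weights Critical=10, High=7.5, Medium=5, Low=2.5 are
my understanding of Scorecard's checks.yaml and aggregate formula; treat them
as assumptions and verify against the docs for the version used (5.0.0).
"""

# Scores as reported in the scan above.
SCORES = {
    "Binary-Artifacts": 7,
    "Branch-Protection": 3,
    "CI-Tests": 8,
    "CII-Best-Practices": 0,
    "Code-Review": 1,
    "Contributors": 10,
    "Dangerous-Workflow": 0,
    "Dependency-Update-Tool": 0,
    "Fuzzing": 0,
    "License": 10,
    "Maintained": 10,
    "Packaging": 10,
    "Pinned-Dependencies": 0,
    "SAST": 0,
    "Security-Policy": 0,
    "Signed-Releases": 0,
    "Token-Permissions": 0,
    "Vulnerabilities": 9,
}

# Risk level per check (assumed from checks.yaml; verify for your version).
RISK = {
    "Dangerous-Workflow": "Critical",
    "Binary-Artifacts": "High",
    "Branch-Protection": "High",
    "Code-Review": "High",
    "Dependency-Update-Tool": "High",
    "Maintained": "High",
    "Signed-Releases": "High",
    "Token-Permissions": "High",
    "Vulnerabilities": "High",
    "Fuzzing": "Medium",
    "Packaging": "Medium",
    "Pinned-Dependencies": "Medium",
    "SAST": "Medium",
    "Security-Policy": "Medium",
    "CI-Tests": "Low",
    "CII-Best-Practices": "Low",
    "Contributors": "Low",
    "License": "Low",
}
WEIGHT = {"Critical": 10.0, "High": 7.5, "Medium": 5.0, "Low": 2.5}


def aggregate(scores, risk=RISK):
    """Weighted mean of check scores; should reproduce the 3.3 reported above."""
    total_weight = sum(WEIGHT[risk[c]] for c in scores)
    return sum(s * WEIGHT[risk[c]] for c, s in scores.items()) / total_weight


def gain_if_fixed(scores, risk=RISK):
    """(check, gain) pairs: how much the aggregate rises if that check reaches 10.

    Sorted by gain, so the head of the list is the most valuable fix, not
    merely the easiest one."""
    total_weight = sum(WEIGHT[risk[c]] for c in scores)
    gains = {c: (10 - s) * WEIGHT[risk[c]] / total_weight
             for c, s in scores.items() if s < 10}
    return sorted(gains.items(), key=lambda kv: kv[1], reverse=True)


def with_fixes(scores, *fixed):
    """Scores after the named checks are fully remediated (score 10)."""
    return {c: (10 if c in fixed else s) for c, s in scores.items()}


if __name__ == "__main__":
    print(f"aggregate now: {aggregate(SCORES):.2f}")
    for check, gain in gain_if_fixed(SCORES):
        print(f"  +{gain:.2f}  {check} (score {SCORES[check]}, {RISK[check]})")
    quick = ("Security-Policy", "Token-Permissions", "Dangerous-Workflow")
    print(f"after fixing {', '.join(quick)}: "
          f"{aggregate(with_fixes(SCORES, *quick)):.2f}")
```

With these weights the scores above give 345/105 = 3.29, which rounds to the reported 3.3. The single most valuable fix is Dangerous-Workflow (the only Critical-weighted check, worth almost a full point), followed by the High-weighted zeros (Token-Permissions, Dependency-Update-Tool, Signed-Releases); a SECURITY.md alone moves the aggregate by under half a point.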
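
Of the findings above, the Dangerous-Workflow one (main.yaml:411, `github.event.pull_request.head.ref` inside a run: step) is the only one with a direct attack path rather than a hygiene gap: a pull-request author chooses the branch name. The following is an added example, not code from the erlang/otp workflows or from Scorecard. It imitates locally the one runner behaviour that matters here, namely that `${{ ... }}` is substituted into the script as text before the shell parses it, and shows the fix Scorecard's docs recommend (pass the value through `env:` so the script only ever sees a quoted variable). The step snippets, the branch name and the small `untrusted_in_run` checker are constructed for this demo; the checker covers a handful of PR-author-controlled fields, not Scorecard's full list.

```python
"""What the Dangerous-Workflow finding above means, reproduced locally.

Added example; not code from the erlang/otp workflows or from Scorecard.
It imitates the one runner behaviour that matters here: `${{ ... }}` is
substituted into the run: script as TEXT before the shell parses it. The
step snippets, the branch name and the `untrusted_in_run` checker are
constructed for this demo (the checker covers a handful of
PR-author-controlled fields, not Scorecard's full list).
"""
import os
import re
import subprocess

EXPR = re.compile(r"\$\{\{\s*([\w.]+)\s*\}\}")

# A few github.* fields whose value a pull-request author controls.
UNTRUSTED = {
    "github.event.pull_request.head.ref",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.head_ref",
}

# Constructed step in the shape Scorecard warns about: expression inside run:.
VULNERABLE_STEP = """\
    steps:
      - name: Build
        run: |
          echo "Building PR branch ${{ github.event.pull_request.head.ref }}"
"""

# Hardened shape: the value travels through env:, the script only sees "$HEAD_REF".
HARDENED_STEP = """\
    steps:
      - name: Build
        env:
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          echo "Building PR branch $HEAD_REF"
"""

# The same two run: scripts, as the runner sees them before expansion.
VULNERABLE_RUN = 'echo "Building PR branch ${{ github.event.pull_request.head.ref }}"'
HARDENED_RUN = 'echo "Building PR branch $HEAD_REF"'
HARDENED_ENV = {"HEAD_REF": "${{ github.event.pull_request.head.ref }}"}

# Attacker-chosen branch name. The payload is harmless: it only prints a marker.
MALICIOUS_REF = 'feature"; echo INJECTED; echo "'
CONTEXT = {"github.event.pull_request.head.ref": MALICIOUS_REF}


def untrusted_in_run(workflow_yaml):
    """Static check: (line number, expression) for untrusted ${{ }} inside run: blocks."""
    hits, in_run, run_col = [], False, 0
    for no, line in enumerate(workflow_yaml.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_run and stripped and indent <= run_col:
            in_run = False                      # back at or above the run: key
        m = re.match(r"(-\s+)?run:", stripped)
        if m:
            in_run, run_col = True, indent + len(m.group(1) or "")
        if in_run:
            hits += [(no, e) for e in EXPR.findall(line) if e in UNTRUSTED]
    return hits


def expand(template, context):
    """Textual substitution of ${{ expr }}, as the runner does before sh runs."""
    return EXPR.sub(lambda m: context[m.group(1)], template)


def simulate_step(run_script, env_spec, context):
    """Expand env: values and the run: script, execute with sh, return stdout."""
    env = {**os.environ, **{k: expand(v, context) for k, v in env_spec.items()}}
    result = subprocess.run(["sh", "-c", expand(run_script, context)],
                            env=env, capture_output=True, text=True, check=False)
    return result.stdout


def was_injected(stdout):
    """True if the attacker's marker command actually ran."""
    return "INJECTED" in stdout.splitlines()


if __name__ == "__main__":
    print("static check, vulnerable:", untrusted_in_run(VULNERABLE_STEP))
    print("static check, hardened:  ", untrusted_in_run(HARDENED_STEP))
    print("vulnerable run injected:",
          was_injected(simulate_step(VULNERABLE_RUN, {}, CONTEXT)))
    print("hardened run injected:  ",
          was_injected(simulate_step(HARDENED_RUN, HARDENED_ENV, CONTEXT)))
```

In the vulnerable shape the expanded script is `echo "Building PR branch feature"; echo INJECTED; echo ""`, three commands; in the hardened shape the branch name is printed verbatim, quotes and semicolons included, because `$HEAD_REF` is expanded by the shell as data after parsing. How much an injected command can do depends on the trigger and token: on `pull_request` from a fork the GITHUB_TOKEN is read-only and secrets are withheld, while on `pull_request_target` or for same-repository branches the step runs with whatever the workflow grants, and the Token-Permissions findings above show main.yaml sets no top-level permissions.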

okeuday commented 4 days ago

The opaque ex_doc escript binary executable external to this repository that is downloaded and executed when building the documentation in Erlang/OTP >= 27.0 (as described at https://github.com/erlang/otp/issues/8295 ) is something the OpenSSF scan may never catch, but it would be good to mention as a newer security problem that was added recently to the repository.