| Check | Question | Score | Reason |
|---|---|---|---|
| Binary-Artifacts | Is the project free of checked-in binaries? | 10/10 | no binaries found in the repo |
| Branch-Protection | Does the project use Branch Protection? | 3/10 | 2 out of 4 merged PRs checked by a CI test -- score normalized to 5 |
| CI-Tests | Does the project run tests in CI, e.g. GitHub Actions, Prow? | 5/10 | 2 out of 4 merged PRs checked by a CI test -- score normalized to 5 |
| CII-Best-Practices | Has the project earned an OpenSSF (formerly CII) Best Practices Badge at the passing, silver, or gold level? | 0/10 | no effort to earn an OpenSSF best practices badge detected |
| Code-Review | Does the project practice code review before code is merged? | 0/10 | found 28 unreviewed changesets out of 30 -- score normalized to 0 |
| Contributors | Does the project have contributors from at least two different organizations? | 0/10 | 0 different organizations found -- score normalized to 0 |
| Dangerous-Workflow | Does the project avoid dangerous coding patterns in GitHub Action workflows? | 10/10 | no dangerous workflow patterns detected |
| Dependency-Update-Tool | Does the project use tools to help update its dependencies? | 0/10 | no update tool detected |
| Fuzzing | Does the project use fuzzing tools, e.g. OSS-Fuzz, QuickCheck or fast-check? | 0/10 | project is not fuzzed |
| License | Does the project declare a license? | 10/10 | license file detected |
| Maintained | Is the project at least 90 days old, and maintained? | 0/10 | 0 commit(s) out of 30 and 0 issue activity out of 30 found in the last 90 days -- score normalized to 0 |
| Pinned-Dependencies | Does the project declare and pin dependencies? | 8/10 | dependency not pinned by hash detected -- score normalized to 8 |
| Packaging | Does the project build and publish official packages from CI/CD, e.g. GitHub Publishing? | -1/10 | no published package detected |
| SAST | Does the project use static code analysis tools, e.g. CodeQL, LGTM (deprecated), SonarCloud? | 0/10 | SAST tool is not run on all commits -- score normalized to 0 |
| Security-Policy | Does the project contain a security policy? | 0/10 | security policy file not detected |
| Signed-Releases | Does the project cryptographically sign releases? | -1/10 | no releases found |
| Token-Permissions | Does the project declare GitHub workflow tokens as read only? | 0/10 | detected GitHub workflow tokens with excessive permissions |
| Vulnerabilities | Does the project have unfixed vulnerabilities? Uses the OSV service. | 10/10 | no vulnerabilities detected |
As open-source security is a growing concern, I have conducted a health assessment based on the OpenSSF. Is there any improvement plan for these problems in the future?
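The table above is the human-readable form of a Scorecard run; for tracking remediation over time it is more useful to work from the JSON output. The following is an added example, not code from the issue above or from the Scorecard project. It assumes the layout that `scorecard --format json` emits, namely a top-level `checks` array whose entries carry `name`, `score` and `reason` (the sample input is constructed from the scores pasted in the issue). It separates checks that actually fail from checks Scorecard could not evaluate (score -1, such as Packaging and Signed-Releases here, which should not be read as failures), and flags rows whose `reason` text states a normalized score that disagrees with the recorded `score`, as the Branch-Protection row above does. The mean it reports is an unweighted average for triage only, not Scorecard's risk-weighted aggregate.

```python
"""Triage OpenSSF Scorecard JSON output into a remediation list.

Added example; assumes the `scorecard --format json` layout
(checks[].name / score / reason). Not Scorecard's own code.
"""
import json
import re

# Constructed sample in Scorecard's JSON shape, using the scores from the issue.
SAMPLE_JSON = json.dumps({"checks": [
    {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo"},
    {"name": "Branch-Protection", "score": 3, "reason": "2 out of 4 merged PRs checked by a CI test -- score normalized to 5"},
    {"name": "CI-Tests", "score": 5, "reason": "2 out of 4 merged PRs checked by a CI test -- score normalized to 5"},
    {"name": "CII-Best-Practices", "score": 0, "reason": "no effort to earn an OpenSSF best practices badge detected"},
    {"name": "Code-Review", "score": 0, "reason": "found 28 unreviewed changesets out of 30 -- score normalized to 0"},
    {"name": "Contributors", "score": 0, "reason": "0 different organizations found -- score normalized to 0"},
    {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns detected"},
    {"name": "Dependency-Update-Tool", "score": 0, "reason": "no update tool detected"},
    {"name": "Fuzzing", "score": 0, "reason": "project is not fuzzed"},
    {"name": "License", "score": 10, "reason": "license file detected"},
    {"name": "Maintained", "score": 0, "reason": "0 commit(s) out of 30 and 0 issue activity out of 30 found in the last 90 days -- score normalized to 0"},
    {"name": "Pinned-Dependencies", "score": 8, "reason": "dependency not pinned by hash detected -- score normalized to 8"},
    {"name": "Packaging", "score": -1, "reason": "no published package detected"},
    {"name": "SAST", "score": 0, "reason": "SAST tool is not run on all commits -- score normalized to 0"},
    {"name": "Security-Policy", "score": 0, "reason": "security policy file not detected"},
    {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},
    {"name": "Token-Permissions", "score": 0, "reason": "detected GitHub workflow tokens with excessive permissions"},
    {"name": "Vulnerabilities", "score": 10, "reason": "no vulnerabilities detected"},
]})

# Scorecard reasons often end with "-- score normalized to N"; we cross-check N.
NORMALIZED_RE = re.compile(r"score normalized to (\d+)")


def parse_checks(raw):
    """Parse Scorecard JSON into a list of {name, score, reason} dicts.

    Rejects input without a checks array and scores outside -1..10
    (-1 is Scorecard's marker for an inconclusive / not-applicable check).
    """
    data = json.loads(raw)
    checks = data.get("checks")
    if not isinstance(checks, list):
        raise ValueError("no 'checks' array in Scorecard output")
    parsed = []
    for c in checks:
        score = int(c["score"])
        if not -1 <= score <= 10:
            raise ValueError(f"{c['name']}: score {score} out of range")
        parsed.append({"name": str(c["name"]), "score": score, "reason": str(c.get("reason", ""))})
    return parsed


def triage(checks, threshold=5):
    """Split checks into (failing, not_applicable, inconsistent).

    failing: evaluated checks scoring below threshold, worst first.
    not_applicable: names of checks Scorecard could not evaluate (score -1).
    inconsistent: (name, score, normalized) where the reason text disagrees.
    """
    failing = sorted(
        (c for c in checks if 0 <= c["score"] < threshold),
        key=lambda c: (c["score"], c["name"]),
    )
    not_applicable = [c["name"] for c in checks if c["score"] == -1]
    inconsistent = []
    for c in checks:
        m = NORMALIZED_RE.search(c["reason"])
        if m and int(m.group(1)) != c["score"]:
            inconsistent.append((c["name"], c["score"], int(m.group(1))))
    return failing, not_applicable, inconsistent


def average_score(checks):
    """Unweighted mean of evaluated checks (ignores -1); None if none evaluated."""
    scored = [c["score"] for c in checks if c["score"] >= 0]
    return round(sum(scored) / len(scored), 1) if scored else None


if __name__ == "__main__":
    checks = parse_checks(SAMPLE_JSON)
    failing, na, inconsistent = triage(checks)
    print(f"unweighted mean of evaluated checks: {average_score(checks)}")
    for c in failing:
        print(f"FAIL {c['score']:>2}/10 {c['name']}: {c['reason']}")
    for name in na:
        print(f"N/A        {name}")
    for name, score, norm in inconsistent:
        print(f"CHECK      {name}: recorded score {score} but reason says normalized to {norm}")
```

Run against the real output with `scorecard --repo=<owner>/<repo> --format json > out.json` and `parse_checks(open("out.json").read())`; a non-empty `inconsistent` list usually means rows were pasted from different runs or hand-edited and the report should be regenerated before anyone acts on it.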