{"date":"2026-06-20T02:18:02Z","repo":{"name":"github.com/goreleaser/goreleaser-azure-devops-extension","commit":"3bf3ab7eee48e15db7cf1864d68e9ca9b59da8a1"},"scorecard":{"version":"v5.3.0","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"score":4.2,"checks":[{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dependency-update-tool"}},{"name":"Maintained","score":8,"reason":"8 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 8","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":0,"reason":"Found 0/9 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#code-review"}},{"name":"Pinned-Dependencies","score":8,"reason":"dependency not pinned by hash detected -- score normalized to 8","details":["Warn: npmCommand not pinned by hash: .github/workflows/ci.yaml:27","Warn: npmCommand not pinned by hash: .github/workflows/ci.yaml:40","Warn: npmCommand not pinned by hash: .github/workflows/ci.yaml:99","Info:   9 out of   9 GitHub-owned GitHubAction dependencies pinned","Info:  16 out of  16 third-party GitHubAction dependencies pinned","Info:   0 out of   3 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#pinned-dependencies"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/ossf-scorecard-action.yaml:22","Info: jobLevel 'contents' permission set to 'read': .github/workflows/ossf-scorecard-action.yaml:23","Warn: no topLevel permission defined: .github/workflows/ci.yaml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/lock.yaml:8","Info: topLevel permissions set to 'read-all': .github/workflows/ossf-scorecard-action.yaml:12","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dangerous-workflow"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":0,"reason":"53 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-35jp-ww65-95wh","Warn: Project is vulnerable to: GHSA-3g43-6gmg-66jw","Warn: Project is vulnerable to: GHSA-3p68-rc4w-qgx5","Warn: Project is vulnerable to: GHSA-3w6x-2g7m-8v23","Warn: Project is vulnerable to: GHSA-445q-vr5w-6q77","Warn: Project is vulnerable to: GHSA-5c9x-8gcm-mpgx","Warn: Project is vulnerable to: GHSA-62hf-57xw-28j9","Warn: Project is vulnerable to: GHSA-6chq-wfr3-2hj9","Warn: Project is vulnerable to: GHSA-777c-7fjr-54vf","Warn: Project is vulnerable to: GHSA-898c-q2cr-xwhg","Warn: Project is vulnerable to: GHSA-fvcv-3m26-pcqx","Warn: Project is vulnerable to: GHSA-hfxv-24rg-xrqf","Warn: Project is vulnerable to: GHSA-j5f8-grm9-p9fc","Warn: Project is vulnerable to: GHSA-m7pr-hjqh-92cm","Warn: Project is vulnerable to: GHSA-p92q-9vqr-4j8v","Warn: Project is vulnerable to: GHSA-pf86-5x62-jrwf","Warn: Project is vulnerable to: GHSA-pjwm-pj3p-43mv","Warn: Project is vulnerable to: GHSA-pmwg-cvhr-8vh7","Warn: Project is vulnerable to: GHSA-q8qp-cvcw-x6jj","Warn: Project is vulnerable to: GHSA-vf2m-468p-8v99","Warn: Project is vulnerable to: GHSA-w9j2-pvgh-6h63","Warn: Project is vulnerable to: GHSA-xhjh-pmcv-23jw","Warn: Project is vulnerable to: GHSA-xx6v-rp6x-q39c","Warn: Project is vulnerable to: GHSA-f886-m6hf-6m8v","Warn: Project is vulnerable to: GHSA-r4q5-vmmm-2653","Warn: Project is vulnerable to: GHSA-hmw2-7cc7-3qxx","Warn: Project is vulnerable to: GHSA-3v7f-55p6-f55p","Warn: Project is vulnerable to: GHSA-c2c7-rcm5-vvqj","Warn: Project is vulnerable to: GHSA-6rw7-vpxm-498p","Warn: Project is vulnerable to: GHSA-q8mj-m7cp-5q26","Warn: Project is vulnerable to: GHSA-w7fw-mjwx-w883","Warn: Project is vulnerable to: GHSA-qpx9-hpmf-5gmw","Warn: Project is vulnerable to: GHSA-w5hq-g745-h8pq","Warn: Project is vulnerable to: GHSA-xffm-g5w8-qvg7","Warn: Project is vulnerable to: GHSA-2g4f-4pwh-qvx6","Warn: Project is vulnerable to: GHSA-fwr7-v2mv-hh25","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-73rr-hh4g-fpgx","Warn: Project is vulnerable to: GHSA-25h7-pfq9-p65f","Warn: Project is vulnerable to: GHSA-rf6f-7fwh-wjgh","Warn: Project is vulnerable to: GHSA-h67p-54hq-rp68","Warn: Project is vulnerable to: GHSA-mh29-5h37-fv8m","Warn: Project is vulnerable to: GHSA-f23m-r3pf-42rh","Warn: Project is vulnerable to: GHSA-r5fr-rjxr-66jc","Warn: Project is vulnerable to: GHSA-xxjr-mmjv-4gpg","Warn: Project is vulnerable to: GHSA-23c5-xmqv-rm74","Warn: Project is vulnerable to: GHSA-3ppc-4f35-3m26","Warn: Project is vulnerable to: GHSA-7r86-cg39-jmmj","Warn: Project is vulnerable to: GHSA-5c6j-r48x-rmvq","Warn: Project is vulnerable to: GHSA-qj8w-gfj5-8c6v","Warn: Project is vulnerable to: GHSA-ph9p-34f9-6g65","Warn: Project is vulnerable to: GHSA-9965-vmph-33xx","Warn: Project is vulnerable to: GHSA-vghf-hv5q-vc2g"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#vulnerabilities"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.1.50 not signed: https://api.github.com/repos/goreleaser/goreleaser-azure-devops-extension/releases/302899219","Warn: release artifact 0.1.49 not signed: https://api.github.com/repos/goreleaser/goreleaser-azure-devops-extension/releases/230123115","Warn: release artifact v0.1.48 not signed: https://api.github.com/repos/goreleaser/goreleaser-azure-devops-extension/releases/229649052","Warn: release artifact v0.1.47 not signed: https://api.github.com/repos/goreleaser/goreleaser-azure-devops-extension/releases/199319021","Warn: release artifact v0.1.46 not signed: https://api.github.com/repos/goreleaser/goreleaser-azure-devops-extension/releases/175241583","Warn: release artifact v0.1.50 does not have provenance: https://api.github.com/repos/goreleaser/goreleaser-azure-devops-extension/releases/302899219","Warn: release artifact 0.1.49 does not have provenance: https://api.github.com/repos/goreleaser/goreleaser-azure-devops-extension/releases/230123115","Warn: release artifact v0.1.48 does not have provenance: https://api.github.com/repos/goreleaser/goreleaser-azure-devops-extension/releases/229649052","Warn: release artifact v0.1.47 does not have provenance: https://api.github.com/repos/goreleaser/goreleaser-azure-devops-extension/releases/199319021","Warn: release artifact v0.1.46 does not have provenance: https://api.github.com/repos/goreleaser/goreleaser-azure-devops-extension/releases/175241583"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#signed-releases"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 26 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#sast"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#security-policy"}},{"name":"Contributors","score":10,"reason":"project has 9 contributing companies or organizations","details":["Info: found contributions from: NixOS, caarlos0-graveyard, catppuccin, dracula, github, goreleaser, my-backstage-demo, prometheus-community, pulumi"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#contributors"}},{"name":"CI-Tests","score":9,"reason":"24 out of 26 merged PRs checked by a CI test -- score normalized to 9","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#ci-tests"}}]}