{"date":"2022-10-25","repo":{"name":"github.com/icon-project/icon-bridge","commit":"4b8669cc45b1d4d6d40a39f4fb75eace7bce409e"},"scorecard":{"version":"v4.5.0","commit":"69eb1ccf1d0cf8c5b291044479f18672bf250325"},"score":6.3,"checks":[{"name":"Binary-Artifacts","score":-1,"reason":"internal error: failure checking for Gradle wrapper validating Action: :7:7: \"description\" is missing at \"aws_s3_bucket\" secret of workflow_call event [syntax-check]","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/69eb1ccf1d0cf8c5b291044479f18672bf250325/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":6,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'force pushes' disabled on branch 'main'","Info: 'allow deletion' disabled on branch 'main'","Warn: no status checks found to merge onto branch 'main'","Warn: number of required reviewers is only 1 on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/69eb1ccf1d0cf8c5b291044479f18672bf250325/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":10,"reason":"29 out of 29 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/69eb1ccf1d0cf8c5b291044479f18672bf250325/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":0,"reason":"no badge detected","details":null,"documentation":{"short":"Determines if the project has a CII Best Practices 
Badge.","url":"https://github.com/ossf/scorecard/blob/69eb1ccf1d0cf8c5b291044479f18672bf250325/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":9,"reason":"GitHub code reviews found for 29 commits out of the last 30 -- score normalized to 9","details":["Warn: no reviews found for commit: 56c2e7e09d834f49385719f89ad941dab7855dbb"],"documentation":{"short":"Determines if the project requires code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/69eb1ccf1d0cf8c5b291044479f18672bf250325/docs/checks.md#code-review"}},{"name":"Contributors","score":10,"reason":"7 different organizations found -- score normalized to 10","details":["Info: contributors work for HugoByte,hugobyte,hugobyte ai labs,hugobyte ai labs pvt ltd,icon-project,iconloop,web3labs"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/69eb1ccf1d0cf8c5b291044479f18672bf250325/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/69eb1ccf1d0cf8c5b291044479f18672bf250325/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":0,"reason":"no update tool detected","details":["Warn: dependabot config file not detected in source location.\n\t\t\tWe recommend setting this configuration in code so it can be easily verified by others.","Warn: renovatebot config file not detected in source location.\n\t\t\tWe recommend setting this configuration in code so it can be easily verified by others."],"documentation":{"short":"Determines if the project uses a dependency update 
tool.","url":"https://github.com/ossf/scorecard/blob/69eb1ccf1d0cf8c5b291044479f18672bf250325/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":null,"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/69eb1ccf1d0cf8c5b291044479f18672bf250325/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: : LICENSE:1"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/69eb1ccf1d0cf8c5b291044479f18672bf250325/docs/checks.md#license"}},{"name":"Maintained","score":10,"reason":"30 commit(s) out of 30 and 28 issue activity out of 30 found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/69eb1ccf1d0cf8c5b291044479f18672bf250325/docs/checks.md#maintained"}},{"name":"Packaging","score":10,"reason":"publishing workflow detected","details":["Info: GitHub publishing workflow used in run https://api.github.com/repos/icon-project/icon-bridge/actions/runs/3065979752: .github/workflows/build-base-image.yaml:10"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/69eb1ccf1d0cf8c5b291044479f18672bf250325/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":5,"reason":"dependency not pinned by hash detected -- score normalized to 5","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-base-image.yaml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/build-base-image.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: 
.github/workflows/build-base-image.yaml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/build-base-image.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-base-image.yaml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/build-base-image.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-base-image.yaml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/build-base-image.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-base-image.yaml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/build-base-image.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/codeql-analysis.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/coverage.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/coverage.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/coverage.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/coverage.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency-review.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/dependency-review.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency-review.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/dependency-review.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-bmr.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-bmr.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-bmr.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-bmr.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-bmr.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-bmr.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: 
.github/workflows/deploy-bmr.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-bmr.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-bmr.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-bmr.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-bmr.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-bmr.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-bmr.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-bmr.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-javascore-testnet.yml:113: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-javascore-testnet.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-javascore-testnet.yml:118: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-javascore-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-javascore-testnet.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-javascore-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-javascore-testnet.yml:185: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-javascore-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-javascore-testnet.yml:200: update your workflow using 
https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-javascore-testnet.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-javascore-testnet.yml:205: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-javascore-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-javascore-testnet.yml:221: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-javascore-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-javascore-testnet.yml:227: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-javascore-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-javascore-testnet.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-javascore-testnet.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-javascore-testnet.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-javascore-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-javascore-testnet.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-javascore-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-solidity-testnet.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-solidity-testnet.yml:35: update your workflow using 
https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-solidity-testnet.yml:82: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-solidity-testnet.yml:88: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-solidity-testnet.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-solidity-testnet.yml:109: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-solidity-testnet.yml:111: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-solidity-testnet.yml:144: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-solidity-testnet.yml:149: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-solidity-testnet.yml:156: update your workflow using 
https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-solidity-testnet.yml:168: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-solidity-testnet.yml:182: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-solidity-testnet.yml:184: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-solidity-testnet.yml:190: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-solidity-testnet.yml:196: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-solidity-testnet.yml:202: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-solidity-testnet.yml:208: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-solidity-testnet.yml:214: update your workflow using 
https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-solidity-testnet.yml:235: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-token-javascore.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-token-javascore.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-token-javascore.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-token-javascore.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-token-javascore.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-token-javascore.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e_integretion_light_tests.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/e2e_integretion_light_tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e_integretion_light_tests.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/e2e_integretion_light_tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/link-register-coin.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/link-register-coin.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/link-register-coin.yml:41: update your workflow using 
https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/link-register-coin.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/link-register-coin.yml:206: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/link-register-coin.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/link-register-coin.yml:209: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/link-register-coin.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/lint-pr.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/lint-pr.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/realese_tag_manager.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/realese_tag_manager.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/realese_tag_manager.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/realese_tag_manager.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:92: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:97: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:113: update your workflow 
using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:120: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:134: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:137: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:140: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:143: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:149: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:22: update your workflow using 
https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/release.yml/main?enable=pin","Warn: containerImage not pinned by hash: build/base/Dockerfile:1: pin your Docker image by updating node:15.12.0-alpine to node:15.12.0-alpine@sha256:3d57223cc3ba9bb3399129f14d207b7f7a3485213ee0211c54adc757cf35dd0a","Warn: containerImage not pinned by hash: build/base/Dockerfile:3: pin your Docker image by updating alpine to alpine@sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad","Warn: containerImage not pinned by hash: build/bmr/Dockerfile:1: pin your Docker image by updating iconbridge/build to iconbridge/build@sha256:2ff31dd578afc185b6bec966f9a136a61175e0d1f94e90a0d1c0e87617444a0c","Warn: containerImage not pinned by hash: devnet/docker/bsc-node/Dockerfile:1: pin your Docker image by updating alpine to alpine@sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad","Warn: containerImage not 
pinned by hash: devnet/docker/goloop/Dockerfile:1: pin your Docker image by updating iconloop/goloop-icon to iconloop/goloop-icon@sha256:2bb416ca5484be5095c1e7927a441152c341adcefda8987dfa8967e888677eeb","Warn: containerImage not pinned by hash: devnet/docker/icon-bsc/Dockerfile:1: pin your Docker image by updating node:15.12.0-alpine to node:15.12.0-alpine@sha256:3d57223cc3ba9bb3399129f14d207b7f7a3485213ee0211c54adc757cf35dd0a","Warn: containerImage not pinned by hash: devnet/docker/icon-bsc/Dockerfile:2: pin your Docker image by updating alpine to alpine@sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad","Warn: containerImage not pinned by hash: devnet/docker/icon-bsc/bmr.Dockerfile:2: pin your Docker image by updating ubuntu to ubuntu@sha256:7cfe75438fc77c9d7235ae502bf229b15ca86647ac01c844b272b56326d56184","Warn: containerImage not pinned by hash: devnet/docker/icon-bsc/bmr.Dockerfile:44: pin your Docker image by updating ubuntu to ubuntu@sha256:7cfe75438fc77c9d7235ae502bf229b15ca86647ac01c844b272b56326d56184","Warn: containerImage not pinned by hash: devnet/docker/icon-hmny/src/bmr.Dockerfile:2: pin your Docker image by updating ubuntu to ubuntu@sha256:7cfe75438fc77c9d7235ae502bf229b15ca86647ac01c844b272b56326d56184","Warn: containerImage not pinned by hash: devnet/docker/icon-hmny/src/bmr.Dockerfile:44: pin your Docker image by updating ubuntu to ubuntu@sha256:7cfe75438fc77c9d7235ae502bf229b15ca86647ac01c844b272b56326d56184","Warn: containerImage not pinned by hash: devnet/docker/icon-hmny/src/hmny.Dockerfile:1: pin your Docker image by updating ubuntu to ubuntu@sha256:7cfe75438fc77c9d7235ae502bf229b15ca86647ac01c844b272b56326d56184","Warn: containerImage not pinned by hash: devnet/docker/icon-hmny/src/icon.Dockerfile:1","Warn: containerImage not pinned by hash: docker-compose/Dockerfile:4","Warn: containerImage not pinned by hash: docker-compose/Dockerfile:5","Warn: containerImage not pinned by hash: docker/iconbridge/Dockerfile:2","Warn: 
containerImage not pinned by hash: docker/iconbridge/Dockerfile-Debug:2","Warn: containerImage not pinned by hash: docker/javascore/Dockerfile:2","Warn: npmCommand not pinned by hash: build/base/Dockerfile:38","Warn: npmCommand not pinned by hash: build/base/Dockerfile:39","Warn: npmCommand not pinned by hash: devnet/docker/icon-bsc/Dockerfile:11","Warn: npmCommand not pinned by hash: devnet/docker/icon-bsc/Dockerfile:12","Warn: goCommand not pinned by hash: devnet/docker/icon-bsc/Dockerfile:27","Warn: goCommand not pinned by hash: devnet/docker/icon-bsc/Dockerfile:28","Warn: goCommand not pinned by hash: docker/iconbridge/Dockerfile-Debug:38","Info: no insecure (not pinned by hash) dependency downloads found in Dockerfiles","Info: no insecure (not pinned by hash) dependency downloads found in shell scripts"],"documentation":{"short":"Determines if the project has declared and pinned its dependencies.","url":"https://github.com/ossf/scorecard/blob/69eb1ccf1d0cf8c5b291044479f18672bf250325/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: all commits (29) are checked with a SAST tool","Info: SAST tool detected: CodeQL"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/69eb1ccf1d0cf8c5b291044479f18672bf250325/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy detected in current repo: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/69eb1ccf1d0cf8c5b291044479f18672bf250325/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":0,"reason":"0 out of 4 artifacts are signed -- score normalized to 0","details":["Warn: release artifact v0.0.11 not signed: 
https://api.github.com/repos/icon-project/icon-bridge/releases/80173778","Warn: release artifact v0.0.10 not signed: https://api.github.com/repos/icon-project/icon-bridge/releases/78145068","Warn: release artifact v0.0.9-rc.3 not signed: https://api.github.com/repos/icon-project/icon-bridge/releases/75532590","Warn: release artifact v0.0.9-rc.2 not signed: https://api.github.com/repos/icon-project/icon-bridge/releases/74514114"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/69eb1ccf1d0cf8c5b291044479f18672bf250325/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":0,"reason":"non read-only tokens detected in GitHub workflows","details":["Warn: no topLevel permission defined: .github/workflows/build-base-image.yaml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/build-base-image.yaml/main?enable=permissions","Warn: no topLevel permission defined: .github/workflows/build.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/build.yml/main?enable=permissions","Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/codeql-analysis.yml/main?enable=permissions","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/codeql-analysis.yml/main?enable=permissions","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/codeql-analysis.yml/main?enable=permissions","Warn: no topLevel permission defined: .github/workflows/coverage.yml:1: update your workflow using 
https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/coverage.yml/main?enable=permissions","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:4: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/dependency-review.yml/main?enable=permissions","Warn: no topLevel permission defined: .github/workflows/deploy-bmr.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-bmr.yml/main?enable=permissions","Warn: no topLevel permission defined: .github/workflows/deploy-javascore-testnet.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-javascore-testnet.yml/main?enable=permissions","Warn: no topLevel permission defined: .github/workflows/deploy-solidity-testnet.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-solidity-testnet.yml/main?enable=permissions","Warn: no topLevel permission defined: .github/workflows/deploy-testnet-workflow.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-testnet-workflow.yml/main?enable=permissions","Warn: no topLevel permission defined: .github/workflows/deploy-token-javascore.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/deploy-token-javascore.yml/main?enable=permissions","Warn: no topLevel permission defined: .github/workflows/e2e_integretion_light_tests.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/e2e_integretion_light_tests.yml/main?enable=permissions","Warn: no topLevel permission defined: .github/workflows/link-register-coin.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/link-register-coin.yml/main?enable=permissions","Warn: no topLevel permission 
defined: .github/workflows/lint-pr.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/lint-pr.yml/main?enable=permissions","Warn: no topLevel permission defined: .github/workflows/realese_tag_manager.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/realese_tag_manager.yml/main?enable=permissions","Warn: no topLevel permission defined: .github/workflows/release.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/release.yml/main?enable=permissions","Info: topLevel permissions set to 'read-all': .github/workflows/scorecards.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/scorecards.yml/main?enable=permissions","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecards.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/scorecards.yml/main?enable=permissions","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecards.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/icon-project/icon-bridge/scorecards.yml/main?enable=permissions"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/69eb1ccf1d0cf8c5b291044479f18672bf250325/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":10,"reason":"no vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/69eb1ccf1d0cf8c5b291044479f18672bf250325/docs/checks.md#vulnerabilities"}},{"name":"Webhooks","score":-1,"reason":"check is not supported for this request: SCORECARD_V6 is not set, not running the Webhook check","details":["Warn: SCORECARD_V6 is not set, not 
running the Webhook check"],"documentation":{"short":"This check validates if the webhook defined in the repository has a token configured.","url":"https://github.com/ossf/scorecard/blob/69eb1ccf1d0cf8c5b291044479f18672bf250325/docs/checks.md#webhooks"}}]}
