{"date":"2022-12-10","repo":{"name":"github.com/pandas-dev/pandas","commit":"e38daf0b6fe170772cf6518fec666e2872eb32eb"},"scorecard":{"version":"v4.8.0","commit":"c40859202d739b31fd060ac5b30d17326cd74275"},"score":6.4,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":10,"reason":"30 out of 30 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":0,"reason":"no badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":8,"reason":"25 out of last 30 changesets reviewed before merge -- score normalized to 8","details":null,"documentation":{"short":"Determines if the project requires code review before pull requests (aka merge requests) are 
merged.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#code-review"}},{"name":"Contributors","score":10,"reason":"47 different organizations found -- score normalized to 10","details":["Info: contributors work for 84.51,JuliaLang,OS-Maintainer-Feedback-Group,Quansight,Quansight-Labs,Toblerity,airspeed-velocity,altos-research,apache,asv-runner,blaze,conda-forge,dask,data-apis,datapad,denodrivers,denolib,dlr,euroscipy,geopandas,ibis-project,innobi,maintainers,mesonbuild,microsoft,numfocus,pandanistas,pandas-dev,pandas-ml,pangeo-data,paris-saclay-cds,pattern3,pydata,pygeos,python-sprints,quansight,rapidsai,resample-project,scientific-python,scikit-learn,shapely,stan-ja,statsmodels,tubitv,ursa-labs,voltrondata,washington university in st. louis"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":0,"reason":"no update tool detected","details":["Warn: dependabot config file not detected in source location.\n\t\t\tWe recommend setting this configuration in code so it can be easily verified by others.","Warn: renovatebot config file not detected in source location.\n\t\t\tWe recommend setting this configuration in code so it can be easily verified by others."],"documentation":{"short":"Determines if the project uses a dependency update 
tool.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed with [OSSFuzz]","details":null,"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: : LICENSE:1"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#license"}},{"name":"Maintained","score":10,"reason":"30 commit(s) out of 30 and 21 issue activity out of 30 found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"no published package detected","details":["Warn: no GitHub publishing workflow detected"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/32-bit-linux.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/32-bit-linux.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/32-bit-linux.yml:50: update your workflow using 
https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/32-bit-linux.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/asv-bot.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/asv-bot.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/asv-bot.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/asv-bot.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/autoupdate-pre-commit-config.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/autoupdate-pre-commit-config.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/autoupdate-pre-commit-config.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/autoupdate-pre-commit-config.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/autoupdate-pre-commit-config.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/autoupdate-pre-commit-config.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-checks.yml:153: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-checks.yml:174: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-checks.yml:180: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-checks.yml:30: update your workflow using 
https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-checks.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/code-checks.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-checks.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/code-checks.yml:96: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/code-checks.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not 
pinned by hash: .github/workflows/docbuild-and-upload.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/docbuild-and-upload.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docbuild-and-upload.yml:84: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/docbuild-and-upload.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/macos-windows.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/macos-windows.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/package-checks.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/package-checks.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/package-checks.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/package-checks.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-dev.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/python-dev.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/python-dev.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/python-dev.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecards.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/scorecards.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/scorecards.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/scorecards.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecards.yml:44: 
update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/scorecards.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecards.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/scorecards.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sdist.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/sdist.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sdist.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/sdist.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/sdist.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/sdist.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stale-pr.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/stale-pr.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ubuntu.yml:145: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/ubuntu.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/wheels.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/wheels.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/wheels.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/wheels.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/wheels.yml:79: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/wheels.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/wheels.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/wheels.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/wheels.yml:136: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/wheels.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/wheels.yml:146: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/wheels.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/wheels.yml:173: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/wheels.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating python to python@sha256:1a91094b2729a1d78fa2bb3260b94576447b20d05346d983e9c2f4fd72c6d9b5","Warn: containerImage not pinned by hash: gitpod/Dockerfile:28: pin your Docker image by updating gitpod/workspace-base to gitpod/workspace-base@sha256:8773ee3145fc7549a6a1faf2f3d102ce677b2d5de17e8d531ff2abb7defa4c0c","Warn: containerImage not pinned by hash: gitpod/gitpod.Dockerfile:5: pin your Docker image by updating gitpod/workspace-base:latest to gitpod/workspace-base:latest@sha256:8773ee3145fc7549a6a1faf2f3d102ce677b2d5de17e8d531ff2abb7defa4c0c","Warn: containerImage not pinned by hash: gitpod/gitpod.Dockerfile:14","Warn: pipCommand not pinned by hash: Dockerfile:10","Warn: pipCommand not pinned by hash: Dockerfile:11-12","Warn: downloadThenRun not pinned by hash: gitpod/Dockerfile:73-76","Warn: pipCommand not pinned by hash: gitpod/Dockerfile:90-96","Warn: downloadThenRun not pinned by hash: .circleci/setup_env.sh:11","Warn: pipCommand not pinned by hash: .circleci/setup_env.sh:62","Warn: pipCommand not pinned by hash: .github/workflows/code-checks.yml:188","Warn: pipCommand not pinned by hash: 
.github/workflows/wheels.yml:158"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Warn: 0 commits out of 30 are checked with a SAST tool","Info: SAST tool detected: CodeQL"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy detected in org repo: github.com/pandas-dev/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":0,"reason":"0 out of 5 artifacts are signed or have provenance","details":["Warn: release artifact v1.5.2 does not have provenance: https://api.github.com/repos/pandas-dev/pandas/releases/83828286","Warn: release artifact v1.5.2 not signed: https://api.github.com/repos/pandas-dev/pandas/releases/83828286","Warn: release artifact v1.5.1 does not have provenance: https://api.github.com/repos/pandas-dev/pandas/releases/80285645","Warn: release artifact v1.5.1 not signed: https://api.github.com/repos/pandas-dev/pandas/releases/80285645","Warn: release artifact v1.5.0 does not have provenance: https://api.github.com/repos/pandas-dev/pandas/releases/77555797","Warn: release artifact v1.5.0 not signed: https://api.github.com/repos/pandas-dev/pandas/releases/77555797","Warn: release artifact v1.4.4 does not have provenance: https://api.github.com/repos/pandas-dev/pandas/releases/75884284","Warn: release artifact v1.4.4 
not signed: https://api.github.com/repos/pandas-dev/pandas/releases/75884284","Warn: release artifact v1.5.0rc0 does not have provenance: https://api.github.com/repos/pandas-dev/pandas/releases/75212675","Warn: release artifact v1.5.0rc0 not signed: https://api.github.com/repos/pandas-dev/pandas/releases/75212675"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":0,"reason":"non read-only tokens detected in GitHub workflows","details":["Info: topLevel 'contents' permission set to 'read': .github/workflows/32-bit-linux.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/32-bit-linux.yml/main?enable=permissions","Info: topLevel 'contents' permission set to 'read': .github/workflows/assign.yml:7: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/assign.yml/main?enable=permissions","Info: topLevel 'contents' permission set to 'read': .github/workflows/asv-bot.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/asv-bot.yml/main?enable=permissions","Info: jobLevel 'contents' permission set to 'read': .github/workflows/asv-bot.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/asv-bot.yml/main?enable=permissions","Info: topLevel 'contents' permission set to 'read': .github/workflows/autoupdate-pre-commit-config.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/autoupdate-pre-commit-config.yml/main?enable=permissions","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/autoupdate-pre-commit-config.yml:14: update your workflow using 
https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/autoupdate-pre-commit-config.yml/main?enable=permissions","Info: topLevel 'contents' permission set to 'read': .github/workflows/code-checks.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/code-checks.yml/main?enable=permissions","Warn: no topLevel permission defined: .github/workflows/codeql.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/codeql.yml/main?enable=permissions","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/codeql.yml/main?enable=permissions","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/codeql.yml/main?enable=permissions","Info: topLevel 'contents' permission set to 'read': .github/workflows/docbuild-and-upload.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/docbuild-and-upload.yml/main?enable=permissions","Info: topLevel 'contents' permission set to 'read': .github/workflows/macos-windows.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/macos-windows.yml/main?enable=permissions","Info: topLevel 'contents' permission set to 'read': .github/workflows/package-checks.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/package-checks.yml/main?enable=permissions","Info: topLevel 'contents' permission set to 'read': .github/workflows/python-dev.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/python-dev.yml/main?enable=permissions","Info: topLevel permissions set to 'read-all': .github/workflows/scorecards.yml:11: update your workflow using 
https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/scorecards.yml/main?enable=permissions","Info: topLevel 'contents' permission set to 'read': .github/workflows/sdist.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/sdist.yml/main?enable=permissions","Info: topLevel 'contents' permission set to 'read': .github/workflows/stale-pr.yml:8: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/stale-pr.yml/main?enable=permissions","Info: topLevel 'contents' permission set to 'read': .github/workflows/ubuntu.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/ubuntu.yml/main?enable=permissions","Warn: no topLevel permission defined: .github/workflows/wheels.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/pandas-dev/pandas/wheels.yml/main?enable=permissions"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":10,"reason":"no vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c40859202d739b31fd060ac5b30d17326cd74275/docs/checks.md#vulnerabilities"}}]}
