{"date":"2026-04-30T06:41:18Z","repo":{"name":"github.com/step-security/secure-repo","commit":"3f171e13b96aae0bd441ae973be44b76ced49ab3"},"scorecard":{"version":"v5.1.1","commit":"cd152cb6742c5b8f2f3d2b5193b41d9c50905198"},"score":7.9,"checks":[{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#dependency-update-tool"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#security-policy"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#maintained"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Warn: jobLevel 'actions' permission set to 'write': .github/workflows/automatePR.yml:16","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:31","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:32","Info: jobLevel 'contents' permission set to 'read': .github/workflows/int.yml:14","Info: jobLevel 'contents' permission set to 'read': .github/workflows/kb-test.yml:14","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/kbanalysis.yml:20","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:15","Info: jobLevel 'contents' permission set to 'read': .github/workflows/test.yml:16","Info: topLevel 'contents' permission set to 'read': .github/workflows/automatePR.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:24","Info: topLevel 'contents' permission set to 'read': .github/workflows/int.yml:9","Info: topLevel 'contents' permission set to 'read': .github/workflows/kb-test.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/kbanalysis.yml:13","Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yml:10","Info: topLevel permissions set to 'read-all': .github/workflows/scorecards.yml:18","Info: topLevel 'contents' permission set to 'read': .github/workflows/test.yml:11"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#cii-best-practices"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#signed-releases"}},{"name":"SAST","score":8,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 20 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#sast"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#fuzzing"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/int.yml:12"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#packaging"}},{"name":"Vulnerabilities","score":0,"reason":"66 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-7r3h-m5j6-3q42","Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q","Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38","Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc","Warn: Project is vulnerable to: GHSA-3p68-rc4w-qgx5","Warn: Project is vulnerable to: GHSA-43fc-jf86-j433","Warn: Project is vulnerable to: GHSA-fvcv-3m26-pcqx","Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6","Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx","Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp","Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc","Warn: Project is vulnerable to: GHSA-r4q5-vmmm-2653","Warn: Project is vulnerable to: GHSA-f23m-r3pf-42rh","Warn: Project is vulnerable to: GHSA-r5fr-rjxr-66jc","Warn: Project is vulnerable to: GHSA-xxjr-mmjv-4gpg","Warn: Project is vulnerable to: GO-2022-0635","Warn: Project is vulnerable to: GO-2022-0646","Warn: Project is vulnerable to: GO-2026-4610 / GHSA-p436-gjf2-799p","Warn: Project is vulnerable to: GHSA-hqxw-f8mx-cpmw","Warn: Project is vulnerable to: GO-2023-1699 / GHSA-232p-vwff-86mp","Warn: Project is vulnerable to: GO-2023-1700 / GHSA-33pg-m6jh-5237","Warn: Project is vulnerable to: GO-2025-3829 / GHSA-4vq8-7jfc-9cvp","Warn: Project is vulnerable to: GO-2023-1701 / GHSA-6wrf-mxfj-pf5p","Warn: Project is vulnerable to: GHSA-jq35-85cj-fj4p","Warn: Project is vulnerable to: GHSA-mq39-4gv4-mvpx","Warn: Project is vulnerable to: GO-2026-4883 / GHSA-pxq6-2prw-chj9","Warn: Project is vulnerable to: GO-2022-0985 / GHSA-rc4r-wh2q-q6c4","Warn: Project is vulnerable to: GO-2024-3005 / GHSA-v23v-6jw2-98fq","Warn: Project is vulnerable to: GO-2022-1107 / GHSA-vp35-85q5-9f25","Warn: Project is vulnerable to: GO-2026-4887 / GHSA-x744-4wpc-v9h2","Warn: Project is vulnerable to: GO-2024-2512 / GHSA-xw73-rw38-6vjc","Warn: Project is vulnerable to: GO-2025-3553 / GHSA-mh63-6h87-95cp","Warn: Project is vulnerable to: GO-2023-2379 / GHSA-7f9x-gw85-8grf","Warn: Project is vulnerable to: GO-2024-2632 / GHSA-hj3v-m684-v259","Warn: Project is vulnerable to: GO-2024-2454 / GHSA-pvcr-v8j8-j5q3","Warn: Project is vulnerable to: GO-2023-1859 / GHSA-rm8v-mxj3-5rmq","Warn: Project is vulnerable to: GO-2026-4858 / GHSA-4c29-8rgm-jvjj","Warn: Project is vulnerable to: GO-2024-2494 / GHSA-4v98-7qmw-rqr8","Warn: Project is vulnerable to: GO-2026-4859 / GHSA-4vrq-3vrq-g6gg","Warn: Project is vulnerable to: GO-2024-2492 / GHSA-9p26-698r-w4hx","Warn: Project is vulnerable to: GHSA-gc89-7gcr-jxqc","Warn: Project is vulnerable to: GO-2024-2493 / GHSA-m3r6-h7wv-7xxv","Warn: Project is vulnerable to: GO-2024-2497 / GHSA-wr6v-9f75-vh2g","Warn: Project is vulnerable to: GO-2025-4188 / GHSA-4f99-4q7p-p3gh","Warn: Project is vulnerable to: GO-2023-2402 / GHSA-45x7-px36-x8w8","Warn: Project is vulnerable to: GO-2025-4135 / GHSA-f6x5-jh6r-wrfv","Warn: Project is vulnerable to: GO-2025-3487 / GHSA-hcg3-q754-cr77","Warn: Project is vulnerable to: GO-2025-4134 / GHSA-j5w8-q4qc-rx2x","Warn: Project is vulnerable to: GO-2024-3321 / GHSA-v778-237x-gjrc","Warn: Project is vulnerable to: GO-2024-2961","Warn: Project is vulnerable to: GO-2025-4116","Warn: Project is vulnerable to: GO-2023-1988 / GHSA-2wrh-6pvc-2jm9","Warn: Project is vulnerable to: GO-2023-2102 / GHSA-4374-p667-p6c8","Warn: Project is vulnerable to: GO-2024-2687 / GHSA-4v7x-pqxf-cx7m","Warn: Project is vulnerable to: GO-2022-0969 / GHSA-69cg-p879-7622","Warn: Project is vulnerable to: GHSA-qppj-fm5r-hxr3","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw","Warn: Project is vulnerable to: GO-2023-1571 / GHSA-vvpx-j8f3-3w6h","Warn: Project is vulnerable to: GO-2022-1144 / GHSA-xrjj-mj9h-534m","Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2026-4440","Warn: Project is vulnerable to: GO-2026-4441","Warn: Project is vulnerable to: GO-2025-3488 / GHSA-6v2p-p543-phr9","Warn: Project is vulnerable to: GO-2024-2611 / GHSA-8r3f-844c-mc37","Warn: Project is vulnerable to: GO-2022-0603 / GHSA-hp87-p4gw-j4gq"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#vulnerabilities"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: GNU Affero General Public License v3.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#license"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during GetBranch(int): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#branch-protection"}},{"name":"Pinned-Dependencies","score":5,"reason":"dependency not pinned by hash detected -- score normalized to 5","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/kbanalysis.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/step-security/secure-repo/kbanalysis.yml/main?enable=pin","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-exempted:3: pin your Docker image by updating python:3.7 to python:3.7@sha256:eedf63967cdb57d8214db38ce21f105003ed4e4d0358f02bedc057341bcf92a0","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-exempted-wildcard:5: pin your Docker image by updating amazonlinux:2023 to amazonlinux:2023@sha256:ceeab7e010ed03ea155cfbbfd7140672eba5a49e1110b8b4ed35342312c3f21a","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-exempted-wildcard:9: pin your Docker image by updating alpine:3.18 to alpine:3.18@sha256:de0eb0b3f2a47ba1eb89389859a9bd88b28e82f5826b6969ad604979713c2d4f","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-exempted-wildcard:13: pin your Docker image by updating python:3.7 to python:3.7@sha256:eedf63967cdb57d8214db38ce21f105003ed4e4d0358f02bedc057341bcf92a0","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-imageandtag-exempted:1: pin your Docker image by updating amazonlinux:2 to amazonlinux:2@sha256:4b3bb9ce33d248600f267f2acc965325587b3bcfaae72fe0bf9cff85fbbb17f6","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-imageandtag-exempted:3","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-imageandtag-exempted:5: pin your Docker image by updating python:3.7 to python:3.7@sha256:eedf63967cdb57d8214db38ce21f105003ed4e4d0358f02bedc057341bcf92a0","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-imageandtag-exempted:11: pin your Docker image by updating public.ecr.aws/amazonlinux/amazonlinux:2023 to public.ecr.aws/amazonlinux/amazonlinux:2023@sha256:fe4122f41784670c960b28c8a32036d8ca268bb56a002ce1e191271b6ddf3293","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-imageandtag-exempted-2:1","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-imageandtag-exempted-2:3","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-imageandtag-exempted-2:5: pin your Docker image by updating python:3.7 to python:3.7@sha256:eedf63967cdb57d8214db38ce21f105003ed4e4d0358f02bedc057341bcf92a0","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-imageandtag-exempted-2:11: pin your Docker image by updating public.ecr.aws/amazonlinux/amazonlinux:2023 to public.ecr.aws/amazonlinux/amazonlinux:2023@sha256:fe4122f41784670c960b28c8a32036d8ca268bb56a002ce1e191271b6ddf3293","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-multiple-images:1","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-multiple-images:22: pin your Docker image by updating python:3.7 to python:3.7@sha256:eedf63967cdb57d8214db38ce21f105003ed4e4d0358f02bedc057341bcf92a0","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-multiple-images:24: pin your Docker image by updating python:3.7 to python:3.7@sha256:eedf63967cdb57d8214db38ce21f105003ed4e4d0358f02bedc057341bcf92a0","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-multiple-images:26: pin your Docker image by updating python:3.7 to python:3.7@sha256:eedf63967cdb57d8214db38ce21f105003ed4e4d0358f02bedc057341bcf92a0","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-not-pinned:16: pin your Docker image by updating python:3.7 to python:3.7@sha256:eedf63967cdb57d8214db38ce21f105003ed4e4d0358f02bedc057341bcf92a0","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-not-pinned-as:16","Warn: containerImage not pinned by hash: testfiles/dockerfiles/input/Dockerfile-not-pinned-as:22","Warn: containerImage not pinned by hash: testfiles/dockerfiles/output/Dockerfile-exempted:3: pin your Docker image by updating python:3.7 to python:3.7@sha256:eedf63967cdb57d8214db38ce21f105003ed4e4d0358f02bedc057341bcf92a0","Warn: containerImage not pinned by hash: testfiles/dockerfiles/output/Dockerfile-exempted-wildcard:5: pin your Docker image by updating amazonlinux:2023 to amazonlinux:2023@sha256:ceeab7e010ed03ea155cfbbfd7140672eba5a49e1110b8b4ed35342312c3f21a","Warn: containerImage not pinned by hash: testfiles/dockerfiles/output/Dockerfile-exempted-wildcard:9: pin your Docker image by updating alpine:3.18 to alpine:3.18@sha256:de0eb0b3f2a47ba1eb89389859a9bd88b28e82f5826b6969ad604979713c2d4f","Warn: containerImage not pinned by hash: testfiles/dockerfiles/output/Dockerfile-imageandtag-exempted:1: pin your Docker image by updating amazonlinux:2 to amazonlinux:2@sha256:4b3bb9ce33d248600f267f2acc965325587b3bcfaae72fe0bf9cff85fbbb17f6","Warn: containerImage not pinned by hash: testfiles/dockerfiles/output/Dockerfile-imageandtag-exempted-2:11: pin your Docker image by updating public.ecr.aws/amazonlinux/amazonlinux:2023 to public.ecr.aws/amazonlinux/amazonlinux:2023@sha256:fe4122f41784670c960b28c8a32036d8ca268bb56a002ce1e191271b6ddf3293","Warn: pipCommand not pinned by hash: testfiles/dockerfiles/input/Dockerfile-exempted-wildcard:15","Warn: pipCommand not pinned by hash: testfiles/dockerfiles/input/Dockerfile-not-pinned:36-38","Warn: pipCommand not pinned by hash: testfiles/dockerfiles/input/Dockerfile-not-pinned:36-38","Warn: pipCommand not pinned by hash: testfiles/dockerfiles/output/Dockerfile-exempted-wildcard:15","Warn: pipCommand not pinned by hash: testfiles/dockerfiles/output/Dockerfile-not-pinned:36-38","Warn: pipCommand not pinned by hash: testfiles/dockerfiles/output/Dockerfile-not-pinned:36-38","Info:  18 out of  18 GitHub-owned GitHubAction dependencies pinned","Info:  22 out of  23 third-party GitHubAction dependencies pinned","Info:  24 out of  48 containerImage dependencies pinned","Info:   0 out of   6 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#pinned-dependencies"}},{"name":"CI-Tests","score":10,"reason":"7 out of 7 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#ci-tests"}},{"name":"Contributors","score":10,"reason":"project has 3 contributing companies or organizations -- score normalized to 10","details":["Info: found contributions from: ait pune, step-security, stepsecurity"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#contributors"}}]}