As open-source security is a growing concern, I have conducted a health assessment based on the OpenSSF. Is there any improvement plan for these problems in the future?
| Name | Description | Score | Reason |
|---|---|---|---|
| Binary-Artifacts | Is the project free of checked-in binaries? | 10/10 | no binaries found in the repo |
| Branch-Protection | Does the project use Branch Protection? | 3/10 | 2 out of 4 merged PRs checked by a CI test -- score normalized to 5 |
| CI-Tests | Does the project run tests in CI, e.g. GitHub Actions, Prow? | 5/10 | 2 out of 4 merged PRs checked by a CI test -- score normalized to 5 |
| CII-Best-Practices | Has the project earned an OpenSSF (formerly CII) Best Practices Badge at the passing, silver, or gold level? | 0/10 | no effort to earn an OpenSSF best practices badge detected |
| Code-Review | Does the project practice code review before code is merged? | 0/10 | found 28 unreviewed changesets out of 30 -- score normalized to 0 |
| Contributors | Does the project have contributors from at least two different organizations? | 0/10 | 0 different organizations found -- score normalized to 0 |
| Dangerous-Workflow | Does the project avoid dangerous coding patterns in GitHub Action workflows? | 10/10 | no dangerous workflow patterns detected |
| Dependency-Update-Tool | Does the project use tools to help update its dependencies? | 0/10 | no update tool detected |
| Fuzzing | Does the project use fuzzing tools, e.g. OSS-Fuzz, QuickCheck or fast-check? | 0/10 | project is not fuzzed |
| License | Does the project declare a license? | 10/10 | license file detected |
| Maintained | Is the project at least 90 days old, and maintained? | 0/10 | 0 commit(s) out of 30 and 0 issue activity out of 30 found in the last 90 days -- score normalized to 0 |
| Pinned-Dependencies | Does the project declare and pin dependencies? | 8/10 | dependency not pinned by hash detected -- score normalized to 8 |
| Packaging | Does the project build and publish official packages from CI/CD, e.g. GitHub Publishing? | -1/10 | no published package detected |
| SAST | Does the project use static code analysis tools, e.g. CodeQL, LGTM (deprecated), SonarCloud? | 0/10 | SAST tool is not run on all commits -- score normalized to 0 |
| Security-Policy | Does the project contain a security policy? | 0/10 | security policy file not detected |
| Signed-Releases | Does the project cryptographically sign releases? | -1/10 | no releases found |
| Token-Permissions | Does the project declare GitHub workflow tokens as read only? | 0/10 | detected GitHub workflow tokens with excessive permissions |
| Vulnerabilities | Does the project have unfixed vulnerabilities? Uses the OSV service. | 10/10 | no vulnerabilities detected |
thunze
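Two of the failing rows above, Token-Permissions ("workflow tokens with excessive permissions") and Pinned-Dependencies ("dependency not pinned by hash"), are about the project's GitHub Actions workflow files. The following is an added example, not code from this project or from the OpenSSF Scorecard tool, that shows in simplified form what those two checks look for in a workflow: whether the top-level `permissions:` key restricts the `GITHUB_TOKEN` to read-only scopes, and whether every `uses:` reference is pinned to a full 40-hex commit SHA rather than a mutable tag or branch. The two workflow texts are constructed samples (a weak one and a hardened one); the commit SHAs in the hardened sample are illustrative values and should be taken from the actual action's release when pinning for real. The example only inspects the top-level `permissions:` block and skips local (`./`) and `docker://` actions; Scorecard's real checks are more thorough.

```python
"""Simplified approximation of two OpenSSF Scorecard checks over a workflow file:
Token-Permissions (read-only GITHUB_TOKEN) and Pinned-Dependencies (actions pinned
by commit SHA). Added example; not Scorecard's own implementation."""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
# Matches "- uses: owner/repo@ref" or "uses: owner/repo@ref", ignoring trailing comments.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def find_unpinned_actions(workflow_text):
    """Return every 'uses:' reference that is not pinned to a full commit SHA.
    Local actions (./path) and docker:// images are skipped in this example."""
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            unpinned.append(ref)  # no ref at all means default branch
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA40.match(version):
            unpinned.append(ref)  # tag or branch: mutable, can be repointed
    return unpinned


def top_level_token_permissions(workflow_text):
    """Return the scopes granted by the top-level 'permissions:' key as a dict
    ({'*': 'read'} for read-all, {'*': 'write'} for write-all, {} for '{}'),
    or None if the key is absent, in which case GitHub applies the repository
    default, which may be write-all."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(.*?)\s*$", line)  # column 0 only
        if not m:
            continue
        inline = m.group(1)
        if inline == "read-all":
            return {"*": "read"}
        if inline == "write-all":
            return {"*": "write"}
        if inline in ("{}", "{ }"):
            return {}
        scopes = {}
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            if not nxt.startswith((" ", "\t")):
                break  # next top-level key ends the block
            key, _, value = nxt.strip().partition(":")
            scopes[key.strip()] = value.strip()
        return scopes
    return None


def token_is_read_only(workflow_text):
    """True only when a top-level permissions block exists and grants no write scope."""
    scopes = top_level_token_permissions(workflow_text)
    if scopes is None:
        return False
    return all(v in ("read", "none") for v in scopes.values())


# Constructed sample: no permissions block, actions pinned to tag/branch.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@main
      - run: pip install -r requirements.txt
"""

# Constructed sample: read-only token, actions pinned by commit SHA.
# The SHAs are illustrative; take real ones from the action's release page.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
      - run: pip install -r requirements.txt
"""


def assess(workflow_text):
    """Summarise both findings for one workflow file."""
    return {
        "token_read_only": token_is_read_only(workflow_text),
        "unpinned_actions": find_unpinned_actions(workflow_text),
    }


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, assess(text))
```

Running the script reports the weak workflow as failing both conditions and the hardened one as passing both. Pinning by SHA with the tag kept in a trailing comment is the usual convention, so that a dependency-update tool can still bump the pin.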