Reason

30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10

Reason

no dangerous workflow patterns detected

Reason

license file detected

Details

• Info: project has a license file: LICENSE:0
• Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0

Reason

security policy file detected

Details

• Info: security policy file detected: github.com/adobe/.github/.github/SECURITY.md:1
• Info: Found linked content: github.com/adobe/.github/.github/SECURITY.md:1
• Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/adobe/.github/.github/SECURITY.md:1
• Info: Found text in security policy: github.com/adobe/.github/.github/SECURITY.md:1

Reason

no binaries found in the repo

Reason

project is fuzzed

Details

• Info: JavaScriptPropertyBasedTesting integration found: packages/@internationalized/number/test/NumberParser.test.js:13

Reason

Found 29/30 approved changesets -- score normalized to 9

Reason

detected GitHub workflow tokens with excessive permissions

Details

• Info: topLevel 'pull-requests' permission set to 'read': .github/workflows/lint-pr-titles.yaml:6
• Warn: no topLevel permission defined: .github/workflows/nightly.yaml:1
• Warn: no topLevel permission defined: .github/workflows/prod-docs.yaml:1
• Info: no jobLevel write permissions found

Reason

no effort to earn an OpenSSF best practices badge detected

Reason

dependency not pinned by hash detected -- score normalized to 0

Details

• Warn: third-party GitHubAction not pinned by hash: .github/workflows/nightly.yaml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/adobe/react-spectrum/nightly.yaml/main?enable=pin
• Warn: third-party GitHubAction not pinned by hash: .github/workflows/prod-docs.yaml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/adobe/react-spectrum/prod-docs.yaml/main?enable=pin
• Info: 0 out of 2 third-party GitHubAction dependencies pinned

Reason

SAST tool is not run on all commits -- score normalized to 0

Details

• Warn: 0 commits out of 29 are checked with a SAST tool

Reason

114 existing vulnerabilities detected

Details

• Warn: Project is vulnerable to: GHSA-7r3h-m5j6-3q42
• Warn: Project is vulnerable to: GHSA-hpx4-r86g-5jrg
• Warn: Project is vulnerable to: GHSA-prr3-c3m5-p7q2
• Warn: Project is vulnerable to: GHSA-7q7g-4xm8-89cq
• Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
• Warn: Project is vulnerable to: GHSA-4w2v-q235-vp99
• Warn: Project is vulnerable to: GHSA-cph5-m8f7-6c5x
• Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
• Warn: Project is vulnerable to: GHSA-8hc4-vh64-cxmj
• Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
• Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
• Warn: Project is vulnerable to: GHSA-cwfw-4gq5-mrqx
• Warn: Project is vulnerable to: GHSA-g95f-p29q-9xw4
• Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
• Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
• Warn: Project is vulnerable to: GHSA-897m-rjf5-jp39
• Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
• Warn: Project is vulnerable to: GHSA-9vvw-cc9w-f27h
• Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c
• Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq
• Warn: Project is vulnerable to: GHSA-p3vf-v8qc-cwcr
• Warn: Project is vulnerable to: GHSA-gx9m-whjm-85jf
• Warn: Project is vulnerable to: GHSA-mmhx-hmjr-r674
• Warn: Project is vulnerable to: GHSA-ff7x-qrg7-qggm
• Warn: Project is vulnerable to: GHSA-j4f2-536g-r55m
• Warn: Project is vulnerable to: GHSA-r7qp-cfhv-p84w
• Warn: Project is vulnerable to: GHSA-4gmj-3p3h-gm8h
• Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
• Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
• Warn: Project is vulnerable to: GHSA-74fj-2j2h-c42q
• Warn: Project is vulnerable to: GHSA-pw2r-vq6v-hr8c
• Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc
• Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
• Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
• Warn: Project is vulnerable to: GHSA-vfrc-7r7c-w9mx
• Warn: Project is vulnerable to: GHSA-7wwv-vh3v-89cq
• Warn: Project is vulnerable to: GHSA-43f8-2h32-f4cj
• Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j
• Warn: Project is vulnerable to: GHSA-6x33-pw7p-hmpq
• Warn: Project is vulnerable to: GHSA-c7qv-q95q-8v27
• Warn: Project is vulnerable to: GHSA-pc5p-h8pf-mvwp
• Warn: Project is vulnerable to: GHSA-qqgx-2p2h-9c37
• Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
• Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
• Warn: Project is vulnerable to: GHSA-xxvw-45rp-3mj2
• Warn: Project is vulnerable to: GHSA-2pr6-76vf-7546
• Warn: Project is vulnerable to: GHSA-8j8c-7jfh-h6hx
• Warn: Project is vulnerable to: GHSA-896r-f27r-55mw
• Warn: Project is vulnerable to: GHSA-8cf7-32gw-wr33
• Warn: Project is vulnerable to: GHSA-hjrf-2m68-5959
• Warn: Project is vulnerable to: GHSA-qwph-4952-7xr6
• Warn: Project is vulnerable to: GHSA-jf85-cpcp-j695
• Warn: Project is vulnerable to: GHSA-fvqr-27wr-82fm
• Warn: Project is vulnerable to: GHSA-4xc9-xhrj-v574
• Warn: Project is vulnerable to: GHSA-x5rq-j2xg-h7qm
• Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
• Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
• Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
• Warn: Project is vulnerable to: GHSA-wx77-rp39-c6vg
• Warn: Project is vulnerable to: GHSA-4wx3-54gh-9fr9
• Warn: Project is vulnerable to: GHSA-4xcv-9jjx-gfj3
• Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
• Warn: Project is vulnerable to: GHSA-hxm2-r34f-qmc5
• Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
• Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m / GHSA-xvch-5gv4-984h
• Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
• Warn: Project is vulnerable to: GHSA-cwx2-736x-mf6w
• Warn: Project is vulnerable to: GHSA-v39p-96qg-c8rf
• Warn: Project is vulnerable to: GHSA-8v63-cqqc-6r2c
• Warn: Project is vulnerable to: GHSA-3j8f-xvm3-ffx4
• Warn: Project is vulnerable to: GHSA-4p35-cfcx-8653
• Warn: Project is vulnerable to: GHSA-7f3x-x4pr-wqhj
• Warn: Project is vulnerable to: GHSA-jpp7-7chh-cf67
• Warn: Project is vulnerable to: GHSA-q6wq-5p59-983w
• Warn: Project is vulnerable to: GHSA-j9fq-vwqv-2fm2
• Warn: Project is vulnerable to: GHSA-pqw5-jmp5-px4v
• Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
• Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
• Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
• Warn: Project is vulnerable to: GHSA-p493-635q-r6gr
• Warn: Project is vulnerable to: GHSA-3965-hpx2-q597
• Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
• Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6
• Warn: Project is vulnerable to: GHSA-x6fg-f45m-jf5q
• Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
• Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
• Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
• Warn: Project is vulnerable to: GHSA-hpqj-7cj6-hfj8
• Warn: Project is vulnerable to: GHSA-4vrv-93c7-m92j
• Warn: Project is vulnerable to: GHSA-4x6g-3cmx-w76r
• Warn: Project is vulnerable to: GHSA-fxwf-4rqh-v8g3
• Warn: Project is vulnerable to: GHSA-25hc-qcg6-38wj
• Warn: Project is vulnerable to: GHSA-xfhh-g9f5-x4m4
• Warn: Project is vulnerable to: GHSA-qm95-pgcg-qqfq
• Warn: Project is vulnerable to: GHSA-cqmj-92xf-r6r9
• Warn: Project is vulnerable to: GHSA-vx3p-948g-6vhq
• Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36
• Warn: Project is vulnerable to: GHSA-29xr-v42j-r956
• Warn: Project is vulnerable to: GHSA-f523-2f5j-gfcg
• Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3
• Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v
• Warn: Project is vulnerable to: GHSA-38fc-wpqx-33j7
• Warn: Project is vulnerable to: GHSA-662x-fhqg-9p8v
• Warn: Project is vulnerable to: GHSA-394c-5j6w-4xmx
• Warn: Project is vulnerable to: GHSA-78cj-fxph-m83p
• Warn: Project is vulnerable to: GHSA-fhg7-m89q-25r3
• Warn: Project is vulnerable to: GHSA-34r7-q49f-h37c
• Warn: Project is vulnerable to: GHSA-c9f4-xj24-8jqx
• Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
• Warn: Project is vulnerable to: GHSA-776f-qx25-q3cc
• Warn: Project is vulnerable to: GHSA-72mh-269x-7mh5
• Warn: Project is vulnerable to: GHSA-h4j5-c7cj-74xg
• Warn: Project is vulnerable to: GHSA-c4w7-xm78-47vh
• Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp