Installation: npm install @secretlint/tester
Developer: secretlint
Module System: ESM
Min. Node Version: ^14.13.1 || >=16.0.0
TypeScript Support: Yes
Node Version: 18.20.4
NPM Version: lerna/2.7.2/node@v18.20.4+x64 (linux)
Statistics: 899 Stars, 1,257 Commits, 40 Forks, 9 Watching, 6 Branches, 28 Contributors
Updated on 28 Nov 2024
Languages: TypeScript (95.83%), JavaScript (3.33%), Shell (0.59%), Dockerfile (0.25%)
Total Downloads (cumulative): 290,879
Last day: 835 (+16.6% compared to previous day)
Last week: 4,307 (+2.4% compared to previous week)
Last month: 17,076 (-9.4% compared to previous month)
Last year: 219,479 (+349.7% compared to previous year)
Secretlint
Secretlint is a pluggable linting tool that prevents committing credentials.
Features
- Scanner: finds credentials in a project and reports them
- Project Friendly: easy to set up in your project and to integrate with CI services
- Pre-Commit Hook: prevents committing files that contain credentials
- Pluggable: allows creating custom rules and flexible configuration
- Documentation: each rule describes the reason it detects something as a secret
Quick Demo
You can view secretlint's linting result on https://secretlint.github.io/.
Quick Start
You can try Secretlint on your project with one command.
If you already have Docker installed:
docker run -v `pwd`:`pwd` -w `pwd` --rm -it secretlint/secretlint secretlint "**/*"
If you already have Node.js installed:
npx @secretlint/quick-start "**/*"
After running, if you get an empty result and the exit status is 0, your project is secure.
Otherwise you get an error report: your project includes credentials as raw data.
If you want continuous security, see the following installation guide and set up a pre-commit hook and CI.
Installation
Using Docker
Prerequisites: Docker is required.
Use our Docker container to get an environment with Node.js and secretlint, up and running as fast as you can download it.
You can check all files under the current directory with secretlint by running the following command:
docker run -v `pwd`:`pwd` -w `pwd` --rm -it secretlint/secretlint secretlint "**/*"
The secretlint/secretlint Docker container works without configuration by design.
This Docker image has built-in packages:
- @secretlint/secretlint-rule-preset-recommend
- @secretlint/secretlint-rule-pattern
- @secretlint/secretlint-formatter-sarif
For more details, please see secretlint's Dockerfile.
Using Node.js
Prerequisites: Node.js 18+ is required.
Secretlint is written in JavaScript. You can install Secretlint using npm:
npm install secretlint @secretlint/secretlint-rule-preset-recommend --save-dev
You should then set up a configuration file:
npx secretlint --init
Finally, you can run Secretlint on any file or directory like this:
npx secretlint "**/*"
:memo: Secretlint supports glob patterns, and a glob pattern should be wrapped in double quotes.
It is also possible to install Secretlint globally using npm install --global. However, we do not recommend it: some rules may be broken when installed globally.
Using Single-Executable Binary
Prerequisites: None
You can use the secretlint command without Node.js by using a single-executable binary.
- Download the latest binary from the Releases page
- Change the file permission to executable: chmod +x ./secretlint
- Run ./secretlint --init to create a configuration file
- Run ./secretlint "**/*" to lint your project
For more details, please see the publish/binary-compiler README.
Usage
secretlint --help shows the usage:
Secretlint CLI that scan secret/credential data.
Usage
$ secretlint [file|glob*]
Note
supported glob syntax is based on microglob
https://github.com/micromatch/micromatch#matching-features
Options
--init setup config file. Create .secretlintrc.json file from your package.json
--format [String] formatter name. Default: "stylish". Available Formatter: checkstyle, compact, jslint-xml, json, junit, pretty-error, stylish, table, tap, unix, mask-result
--output [path:String] output file path that is written of reported result.
--no-color disable ANSI-color of output.
--no-terminalLink disable terminalLink of output.
--maskSecrets enable masking of secret values. replace actual secrets with "***".
--secretlintrc [path:String] path to .secretlintrc config file. Default: .secretlintrc.*
--secretlintignore [path:String] path to .secretlintignore file. Default: .secretlintignore
Options for Developer
--profile Enable performance profile.
--secretlintrcJSON [String] a JSON string of .secretlintrc. use JSON string instead of rc file.
Experimental Options
--locale [String] locale tag for translating message. Default: en
Examples
$ secretlint ./README.md
# glob pattern should be wrapped with double quote
$ secretlint "**/*"
$ secretlint "source/**/*.ini"
# found secrets and mask the secrets
$ secretlint .zsh_history --format=mask-result --output=.zsh_history
Exit Status
Secretlint exits with the following values:
- 0:
- Linting succeeded, no errors found.
- Found lint error but --output is specified.
- 1:
- Linting failed, errors found.
- 2:
- Unexpected error occurred, fatal error.
Configuration
Secretlint has a configuration file .secretlintrc.{json,yml,js}.
- Document: Configuring Secretlint
After running secretlint --init, you'll have a .secretlintrc.json file in your directory.
In it, you'll see some rules configured like this:
{
  "rules": [
    {
      "id": "@secretlint/secretlint-rule-preset-recommend"
    }
  ]
}
The id property is the name of the secretlint rule package.
Secretlint does not have built-in rules.
If you want to add a rule, install the package and add the rule to the .secretlintrc file.
Each rule has the same configuration pattern:
- options: option definition for the rule. For more details, see each rule's documentation.
- disabled: if disabled is true, the rule is disabled.
- allowMessageIds: an array of message ids whose error reports you want to suppress. Message ids are defined by each rule; please see the rule's documentation.
Example: options
For example, @secretlint/secretlint-rule-example has allows in options.
This allows option defines a list of RegExp-like strings that you want to ignore.
{
  "rules": [
    {
      "id": "@secretlint/secretlint-rule-example",
      "options": {
        "allows": [
          "/dummy_secret/i"
        ]
      }
    }
  ]
}
When you use a preset like @secretlint/secretlint-rule-preset-recommend, you need to put the option in the preset's rules.
For example, an option for @secretlint/secretlint-rule-preset-recommend > @secretlint/secretlint-rule-aws:
{
  "rules": [
    {
      "id": "@secretlint/secretlint-rule-preset-recommend",
      "rules": [
        {
          "id": "@secretlint/secretlint-rule-aws",
          "options": {
            "allows": [
              // it will be ignored
              "xxxx-xxxx-xxxx-xxxx-xxxx"
            ]
          }
        }
      ]
    }
  ]
}
Example: allowMessageIds
For example, you have got the following error report by running secretlint:
$ secretlint "**/*"
SECRET.txt
1:8 error [EXAMPLE_MESSAGE] found secret: SECRET @secretlint/secretlint-rule-example
✖ 1 problem (1 error, 0 warnings)
This error's message id is EXAMPLE_MESSAGE in @secretlint/secretlint-rule-example.
If you want to ignore this error, use allowMessageIds.
{
  "rules": [
    {
      "id": "@secretlint/secretlint-rule-example",
      "allowMessageIds": ["EXAMPLE_MESSAGE"]
    }
  ]
}
When you use a preset like @secretlint/secretlint-rule-preset-recommend, you need to put allowMessageIds in the preset's rules.
For example, if you want to ignore "AWSAccountID" and "AWSAccessKeyID" of "@secretlint/secretlint-rule-aws", you can write the following:
{
  "rules": [
    {
      "id": "@secretlint/secretlint-rule-preset-recommend",
      "rules": [
        {
          "id": "@secretlint/secretlint-rule-aws",
          "allowMessageIds": ["AWSAccountID", "AWSAccessKeyID"]
        }
      ]
    }
  ]
}
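The three configuration keys described above (options, disabled, allowMessageIds) and the nested preset form, worked through as a runnable toy in JavaScript. This is an added example and not secretlint's own code: the functions parseRegExpLike, flattenRules, exampleRule and lint, and the stand-in rule that reports every occurrence of the word SECRET, are assumptions made here to show how such a configuration drives a rule and filters its reports; secretlint's real rule loading and reporting differ.

```javascript
// Added example (not secretlint's own code): a toy model of how a
// .secretlintrc drives a rule. Function names and the stand-in rule are
// assumptions made for this illustration.

// Parse a RegExp-like string such as "/dummy_secret/i" into a RegExp.
function parseRegExpLike(str) {
  const m = /^\/(.*)\/([a-z]*)$/.exec(str);
  if (!m) throw new Error(`not a RegExp-like string: ${str}`);
  return new RegExp(m[1], m[2]);
}

// Walk config.rules recursively: a preset entry may carry its own "rules"
// array whose entries configure the rules inside that preset.
function flattenRules(rules, out = new Map()) {
  for (const rule of rules) {
    out.set(rule.id, {
      options: rule.options ?? {},
      disabled: rule.disabled === true,
      allowMessageIds: rule.allowMessageIds ?? [],
    });
    if (Array.isArray(rule.rules)) flattenRules(rule.rules, out);
  }
  return out;
}

// Toy rule standing in for @secretlint/secretlint-rule-example: every
// occurrence of SECRET is reported with message id EXAMPLE_MESSAGE unless
// the line it sits on matches one of options.allows.
const EXAMPLE_RULE_ID = "@secretlint/secretlint-rule-example";
function exampleRule(content, options) {
  const allows = (options.allows ?? []).map(parseRegExpLike);
  const findings = [];
  const re = /SECRET/g;
  let match;
  while ((match = re.exec(content)) !== null) {
    const lineStart = content.lastIndexOf("\n", match.index) + 1;
    const lineEnd = content.indexOf("\n", match.index);
    const line = content.slice(lineStart, lineEnd === -1 ? content.length : lineEnd);
    if (allows.some((r) => r.test(line))) continue;
    findings.push({
      ruleId: EXAMPLE_RULE_ID,
      messageId: "EXAMPLE_MESSAGE",
      message: "found secret: " + match[0],
      range: [match.index, match.index + match[0].length],
    });
  }
  return findings;
}

const RULES = { [EXAMPLE_RULE_ID]: exampleRule };

// Run every configured rule this toy knows about and apply the generic
// keys: disabled drops the whole rule, allowMessageIds drops single reports.
function lint(content, config) {
  const configured = flattenRules(config.rules ?? []);
  const results = [];
  for (const [ruleId, conf] of configured) {
    const rule = RULES[ruleId];
    if (!rule || conf.disabled) continue;
    for (const f of rule(content, conf.options)) {
      if (conf.allowMessageIds.includes(f.messageId)) continue;
      results.push(f);
    }
  }
  return results;
}

// Constructed sample input plus the configuration shapes shown in the text.
const SAMPLE = "token=SECRET\ndummy_SECRET=fixture\n";
const plainConfig = { rules: [{ id: EXAMPLE_RULE_ID }] };
const allowsConfig = {
  rules: [{ id: EXAMPLE_RULE_ID, options: { allows: ["/dummy_secret/i"] } }],
};
const allowIdConfig = {
  rules: [{ id: EXAMPLE_RULE_ID, allowMessageIds: ["EXAMPLE_MESSAGE"] }],
};
// Nested form: the per-rule setting sits inside the preset's own "rules".
const presetConfig = {
  rules: [
    {
      id: "@secretlint/secretlint-rule-preset-recommend",
      rules: [{ id: EXAMPLE_RULE_ID, disabled: true }],
    },
  ],
};

console.log(lint(SAMPLE, plainConfig).length); // 2
console.log(lint(SAMPLE, allowsConfig).length); // 1
console.log(lint(SAMPLE, allowIdConfig).length); // 0
console.log(lint(SAMPLE, presetConfig).length); // 0
```

The preset case shows why nesting matters: a setting placed at the top level under the preset's own id would configure the preset, not the rule inside it, so flattenRules records it under the inner rule's id only when it appears in the preset's rules array.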
Ignoring by comment
@secretlint/secretlint-rule-filter-comments supports ignoring by comment, such as secretlint-disable.
// secretlint-disable
THIS IS SECRET, BUT IT WILL BE IGNORED
// secretlint-enable
For more details, please see Configuring Secretlint.
Use Cases
Hide secrets in lint error messages
Secretlint supports the --maskSecrets option, which masks secrets in lint error messages.
It is useful when you want to hide secrets in CI logs.
$ secretlint --maskSecrets "**/*"
Fix secrets
Secretlint cannot fix secrets automatically.
However, --format=mask-result is useful: it masks the secrets in the input file.
For example, you can mask the secrets in a .zsh_history file and overwrite it.
$ secretlint .zsh_history --format=mask-result --output=.zsh_history
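As an added example serving both the "Ignoring by comment" section and the two masking use cases above, here is JavaScript (not secretlint's or the filter-comments rule's own code) that drops findings located between a secretlint-disable line and the next secretlint-enable line, then rewrites the surviving ranges to "***", the way --maskSecrets and --format=mask-result present results. The finding shape {messageId, range}, the function names and the sample text are assumptions made here.

```javascript
// Added example (not secretlint's own code): post-processing over a list of
// findings, each with a character range [start, end). Names are assumptions.

// Collect the character regions between a line containing
// "secretlint-disable" and the next line containing "secretlint-enable"
// (or end of file if never re-enabled).
function disabledRegions(content) {
  const regions = [];
  let offset = 0;
  let open = null;
  for (const line of content.split("\n")) {
    if (open === null && line.includes("secretlint-disable")) {
      open = offset;
    } else if (open !== null && line.includes("secretlint-enable")) {
      regions.push([open, offset + line.length]);
      open = null;
    }
    offset += line.length + 1; // account for the "\n" removed by split
  }
  if (open !== null) regions.push([open, content.length]);
  return regions;
}

// Drop every finding whose range starts inside a disabled region.
function filterByDisableComments(content, findings) {
  const regions = disabledRegions(content);
  return findings.filter(
    (f) => !regions.some(([s, e]) => f.range[0] >= s && f.range[0] < e)
  );
}

// Replace every reported range with "***". Work from the end of the content
// so that earlier offsets stay valid while later text is rewritten.
function maskSecrets(content, findings) {
  const sorted = [...findings].sort((a, b) => b.range[0] - a.range[0]);
  let out = content;
  for (const f of sorted) {
    out = out.slice(0, f.range[0]) + "***" + out.slice(f.range[1]);
  }
  return out;
}

// Constructed sample: one secret inside a disable/enable block, one outside.
const SAMPLE_TEXT = [
  "// secretlint-disable",
  "fixture=SECRET_A",
  "// secretlint-enable",
  "export TOKEN=SECRET_B",
].join("\n");

// Findings shaped as a rule would produce them; constructed here by locating
// the strings rather than by running a real rule.
function findAll(content, needle) {
  const findings = [];
  let i = content.indexOf(needle);
  while (i !== -1) {
    findings.push({ messageId: "EXAMPLE_MESSAGE", range: [i, i + needle.length] });
    i = content.indexOf(needle, i + 1);
  }
  return findings;
}
const FINDINGS = [...findAll(SAMPLE_TEXT, "SECRET_A"), ...findAll(SAMPLE_TEXT, "SECRET_B")];

const kept = filterByDisableComments(SAMPLE_TEXT, FINDINGS); // only SECRET_B survives
console.log(kept.length); // 1
console.log(maskSecrets(SAMPLE_TEXT, kept).split("\n")[3]); // export TOKEN=***
```

Masking with the full, unfiltered finding list (maskSecrets(SAMPLE_TEXT, FINDINGS)) rewrites both lines, which is the behaviour you want when the goal is to scrub a history file rather than to report on it.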
Rule Packages
Secretlint rules are implemented as separate modules.
- @secretlint/secretlint-rule-npm
- @secretlint/secretlint-rule-aws
- @secretlint/secretlint-rule-gcp
- @secretlint/secretlint-rule-github
- @secretlint/secretlint-rule-privatekey
- @secretlint/secretlint-rule-basicauth
- @secretlint/secretlint-rule-slack
- @secretlint/secretlint-rule-sendgrid
- @secretlint/secretlint-rule-shopify
- @secretlint/secretlint-rule-openai
- @secretlint/secretlint-rule-linear
- @secretlint/secretlint-rule-secp256k1-privatekey
- @secretlint/secretlint-rule-no-k8s-kind-secret
- @secretlint/secretlint-rule-pattern
- @secretlint/secretlint-rule-no-homedir
- @secretlint/secretlint-rule-no-dotenv
Also, Secretlint provides a rule preset that includes the recommended rule set.
- @secretlint/secretlint-rule-preset-recommend
- Recommended rule set
Custom Rules
You can create your own secretlint rule.
If you want a secretlint rule suited to your project, you can create it: a secretlint rule is just an npm package.
If you want to know how to create a secretlint rule, please see docs/secretlint-rule.md.
Integrations
Pre-commit Hook per project
You can use Secretlint with a pre-commit tool. This prevents committing secret data by linting with Secretlint.
Applying secretlint to the project improves security for team development.
Husky + lint-staged
Use Case: if you want to introduce secretlint to a Node.js project, this combination is useful.
Install Husky and lint-staged:
npx husky-init && npm install lint-staged --save-dev
Add hooks to .husky/pre-commit:
npx husky add .husky/pre-commit "npx --no-install lint-staged"
Edit package.json:
{
  // add "lint-staged" field
  "lint-staged": {
    "*": [
      "secretlint"
    ]
  }
}
This means that each staged file is checked by Secretlint before commit.
pre-commit
Use Case: you have a project that is developed with Docker. It is easy to integrate secretlint.
Install pre-commit
# macOS. see also https://pre-commit.com/#install
brew install pre-commit
Create .pre-commit-config.yaml:
- repo: local
  hooks:
    - id: secretlint
      name: secretlint
      language: docker_image
      entry: secretlint/secretlint:latest secretlint
Example setup repository:
Bash Script
Alternatively, you can save this script as .git/hooks/pre-commit and give it execute permission (chmod +x .git/hooks/pre-commit):
#!/bin/sh
# Collect staged files (added, copied, modified, renamed), escaping spaces
FILES=$(git diff --cached --name-only --diff-filter=ACMR | sed 's| |\\ |g')
[ -z "$FILES" ] && exit 0

# Secretlint all selected files
echo "$FILES" | xargs ./node_modules/.bin/secretlint
# If you are using Docker
# echo "$FILES" | xargs docker run -v `pwd`:`pwd` -w `pwd` --rm secretlint/secretlint secretlint
RET=$?
if [ $RET -eq 0 ] ;then
  exit 0
else
  exit 1
fi
Pre-commit Hook globally
Use Case: if you want to check any project with secretlint, you can use global git hooks.
Git 2.9+ supports core.hooksPath.
It allows integrating secretlint globally.
We have created an example git hooks project using secretlint + Docker.
- secretlint/git-hooks
- Requirement: Docker
You can set it up with the following steps:
# clone this repository
git clone https://github.com/secretlint/git-hooks git-hooks
cd git-hooks
# integrate secretlint to git hook globally
git config --global core.hooksPath $(pwd)/hooks
After setting core.hooksPath, secretlint checks any file before you commit it.
For more details, see the secretlint/git-hooks project.
A Node.js version can also be used as a global git hook. If you are interested, please see @azu/git-hooks.
CI
GitHub Actions
If you have already set up secretlint Using Node.js, you can run secretlint with your configuration on GitHub Actions.
Put .github/workflows/secretlint.yml in your repository.
name: Secretlint
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    name: "Secretlint"
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@v3
      - name: setup Node.js
        uses: actions/setup-node@v3
        with:
          node-version: 20
      - name: Install
        run: npm ci
      - name: Lint with Secretlint
        run: npx secretlint "**/*"
This configuration also integrates Pull Request review comments via actions/setup-node.
- Example Repository: https://github.com/secretlint/secretlint-github-actions-example
- Example Pull Request: https://github.com/secretlint/secretlint-github-actions-example/pull/1/files
If you want to check only changed files, please see the following example:
name: test-diff
on:
  push:
  pull_request:
jobs:
  test-diff:
    permissions:
      contents: read
    name: "Run secretlint to diff files"
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@v4
        with:
          # fetch history to get all changed files on push or pull_request event
          fetch-depth: 0
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v44
      - name: setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Show changed files
        run: echo "${{ steps.changed-files.outputs.all_changed_files }}"
      - name: Install
        if: steps.changed-files.outputs.any_changed == 'true'
        run: npm ci
      - name: Run secretlint
        if: steps.changed-files.outputs.any_changed == 'true'
        run: npx secretlint ${{ steps.changed-files.outputs.all_changed_files }}
Mega-Linter
Mega-Linter is a linters aggregator natively compliant with any CI tool, embedding 80+ linting apps, including secretlint by default.
You can install it on any repository project using the following command (Node.js must be installed beforehand):
npx mega-linter-runner --install
Browser
The Secretlint WebExtension works in your browser.
- Firefox: https://addons.mozilla.org/ja/firefox/addon/secretlint/
- Chrome: https://chrome.google.com/webstore/detail/secretlint/hidpojbnemkajlnibhmeilpgoddkjjkf
This web extension aims to find credentials that are included in your requests/responses.
The Secretlint WebExtension integrates with DevTools in Chrome/Firefox. This extension helps web developers notice exposed credentials.
Others
SARIF format support
Please use @secretlint/secretlint-formatter-sarif.
npm install @secretlint/secretlint-formatter-sarif --save-dev
secretlint --format @secretlint/secretlint-formatter-sarif "**/*"
Semantic Versioning Policy
The Secretlint project follows Semantic Versioning (secretlint-rule-preset-canary is an exception).
- Patch release (intended to not break your lint build)
- A bug fix to the CLI or core (including formatters).
- Improvements to documentation.
- Non-user-facing changes such as refactoring.
- Re-releasing after a failed release (i.e., publishing a release that doesn't work for anyone).
- Minor release (might break your lint build)
- A new option.
- An existing rule is deprecated.
- A new CLI capability is created.
- New public API are added (new classes, new methods, new arguments to existing methods, etc.).
- It might break TypeScript definitions
- A new formatter is created.
- Major release (breaks your lint build)
- A new option to an existing rule that results in secretlint reporting more errors by default.
- An existing formatter is removed.
- A new default rule is added to a rule preset.
- Part of the public API is removed or changed in an incompatible way.
Motivation
- git-secrets is useful, but it is hard to set up per project.
- Its main use case is global installation.
- Secretlint wants to be installed per project and customized per project.
- repo-security-scanner, Gitleaks and truffleHog are good scanning tools.
- Secretlint needs flexible customization, including ignore definitions and custom rules.
- detect-secrets is a similar tool, but it adopts an opt-out approach.
- Secretlint adopts an opt-in approach.
- We also need custom rules written by users.
- GitHub supports secret scanning, but it only works after a commit is pushed.
- Secretlint works on your local machine, so Secretlint can prevent the commit.
Philosophy
- Reduce false positives in linting
- Integration into the development workflow
- Empower users to contribute
Opt-in instead of Opt-out
Secretlint adopts an opt-in approach.
In our experience, linting tools that report various errors by default are difficult to use. An opt-in approach helps to introduce Secretlint incrementally.
It also helps to reduce false positives through configuration.
Rule as Documentation
We think of a rule as documentation. So each rule should have reasonable documentation.
We need to describe why this file is an error. A rule that has no documentation is just an opinion.
Describing the reason for an error leads to fewer false-positive errors.
Also, the Secretlint CLI supports hyperlinks in the terminal. This means that you can jump to the rule documentation directly from a lint error message.
Example on iTerm 2: Cmd + Click the error's messageId to open AWSSecretAccessKey in your browser.
If you want to know which terminals are supported, please see Hyperlinks in Terminal Emulators.
Also, contributions to the secretlint documentation are welcome!
Why Node.js?
- Package Manager
- A package manager is required to realize a flexible pluggable system
- Node.js has npm and yarn as package managers
- A package manager helps users install custom plugins/rules
- Existing Reference Implementations
- Node.js already has pluggable linting tools like ESLint, textlint, stylelint, etc.
- So Node.js users are familiar with pluggable linting tools
- Previously, I created textlint with the same approach, so I am familiar with Node.js
- Users
- JavaScript is a popular language
- This means it empowers users to contribute
- Users can create their own rules by hand
Of course, secretlint also supports Docker.
Changelog
See Releases page.
Contributing
Pull requests and stars are always welcome.
For bugs and feature requests, please create an issue.
See also, CONTRIBUTING.md and CODE_OF_CONDUCT.md
Add New Rule
You can use the npm run gen:rule command to create a new rule.
npm run gen:rule
For more details, please see CONTRIBUTING.md
Benchmark
Benchmark workflow is run on every commit.
Author
License
MIT © azu
No vulnerabilities found.
Reason
30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/publish-artifact.yml:45
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/secretlint/.github/SECURITY.md:1
- Info: Found linked content: github.com/secretlint/.github/SECURITY.md:1
- Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
- Info: Found text in security policy: github.com/secretlint/.github/SECURITY.md:1
Reason
SAST tool detected but not run on all commits
Details
- Info: SAST configuration detected: CodeQL
- Warn: 26 commits out of 30 are checked with a SAST tool
Reason
3 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
Reason
Found 1/25 approved changesets -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: jobLevel 'contents' permission set to 'read': .github/workflows/test-diff.yml:8
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/benchmark.yml:9
- Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:24
- Info: topLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:25
- Info: topLevel 'pull-requests' permission set to 'read': .github/workflows/codeql-analysis.yml:26
- Warn: topLevel 'security-events' permission set to 'write': .github/workflows/codeql-analysis.yml:27
- Info: topLevel 'contents' permission set to 'read': .github/workflows/comment-publish-artifact.yml:10
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/create-release-pr.yml:15
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/publish-artifact.yml:11
- Warn: topLevel 'packages' permission set to 'write': .github/workflows/publish-artifact.yml:12
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/publish.yml:11
- Warn: no topLevel permission defined: .github/workflows/test-diff.yml:1
- Info: topLevel 'contents' permission set to 'read': .github/workflows/test.yml:9
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
Project has not signed or included provenance with any releases.
Details
- Warn: release artifact v9.0.0 not signed: https://api.github.com/repos/secretlint/secretlint/releases/179740637
- Warn: release artifact v8.5.0 not signed: https://api.github.com/repos/secretlint/secretlint/releases/179737095
- Warn: release artifact v8.4.0 not signed: https://api.github.com/repos/secretlint/secretlint/releases/178559699
- Warn: release artifact v8.3.3 not signed: https://api.github.com/repos/secretlint/secretlint/releases/178547108
- Warn: release artifact v8.3.2 not signed: https://api.github.com/repos/secretlint/secretlint/releases/178524561
- Warn: release artifact v9.0.0 does not have provenance: https://api.github.com/repos/secretlint/secretlint/releases/179740637
- Warn: release artifact v8.5.0 does not have provenance: https://api.github.com/repos/secretlint/secretlint/releases/179737095
- Warn: release artifact v8.4.0 does not have provenance: https://api.github.com/repos/secretlint/secretlint/releases/178559699
- Warn: release artifact v8.3.3 does not have provenance: https://api.github.com/repos/secretlint/secretlint/releases/178547108
- Warn: release artifact v8.3.2 does not have provenance: https://api.github.com/repos/secretlint/secretlint/releases/178524561
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/benchmark.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/benchmark.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/benchmark.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/benchmark.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/benchmark.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/benchmark.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/benchmark.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/codeql-analysis.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/codeql-analysis.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/codeql-analysis.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/codeql-analysis.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/comment-publish-artifact.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/comment-publish-artifact.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/comment-publish-artifact.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/comment-publish-artifact.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/comment-publish-artifact.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/comment-publish-artifact.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/create-release-pr.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/create-release-pr.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/create-release-pr.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/create-release-pr.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/create-release-pr.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/create-release-pr.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-artifact.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/publish-artifact.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-artifact.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/publish-artifact.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-artifact.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/publish-artifact.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-artifact.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/publish-artifact.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-artifact.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/publish-artifact.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-artifact.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/publish-artifact.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-artifact.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/publish-artifact.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/publish.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/publish.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/publish.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/publish.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/publish.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish.yml:99: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/publish.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish.yml:105: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/publish.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-diff.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/test-diff.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test-diff.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/test-diff.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-diff.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/test-diff.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/test.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/test.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/test.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/test.yml/master?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/test.yml/master?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/secretlint/secretlint/test.yml/master?enable=pin
- Warn: containerImage not pinned by hash: publish/docker/Dockerfile:1: pin your Docker image by updating node:20-alpine to node:20-alpine@sha256:b5b9467fe7b33aad47f1ec3f6e0646a658f85f05c18d4243024212a91f3b7554
- Warn: npmCommand not pinned by hash: publish/docker/Dockerfile:11-19
- Info: 0 out of 22 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 15 third-party GitHubAction dependencies pinned
- Info: 0 out of 1 npmCommand dependencies pinned
- Info: 0 out of 1 containerImage dependencies pinned
Score: 5.5/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.