Reason

30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10

Reason

no dangerous workflow patterns detected

Reason

no binaries found in the repo

Reason

license file detected

Details

• Info: project has a license file: LICENSE:0
• Info: FSF or OSI recognized license: MIT License: LICENSE:0

Reason

packaging workflow detected

Details

• Info: Project packages its releases by way of GitHub Actions.: .github/workflows/publish.yml:16

Reason

Found 17/28 approved changesets -- score normalized to 6

Reason

dependency not pinned by hash detected -- score normalized to 2

Details

• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node.js.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/gemini-testing/html-reporter/node.js.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/node.js.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/gemini-testing/html-reporter/node.js.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/gemini-testing/html-reporter/publish.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/gemini-testing/html-reporter/publish.yml/master?enable=pin
• Warn: containerImage not pinned by hash: test/func/docker/Dockerfile:1: pin your Docker image by updating node:18-slim to node:18-slim@sha256:29752c4f06579d48b504ee569dbe3625374d31f37da1c3b411455ec196f113be
• Info: 0 out of 4 GitHub-owned GitHubAction dependencies pinned
• Info: 0 out of 1 containerImage dependencies pinned
• Info: 2 out of 2 npmCommand dependencies pinned

Reason

detected GitHub workflow tokens with excessive permissions

Details

• Warn: no topLevel permission defined: .github/workflows/node.js.yml:1
• Warn: topLevel 'contents' permission set to 'write': .github/workflows/publish.yml:14
• Info: no jobLevel write permissions found

Reason

no effort to earn an OpenSSF best practices badge detected

Reason

security policy file not detected

Details

• Warn: no security policy file detected
• Warn: no security file to analyze
• Warn: no security file to analyze
• Warn: no security file to analyze

Reason

project is not fuzzed

Details

• Warn: no fuzzer integrations found

Reason

SAST tool is not run on all commits -- score normalized to 0

Details

• Warn: 0 commits out of 21 are checked with a SAST tool

Reason

62 existing vulnerabilities detected

Details

• Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw
• Warn: Project is vulnerable to: GHSA-fwr7-v2mv-hh25
• Warn: Project is vulnerable to: GHSA-8hc4-vh64-cxmj
• Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
• Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
• Warn: Project is vulnerable to: GHSA-x9w5-v3q2-3rhw
• Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
• Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
• Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq
• Warn: Project is vulnerable to: GHSA-hr2v-3952-633q
• Warn: Project is vulnerable to: GHSA-h6ch-v84p-w6p9
• Warn: Project is vulnerable to: GHSA-ff7x-qrg7-qggm
• Warn: Project is vulnerable to: GHSA-434g-2637-qmqr
• Warn: Project is vulnerable to: GHSA-49q7-c7j4-3p7m
• Warn: Project is vulnerable to: GHSA-977x-g7h5-7qgw
• Warn: Project is vulnerable to: GHSA-f7q4-pwc6-w24p
• Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747
• Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
• Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
• Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp
• Warn: Project is vulnerable to: GHSA-4q6p-r6v2-jvc5
• Warn: Project is vulnerable to: GHSA-c7qv-q95q-8v27
• Warn: Project is vulnerable to: GHSA-9qmh-276g-x5pj
• Warn: Project is vulnerable to: GHSA-33f9-j839-rf8h
• Warn: Project is vulnerable to: GHSA-c36v-fmgq-m8hx
• Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22
• Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp
• Warn: Project is vulnerable to: GHSA-fvqr-27wr-82fm
• Warn: Project is vulnerable to: GHSA-4xc9-xhrj-v574
• Warn: Project is vulnerable to: GHSA-x5rq-j2xg-h7qm
• Warn: Project is vulnerable to: GHSA-jf85-cpcp-j695
• Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw
• Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9
• Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
• Warn: Project is vulnerable to: GHSA-4xcv-9jjx-gfj3
• Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
• Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
• Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h
• Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
• Warn: Project is vulnerable to: GHSA-5rrq-pxf6-6jx5
• Warn: Project is vulnerable to: GHSA-8fr3-hfg3-gpgp
• Warn: Project is vulnerable to: GHSA-gf8q-jrpm-jvxq
• Warn: Project is vulnerable to: GHSA-2r2c-g63r-vccr
• Warn: Project is vulnerable to: GHSA-cfm4-qjh2-4765
• Warn: Project is vulnerable to: GHSA-x4jg-mjrx-434g
• Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
• Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
• Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp
• Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm
• Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
• Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
• Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
• Warn: Project is vulnerable to: GHSA-54xq-cgqr-rpm3
• Warn: Project is vulnerable to: GHSA-7xcx-6wjh-7xp2
• Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v
• Warn: Project is vulnerable to: GHSA-8jhw-289h-jh2g
• Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986 / GHSA-64vr-g452-qvp3
• Warn: Project is vulnerable to: GHSA-9cwx-2883-4wfx
• Warn: Project is vulnerable to: GHSA-vg6x-rcgg-rjx6
• Warn: Project is vulnerable to: GHSA-wr3j-pwj9-hqq6
• Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
• Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp