Reason

no dangerous workflow patterns detected

Reason

no binaries found in the repo

Reason

0 existing vulnerabilities detected

Reason

license file detected

Details

• Info: project has a license file: LICENSE:0
• Warn: project license file does not contain an FSF or OSI license.

Reason

dependency not pinned by hash detected -- score normalized to 3

Details

• Warn: third-party GitHubAction not pinned by hash: .github/workflows/automerge.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/automerge.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:108: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:109: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: third-party GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:127: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:128: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: third-party GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:131: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:141: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:142: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: third-party GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:145: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:170: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:173: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: third-party GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:176: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: third-party GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:177: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: third-party GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:75: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: third-party GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:79: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:89: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:90: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: third-party GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:93: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:155: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:156: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: third-party GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:159: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: third-party GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: third-party GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: third-party GitHubAction not pinned by hash: .github/workflows/js-test-and-release.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/js-test-and-release.yml/master?enable=pin
• Warn: third-party GitHubAction not pinned by hash: .github/workflows/semantic-pull-request.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/semantic-pull-request.yml/master?enable=pin
• Warn: third-party GitHubAction not pinned by hash: .github/workflows/stale.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/libp2p/js-libp2p-crypto/stale.yml/master?enable=pin
• Info: 0 out of 22 GitHub-owned GitHubAction dependencies pinned
• Info: 9 out of 24 third-party GitHubAction dependencies pinned

Reason

Found 8/27 approved changesets -- score normalized to 2

Reason

project is archived

Details

• Warn: Repository is archived.

Reason

detected GitHub workflow tokens with excessive permissions

Details

• Warn: no topLevel permission defined: .github/workflows/automerge.yml:1
• Warn: no topLevel permission defined: .github/workflows/js-test-and-release.yml:1
• Warn: no topLevel permission defined: .github/workflows/semantic-pull-request.yml:1
• Info: no jobLevel write permissions found

Reason

no effort to earn an OpenSSF best practices badge detected

Reason

project is not fuzzed

Details

• Warn: no fuzzer integrations found

Reason

branch protection not enabled on development/release branches

Details

• Warn: branch protection not enabled for branch 'master'

Reason

security policy file not detected

Details

• Warn: no security policy file detected
• Warn: no security file to analyze
• Warn: no security file to analyze
• Warn: no security file to analyze

Reason

SAST tool is not run on all commits -- score normalized to 0

Details

• Warn: 0 commits out of 13 are checked with a SAST tool