Gathering detailed insights and metrics for npm-groovy-lint
Gathering detailed insights and metrics for npm-groovy-lint
Installations
npm install npm-groovy-lintDeveloper
Developer Guide
BETA
Module System
ESM
Min. Node Version
>=20.0.0
Typescript Support
Yes
Node Version
20.17.0
NPM Version
10.8.2
Statistics
209 Stars
439 Commits
65 Forks
6 Watching
12 Branches
25 Contributors
Updated on 26 Nov 2024
Languages
JavaScript (72.59%)
Groovy (27.2%)
Dockerfile (0.21%)
Total Downloads
Cumulative downloads
Total Downloads
1,681,459
Last day
-4.2%
2,503
Compared to previous day
Last week
9.9%
13,917
Compared to previous week
Last month
9.7%
59,094
Compared to previous month
Last year
67.9%
650,919
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
17
Versions
NPM GROOVY LINT (+ Format & Auto-fix)
Groovy & Jenkinsfile Linter, Formatter and Auto-fixer
New: The article about the story of npm-groovy-lint, and why you should dive in open-source community !
Based on CodeNarc , this out of the box package allows to track groovy errors and correct a part of them
- Use option --format to format & prettify source code
- Use option --fix to activate autofixing of fixable rules
Easy to integrate in a CI/CD process (Jenkins Pipeline,CircleCI...) to lint your groovy or Jenkinsfile at each build :)
You can also use this package in :
- Visual Studio Code Groovy Lint extension
- Mega-Linter (can be used as GitHub Action, and lints all other languages and formats)
- Docker Image
See CHANGELOG
Any question, problem or enhancement request ? Ask here :)
Usage
1 npm-groovy-lint [OPTIONS] [FILES|PATH|PATTERN]
| Parameter | Type | Description |
|---|---|---|
| -o --output | String | Output format (txt,json,sarif,html,xml), or path to a file with one of these extensions Default: txtExamples: - "txt"- "json"- "./logs/myLintResults.txt"- "./logs/myLintResults.sarif"- "./logs/myLintResults.html"- "./logs/myLintResults.xml"Note: HTML and XML are directly from CodeNarc so using these formats will disable many npm-groovy-lint features |
| -l --loglevel | String | Log level (error,warning or info) Default: info |
| --failon | String | Defines the error level where CLI will fail (return code = 1). error,warning,info or none. Each failure level includes the more critical ones. |
| -c --config | String | Custom path to GroovyLint config file, or preset config recommended|recommended-jenkinsfile|allDefault: Browse current directory to find .groovylintrc.json|js|yml|package.json config file, or default npm-groovy-lint config if not defined.Note: command-line arguments have priority on config file properties |
| --parse | Boolean | Try to compile the source code and return parse errors (since v5.7.0, default to true, use --no-parse to deactivate) |
| --format | Boolean | Format source code |
| --fix | Boolean | Automatically fix problems when possible See Auto-fixable rules |
| -x --fixrules | String | Option for --fix argument: List of rule identifiers to fix (if not specified, all available fixes will be applied). See Auto-fixable rules Examples: - "SpaceBeforeClosingBrace,SpaceAfterClosingBrace,UnusedImport"- "Indentation" |
| --nolintafter | Boolean | When format or fix is called, a new lint is performed after the fixes to update the returned error list. If you just want the updated source code and do not care about the error logs, use this parameter to improve performances |
| -r --rulesets | String | RuleSet file(s) to use for linting, if you do not want to use recommended rules or .groovylintrc.js defined rules. If list of comma separated strings corresponding to CodeNarc rules, a RuleSet file will be dynamically generated Examples: - "./config/codenarc/RuleSet-Custom.groovy"- "./path/to/my/ruleset/files"- Indentation{"spacesPerIndentLevel":2,"severity":"warning"},UnnecessarySemicolon,UnnecessaryGString |
| --rulesetsoverridetype | String | If list of rules sent in rulesets option, defines if they replace rules defined in .groovylintrc.json, or if they are appended Values: replaceConfig (default), appendConfig |
| -s --source | String | If path and files are not set, you can directly send the source code string to analyze |
| --verbose | Boolean | More outputs in console, including performed fixes |
| -i --ignorepattern | String | Comma-separated list of Ant-style file patterns specifying files that must be ignored Default: none Example: "**/test/*"" |
| --noserver | Boolean | npm-groovy-lint launches a microservice to avoid performance issues caused by loading java/groovy each time,that auto kills itself after 1h idle. Use this argument if you do not want to use this feature |
| --returnrules | Boolean | Return rules descriptions and URL if set |
| --javaexecutable | String | Override java executable to use Default: java Example: C:\Program Files\Java\jdk1.8.0_144\bin\java.exe |
| --javaoptions | String | Override java options to use Default: "-Xms256m,-Xmx2048m" |
| --insight | Boolean | npm-groovy-lint collects anonymous usage statistics using amplitude, in order to make new improvements based on how users use this package. Summary charts are available at https://tinyurl.com/groovy-stats. Analytics obviously does not receive sensitive information like your code, as you can see in analytics.js. If you want to enable anonymous usage statistics, use --insight option. |
| --codenarcargs | String | Use core CodeNarc arguments (all npm-groovy-lint arguments will be ignored) Doc: http://codenarc.github.io/CodeNarc/codenarc-command-line.html Example: npm-groovy-lint --codenarcargs -basedir="lib/example" -rulesetfiles="file:lib/example/RuleSet-Groovy.groovy" -maxPriority1Violations=0 -report="xml:ReportTestCodenarc.xml |
| -h --help | Boolean | Show help (npm-groovy-lint -h OPTIONNAME to see option detail with examples) |
| -v --version | Boolean | Show npm-groovy-lint version (with CodeNarc version) |
| -p --path | String | (DEPRECATED) Directory containing the files to lint Example: ./path/to/my/groovy/files |
| -f --files | String | (DEPRECATED) Comma-separated list of Ant-style file patterns specifying files that must be included. Default: "**/*.groovy,**/Jenkinsfile,**/*.gradle"Examples: - "**/Jenkinsfile"- "**/*.groovy"- "**/*.gradle"- "**/mySingleFile.groovy" |
Example calls
- Lint a file
1 npm-groovy-lint path/to/my/groovy/file.groovy
- Lint multiple files
1 npm-groovy-lint path/to/my/groovy/file.groovy path/to/my/groovy/file2.groovy path/to/my/groovy/file3.groovy
- Lint directory
1 npm-groovy-lint path/to/my/groovy
- Lint pattern
1 npm-groovy-lint path/to/my/groovy/*.groovy
- Lint groovy with JSON output
1 npm-groovy-lint --output json
- Format files
1 npm-groovy-lint --format my/path/to/file.groovy my/path/to/file2.groovy
- Format and fix files
1 npm-groovy-lint --fix my/path/to/file.groovy my/path/to/file2.groovy
- Get formatted sources in stdout from stdin
1 cat path/to/my/Jenkinsfile | npm-groovy-lint --format -
- Advanced config
1 npm-groovy-lint --path "./path/to/my/groovy/files" --files "**/*.groovy" --config "./config/codenarc/.groovylintrcCustom.js" --loglevel warning --output txt
- Lint using core CodeNarc parameters and generate HTML report file
1 npm-groovy-lint --codenarcargs -basedir="lib/example" -rulesetfiles="file:lib/example/RuleSet-Groovy.groovy" -title="TestTitleCodenarc" -maxPriority1Violations=0' -report="html:ReportTestCodenarc.html"
Installation
1 npm install -g npm-groovy-lint
- If you have issues with v9, install previous version with
npm install -g npm-groovy-lint@8.2.0 - Node.js >= 12 is required to run this package. If you can't upgrade, you can use nvm to have different node versions on your computer
- If you do not have java 17 installed on your computer, npm-groovy-lint will install them for you, so the first run may be long.
Configuration
Default rules definition (recommended, based on all tracks a lot of errors, do not hesitate to ignore some of them (like NoDef ou RequiredVariableType) if they are too mean for your project.
Create a file named .groovylintrc.json in the current or any parent directory of where your files to analyze are located
- your-repo-root-folder
- src
- groovy
- mygroovyfile.groovy
- groovy
- Jenkinsfile
- .groovylintrc.json (do not forget the dot at the beginning of the file name)
- src
If you are using VsCode Groovy Lint extension, just use QuickFix Ignore in all files and it will generate groovylintrc.json file.
Format
- extends: Name of a base configuration (
recommended,recommended-jenkinsfile,all) - rules: List of rules definition, following format
"RuleSection.RuleName": ruleParametersor"RuleName": ruleParameters- RuleName: any of the CodeNarc rules
- ruleParameters: can be just a severity override (
"off","error","warning","info") , or a property list :- severity : off,error,warning,info
- enabled : true (default) or false
- any of the rule advanced properties
OR
- codenarcRulesets: Comma-separated string containing the list of
.xmlor.groovyCodeNarc RuleSet files (in case you already are a CodeNarc user and do not wish to switch to npm-groovy-lint config format)
Examples
1{ 2 "extends": "recommended", 3 "rules": { 4 "comments.ClassJavadoc": "off", 5 "formatting.Indentation": { 6 "spacesPerIndentLevel": 4, 7 "severity": "info" 8 }, 9 "UnnecessaryReturnKeyword": "error" 10 } 11}
1{ 2 "extends": "recommended-jenkinsfile", 3 "rules": { 4 "CouldBeElvis": "off", 5 "CouldBeSwitchStatement": "off", 6 "VariableName": { 7 "severity": "info" 8 } 9 } 10}
1{ 2 "codenarcRulesets": "RuleSet-1.groovy,RuleSet-2.groovy" 3}
Disabling rules in source
You can disable rules directly by adding comment in file, using eslint style
To temporarily disable rule warnings in your file, use block comments in the following format:
1/* groovylint-disable */ 2 3def variable = 1; 4 5/* groovylint-enable */
You can also disable or enable warnings for specific rules:
1/* groovylint-disable NoDef, UnnecessarySemicolon */ 2 3def variable = 1; 4 5/* groovylint-enable NoDef, UnnecessarySemicolon */
To disable rule warnings in an entire file, put a /* groovylint-disable */ block comment at the top of the file:
1/* groovylint-disable */ 2 3def variable = 1;
You can also disable or enable specific rules for an entire file:
1/* groovylint-disable NoDef */ 2 3def variable = 1;
To disable all rules on a specific line, use a line or block comment in one of the following formats:
1def variable = 1; // groovylint-disable-line 2 3// groovylint-disable-next-line 4def variable = 1; 5 6/* groovylint-disable-next-line */ 7def variable = 1; 8 9def variable = 1; /* groovylint-disable-line */
To disable a specific rule on a specific line:
1def variable = 1; // groovylint-disable-line NoDef 2 3// groovylint-disable-next-line NoDef 4def variable = 1; 5 6def variable = 1; /* groovylint-disable-line NoDef */ 7 8/* groovylint-disable-next-line NoDef */ 9def variable = 1;
To disable multiple rules on a specific line:
1def variable = 1; // groovylint-disable-line NoDef, UnnecessarySemicolon 2 3// groovylint-disable-next-line NoDef, UnnecessarySemicolon 4def variable = 1; 5 6def variable = 1; /* groovylint-disable-line NoDef, UnnecessarySemicolon */ 7 8/* groovylint-disable-next-line NoDef, UnnecessarySemicolon */ 9def variable = 1;
Auto-Fixable rules
- AssignmentInConditional
- BlankLineBeforePackage
- BlockEndsWithBlankLine
- BlockStartsWithBlankLine
- BracesForClass
- BracesForForLoop
- BracesForIfElse
- BracesForMethod
- BracesForTryCatchFinally
- ClassEndsWithBlankLine
- ClassStartsWithBlankLine
- ClosingBraceNotAlone
- ConsecutiveBlankLines
- DuplicateImport
- ElseBlockBraces
- ExplicitArrayListInstantiation
- ExplicitLinkedListInstantiation
- FileEndsWithoutNewline
- IfStatementBraces
- Indentation
- IndentationClosingBraces
- IndentationComments
- InsecureRandom
- MisorderedStaticImports
- MissingBlankLineAfterImports
- MissingBlankLineAfterPackage
- NoTabCharacter
- SpaceAfterCatch
- SpaceAfterComma
- SpaceAfterFor
- SpaceAfterIf
- SpaceAfterOpeningBrace
- SpaceAfterSemicolon
- SpaceAfterSwitch
- SpaceAfterWhile
- SpaceAroundOperator
- SpaceBeforeClosingBrace
- SpaceBeforeOpeningBrace
- TrailingWhitespace
- UnnecessaryDefInFieldDeclaration
- UnnecessaryDefInMethodDeclaration
- UnnecessaryDefInVariableDeclaration
- UnnecessaryDotClass
- UnnecessaryFinalOnPrivateMethod
- UnnecessaryGString
- UnnecessaryGroovyImport
- UnnecessaryPackageReference
- UnnecessaryParenthesesForMethodCallWithClosure
- UnnecessarySemicolon
- UnnecessaryToString
- UnusedImport
Contribute to add more rules fixes :)
CI/CD
Mega-Linter
Latest npm-groovy-lint version is natively integrated in Mega-Linter, that you can use as GitHub action or in other CI tools This tool can also automatically apply fixes on Pull Request branches
CircleCI
1# .circleci/config.yml 2version: 2.1 3jobs: 4 lint: 5 docker: 6 - image: nvuillam/npm-groovy-lint 7 steps: 8 - checkout 9 10 - run: | 11 npm-groovy-lint 12 13workflows: 14 version: 2 15 "lint": 16 jobs: 17 - lint
Jenkins
1node { 2 checkout scm 3 docker.image('nvuillam/npm-groovy-lint').inside { 4 sh 'npm-groovy-lint' 5 } 6}
Shell
Run with default settings
1docker run --rm -u "$(id -u):$(id -g)" -w=/tmp -v "$PWD":/tmp nvuillam/npm-groovy-lint
Run with additional flags by simply appending them at after docker image name:
1docker run --rm -u "$(id -u):$(id -g)" -w=/tmp -v "$PWD":/tmp nvuillam/npm-groovy-lint --failon warning --verbose
Other
You can run npm-groovy-lint using its official docker image
Use as module
You can import npm-groovy-lint into your NPM package and call lint & fix via module, using the same options than from npm-groovy-lint command line
Example
1 npm install npm-groovy-lint --save
1 const NpmGroovyLint = require("npm-groovy-lint/lib/groovy-lint.js"); 2 const fse = require("fs-extra"); 3 4 const npmGroovyLintConfig = { 5 source: fse.readFileSync('./lib/example/SampleFile.groovy').toString(), 6 fix: true, 7 loglevel: 'warning', 8 output: 'none' 9 }; 10 const linter = new NpmGroovyLint(npmGroovyLintConfig, {}); 11 await linter.run(); 12 console.log(JSON.stringify(linter.lintResult));
Troubleshooting
If you have issues with MegaLinter, you can report it on the repository
To help reproducing, you can access advanced logs using DEBUG env variables
Examples:
DEBUG=npm-groovy-lint npm-groovy-lint ....DEBUG=npm-groovy-lint,npm-groovy-lint-trace npm-groovy-lint ....
If you want to see what happens in CodeNarc Server, you can clone the repo and run locally npm server:run before running npm-groovy-lint: you'll see the live logs of the to CodeNarc Server for npm-groovy-lint.
Contribute
Contributions are very welcome !
Please follow Contribution instructions
Thanks
Other packages used
- CodeNarc: groovy lint
- java-caller: Easy call Java commands from Node
- slf4j: logging for CodeNarc
- log4j: logging for CodeNarc
- GMetrics: Code measures for CodeNarc
- Inspiration from eslint about configuration and run patterns
Contributors
 |  |  |  |  |  |
|---|---|---|---|---|---|
| Nicolas Vuillamy | Dave Gallant | Howard Lo | Pawel Kopka | docwhat | CatSue |
Release notes
See complete CHANGELOG
Stable Version
The latest stable version of the package.
Stable Version
15.0.2
CRITICAL
1
CRITICAL
0/10
Summary
Remote Code Execution in npm-groovy-lint
Affected Versions
< 9.1.0
Patched Versions
9.1.0
Reason
15 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
GitHub workflow tokens follow principle of least privilege
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/build-deploy-docs.yml:17
- Info: jobLevel permissions set to 'read-all': .github/workflows/deploy-BETA.yml:32
- Info: jobLevel permissions set to 'read-all': .github/workflows/deploy-BETA.yml:57
- Info: jobLevel permissions set to 'read-all': .github/workflows/deploy-RELEASE.yml:29
- Info: jobLevel permissions set to 'read-all': .github/workflows/deploy-RELEASE.yml:53
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/mega-linter.yml:32
- Info: topLevel permissions set to 'read-all': .github/workflows/build-deploy-docs.yml:8
- Info: topLevel permissions set to 'read-all': .github/workflows/deploy-BETA.yml:17
- Info: topLevel permissions set to 'read-all': .github/workflows/deploy-RELEASE.yml:16
- Info: topLevel 'contents' permission set to 'read': .github/workflows/lint.yml:12
- Info: topLevel permissions set to 'read-all': .github/workflows/mega-linter.yml:22
- Info: topLevel permissions set to 'read-all': .github/workflows/stale.yml:15
- Info: topLevel permissions set to 'read-all': .github/workflows/test.yml:5
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/deploy-BETA.yml:29
Reason
1 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
Reason
dependency not pinned by hash detected -- score normalized to 2
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-deploy-docs.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/build-deploy-docs.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-deploy-docs.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/build-deploy-docs.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-deploy-docs.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/build-deploy-docs.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-deploy-docs.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/build-deploy-docs.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-deploy-docs.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/build-deploy-docs.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-BETA.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/deploy-BETA.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-BETA.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/deploy-BETA.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-BETA.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/deploy-BETA.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-BETA.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/deploy-BETA.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-BETA.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/deploy-BETA.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-BETA.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/deploy-BETA.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-BETA.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/deploy-BETA.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-RELEASE.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/deploy-RELEASE.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-RELEASE.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/deploy-RELEASE.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-RELEASE.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/deploy-RELEASE.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-RELEASE.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/deploy-RELEASE.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-RELEASE.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/deploy-RELEASE.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-RELEASE.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/deploy-RELEASE.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-RELEASE.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/deploy-RELEASE.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-RELEASE.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/deploy-RELEASE.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy-RELEASE.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/deploy-RELEASE.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/lint.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/lint.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/lint.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/mega-linter.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/mega-linter.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/mega-linter.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/mega-linter.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/mega-linter.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/mega-linter.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/mega-linter.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/mega-linter.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/mega-linter.yml:88: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/mega-linter.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stale.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/stale.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/nvuillam/npm-groovy-lint/test.yml/main?enable=pin
- Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating alpine:3.20.2 to alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
- Warn: npmCommand not pinned by hash: Dockerfile:7-8
- Warn: pipCommand not pinned by hash: .github/workflows/build-deploy-docs.yml:28
- Info: 0 out of 19 GitHub-owned GitHubAction dependencies pinned
- Info: 1 out of 16 third-party GitHubAction dependencies pinned
- Info: 0 out of 1 containerImage dependencies pinned
- Info: 6 out of 7 npmCommand dependencies pinned
- Info: 0 out of 1 pipCommand dependencies pinned
Reason
Found 1/12 approved changesets -- score normalized to 0
Reason
binaries present in source code
Details
- Warn: binary detected: lib/java/CodeNarc-3.5.0.jar:1
- Warn: binary detected: lib/java/CodeNarcServer.jar:1
- Warn: binary detected: lib/java/GMetrics-2.1.0.jar:1
- Warn: binary detected: lib/java/commons-compiler-3.1.11.jar:1
- Warn: binary detected: lib/java/groovy/lib/ant-1.10.11.jar:1
- Warn: binary detected: lib/java/groovy/lib/ant-launcher-1.10.11.jar:1
- Warn: binary detected: lib/java/groovy/lib/commons-cli-1.4.jar:1
- Warn: binary detected: lib/java/groovy/lib/groovy-3.0.9.jar:1
- Warn: binary detected: lib/java/groovy/lib/groovy-ant-3.0.9.jar:1
- Warn: binary detected: lib/java/groovy/lib/groovy-cli-commons-3.0.9.jar:1
- Warn: binary detected: lib/java/groovy/lib/groovy-dateutil-3.0.9.jar:1
- Warn: binary detected: lib/java/groovy/lib/groovy-json-3.0.9.jar:1
- Warn: binary detected: lib/java/groovy/lib/groovy-templates-3.0.9.jar:1
- Warn: binary detected: lib/java/groovy/lib/groovy-xml-3.0.9.jar:1
- Warn: binary detected: lib/java/jackson-annotations-2.16.0.jar:1
- Warn: binary detected: lib/java/jackson-core-2.16.0.jar:1
- Warn: binary detected: lib/java/jackson-databind-2.16.0.jar:1
- Warn: binary detected: lib/java/janino-3.1.11.jar:1
- Warn: binary detected: lib/java/logback-classic-1.4.14.jar:1
- Warn: binary detected: lib/java/logback-core-1.4.14.jar:1
- Warn: binary detected: lib/java/slf4j-api-2.0.9.jar:1
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 27 are checked with a SAST tool
Score
5.2
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More