Reason

security policy file detected

Details

• Info: security policy file detected: SECURITY.md:1
• Info: Found linked content: SECURITY.md:1
• Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
• Info: Found text in security policy: SECURITY.md:1

Reason

all changesets reviewed

Reason

30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10

Reason

no dangerous workflow patterns detected

Reason

no binaries found in the repo

Reason

license file detected

Details

• Info: project has a license file: LICENSE.md:0
• Warn: project license file does not contain an FSF or OSI license.

Reason

SAST tool is not run on all commits -- score normalized to 9

Details

• Warn: 29 commits out of 30 are checked with a SAST tool

Reason

dependency not pinned by hash detected -- score normalized to 6

Details

• Warn: third-party GitHubAction not pinned by hash: .github/workflows/check_pr_title.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/check_pr_title.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/create-hotfix-branch.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/create-hotfix-branch.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-npm.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/deploy-npm.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-npm.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/deploy-npm.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-sanity-suite.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/deploy-sanity-suite.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy-sanity-suite.yml:93: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/deploy-sanity-suite.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy.yml:89: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/deploy.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy.yml:102: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/deploy.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/draft-new-release.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/draft-new-release.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/draft-new-release.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/draft-new-release.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/draft-new-release.yml:146: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/draft-new-release.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/housekeeping.yaml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/housekeeping.yaml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/housekeeping.yaml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/housekeeping.yaml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-new-release.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/publish-new-release.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-new-release.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/publish-new-release.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rollback.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/rollback.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rollback.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/rollback.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rollback.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/rollback.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rollback.yml:121: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/rollback.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security-code-quality-and-bundle-size-checks.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/security-code-quality-and-bundle-size-checks.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security-code-quality-and-bundle-size-checks.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/security-code-quality-and-bundle-size-checks.yml/develop?enable=pin
• Warn: third-party GitHubAction not pinned by hash: .github/workflows/security-code-quality-and-bundle-size-checks.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/security-code-quality-and-bundle-size-checks.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security-code-quality-and-bundle-size-checks.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/security-code-quality-and-bundle-size-checks.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security-code-quality-and-bundle-size-checks.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/security-code-quality-and-bundle-size-checks.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/trigger-test-suites.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/trigger-test-suites.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-tests-and-lint.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/unit-tests-and-lint.yml/develop?enable=pin
• Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit-tests-and-lint.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/rudderlabs/rudder-sdk-js/unit-tests-and-lint.yml/develop?enable=pin
• Warn: npmCommand not pinned by hash: .github/workflows/draft-new-release.yml:104
• Info: 0 out of 25 GitHub-owned GitHubAction dependencies pinned
• Info: 15 out of 17 third-party GitHubAction dependencies pinned
• Info: 0 out of 1 npmCommand dependencies pinned

Reason

branch protection is not maximal on development and all release branches

Details

• Info: 'allow deletion' disabled on branch 'develop'
• Info: 'force pushes' disabled on branch 'develop'
• Warn: 'branch protection settings apply to administrators' is disabled on branch 'develop'
• Info: 'stale review dismissal' is required to merge on branch 'develop'
• Warn: required approving review count is 1 on branch 'develop'
• Info: codeowner review is required on branch 'develop'
• Info: 'last push approval' is required to merge on branch 'develop'
• Warn: 'up-to-date branches' is disabled on branch 'develop'
• Info: status check found to merge onto on branch 'develop'
• Info: PRs are required in order to make changes on branch 'develop'

Reason

5 existing vulnerabilities detected

Details

• Warn: Project is vulnerable to: GHSA-4www-5p9h-95mh
• Warn: Project is vulnerable to: GHSA-9gqv-wp59-fq42
• Warn: Project is vulnerable to: GHSA-356w-63v5-8wf4
• Warn: Project is vulnerable to: GHSA-859w-5945-r5v3
• Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99

Reason

no effort to earn an OpenSSF best practices badge detected

Reason

detected GitHub workflow tokens with excessive permissions

Details

• Warn: no topLevel permission defined: .github/workflows/check_pr_title.yml:1
• Warn: no topLevel permission defined: .github/workflows/create-hotfix-branch.yml:1
• Info: topLevel 'contents' permission set to 'read': .github/workflows/deploy-beta.yml:12
• Warn: no topLevel permission defined: .github/workflows/deploy-dev.yml:1
• Info: topLevel 'contents' permission set to 'read': .github/workflows/deploy-npm.yml:22
• Warn: no topLevel permission defined: .github/workflows/deploy-prod.yml:1
• Info: topLevel 'contents' permission set to 'read': .github/workflows/deploy-sanity-suite.yml:36
• Warn: no topLevel permission defined: .github/workflows/deploy-staging.yml:1
• Info: topLevel 'contents' permission set to 'read': .github/workflows/deploy.yml:48
• Warn: no topLevel permission defined: .github/workflows/draft-new-release.yml:1
• Warn: no topLevel permission defined: .github/workflows/housekeeping.yaml:1
• Warn: no topLevel permission defined: .github/workflows/publish-new-release.yml:1
• Warn: topLevel 'contents' permission set to 'write': .github/workflows/rollback.yml:12
• Warn: no topLevel permission defined: .github/workflows/security-code-quality-and-bundle-size-checks.yml:1
• Warn: no topLevel permission defined: .github/workflows/trigger-test-suites.yml:1
• Warn: no topLevel permission defined: .github/workflows/unit-tests-and-lint.yml:1
• Warn: no topLevel permission defined: .github/workflows/validate-actor.yml:1
• Info: no jobLevel write permissions found

Reason

project is not fuzzed

Details

• Warn: no fuzzer integrations found