OpenSSF Scorecard Results
- 1 What is OpenSSF Scorecard?
- 1.1 How to run Scorecard with Docker
- 1.2 Results
- 1.2.1 policy/clamp
- 1.2.2 policy/parent
- 1.2.3 policy/models
- 1.2.4 policy/common
- 1.2.5 policy/docker
- 1.2.6 policy/api
- 1.2.7 policy/pap
- 1.2.8 policy/apex-pdp
- 1.2.9 policy/xacml-pdp
- 1.2.10 policy/opa-pdp
- 1.2.11 policy/drools-pdp
- 1.2.12 policy/drools-applications
- 1.2.13 policy/distribution
- 1.3 Useful links
What is OpenSSF Scorecard?
OpenSSF Scorecard aims to help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe.
Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.
How to run Scorecard with Docker
Please make sure you have generated a GitHub personal access token prior to running Scorecard (the token is passed to the container via the GITHUB_AUTH_TOKEN environment variable): https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic
docker pull gcr.io/openssf/scorecard:stable
docker run -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:stable --show-details --repo=<REPO_URL>
Results
At a glance (aggregate Scorecard score per repository):
Repository | Aggregate score |
---------------------------|--------|
policy/clamp | 5.0/10 |
policy/parent | 4.0/10 |
policy/models | 4.0/10 |
policy/common | 4.4/10 |
policy/docker | 4.8/10 |
policy/api | 4.4/10 |
policy/pap | 4.4/10 |
policy/apex-pdp | 4.3/10 |
policy/xacml-pdp | 4.4/10 |
policy/opa-pdp | 3.5/10 |
policy/drools-pdp | 4.1/10 |
policy/drools-applications | 4.4/10 |
policy/distribution | 2.8/10 |
policy/clamp
Starting [Dangerous-Workflow]
Starting [SAST]
Starting [Pinned-Dependencies]
Starting [Branch-Protection]
Starting [Security-Policy]
Starting [Code-Review]
Starting [Binary-Artifacts]
Starting [Token-Permissions]
Starting [License]
Starting [CII-Best-Practices]
Starting [Dependency-Update-Tool]
Starting [Vulnerabilities]
Starting [Signed-Releases]
Starting [Contributors]
Starting [CI-Tests]
Starting [Fuzzing]
Starting [Maintained]
Starting [Packaging]
Finished [CI-Tests]
Finished [Fuzzing]
Finished [Maintained]
Finished [Packaging]
Finished [Dangerous-Workflow]
Finished [SAST]
Finished [Pinned-Dependencies]
Finished [Branch-Protection]
Finished [Security-Policy]
Finished [Code-Review]
Finished [Binary-Artifacts]
Finished [Token-Permissions]
Finished [License]
Finished [CII-Best-Practices]
Finished [Dependency-Update-Tool]
Finished [Vulnerabilities]
Finished [Signed-Releases]
Finished [Contributors]
RESULTS
-------
Aggregate score: 5.0 / 10
Check scores:
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Branch-Protection | branch protection not enabled | Warn: branch protection not | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#branch-protection |
| | | on development/release | enabled for branch 'master' | |
| | | branches | | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | CI-Tests | no pull request found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#ci-tests |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#cii-best-practices |
| | | best practices badge detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Code-Review | Found 0/30 approved changesets | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#code-review |
| | | -- score normalized to 0 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors | project has 7 contributing | Info: found contributions | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#contributors |
| | | companies or organizations | from: at&t, ericsson, ericsson | |
| | | | software technology, huawei, | |
| | | | nephio-project, onap, sidero | |
| | | | ltd | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dangerous-workflow |
| | | detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected | Info: detected update | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dependency-update-tool |
| | | | tool: Dependabot: | |
| | | | .github/dependabot.yml:1 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed | Warn: no fuzzer integrations | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#fuzzing |
| | | | found | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10 | License | license file detected | Info: project has a license | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#license |
| | | | file: LICENSE.txt:0 Warn: | |
| | | | project license file does not | |
| | | | contain an FSF or OSI license. | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained | 30 commit(s) and 0 issue | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#maintained |
| | | activity found in the last 90 | |
| | | days -- score normalized to 10 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Packaging | packaging workflow not | Warn: no GitHub/GitLab | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#packaging |
| | | detected | publishing workflow detected. | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Pinned-Dependencies | dependency not pinned by hash | Warn: GitHub-owned GitHubAction not pinned by hash: | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#pinned-dependencies |
| | | detected -- score normalized | .github/workflows/gerrit-clamp-performance-test.yaml:75: update your workflow using | |
| | | to 0 | https://app.stepsecurity.io/secureworkflow/onap/policy-clamp/gerrit-clamp-performance-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-clamp-performance-test.yaml:82: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-clamp/gerrit-clamp-performance-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-clamp-performance-test.yaml:88: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-clamp/gerrit-clamp-performance-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-clamp-stability-test.yaml:75: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-clamp/gerrit-clamp-stability-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-clamp-stability-test.yaml:82: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-clamp/gerrit-clamp-stability-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-clamp-stability-test.yaml:88: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-clamp/gerrit-clamp-stability-test.yaml/master?enable=pin | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | packages/policy-clamp-docker/src/main/docker/A1pmsParticipant-Suse.Dockerfile:21 Warn: containerImage | |
| | | | not pinned by hash: packages/policy-clamp-docker/src/main/docker/A1pmsParticipant-Suse.Dockerfile:26: | |
| | | | pin your Docker image by updating opensuse/leap:15.4 to | |
| | | | opensuse/leap:15.4@sha256:6b5d2aaf5dd15233269c9dc0de9a9e1c9585e46cdf9aaaaaeac1acb3091a3a74 Warn: | |
| | | | containerImage not pinned by hash: packages/policy-clamp-docker/src/main/docker/A1pmsParticipant.Dockerfile:21 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | packages/policy-clamp-docker/src/main/docker/A1pmsParticipant.Dockerfile:26 Warn: containerImage not pinned | |
| | | | by hash: packages/policy-clamp-docker/src/main/docker/AcmRuntime-Suse.Dockerfile:21 Warn: containerImage | |
| | | | not pinned by hash: packages/policy-clamp-docker/src/main/docker/AcmRuntime-Suse.Dockerfile:26: | |
| | | | pin your Docker image by updating opensuse/leap:15.4 to | |
| | | | opensuse/leap:15.4@sha256:6b5d2aaf5dd15233269c9dc0de9a9e1c9585e46cdf9aaaaaeac1acb3091a3a74 Warn: | |
| | | | containerImage not pinned by hash: packages/policy-clamp-docker/src/main/docker/AcmRuntime.Dockerfile:21 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | packages/policy-clamp-docker/src/main/docker/AcmRuntime.Dockerfile:26 Warn: containerImage not pinned by | |
| | | | hash: packages/policy-clamp-docker/src/main/docker/ElementParticipant-Suse.Dockerfile:21 Warn: containerImage | |
| | | | not pinned by hash: packages/policy-clamp-docker/src/main/docker/ElementParticipant-Suse.Dockerfile:26: | |
| | | | pin your Docker image by updating opensuse/leap:15.4 to | |
| | | | opensuse/leap:15.4@sha256:6b5d2aaf5dd15233269c9dc0de9a9e1c9585e46cdf9aaaaaeac1acb3091a3a74 Warn: containerImage | |
| | | | not pinned by hash: packages/policy-clamp-docker/src/main/docker/ElementParticipant.Dockerfile:21 Warn: | |
| | | | containerImage not pinned by hash: packages/policy-clamp-docker/src/main/docker/ElementParticipant.Dockerfile:26 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | packages/policy-clamp-docker/src/main/docker/HttpParticipant-Suse.Dockerfile:21 Warn: containerImage | |
| | | | not pinned by hash: packages/policy-clamp-docker/src/main/docker/HttpParticipant-Suse.Dockerfile:26: | |
| | | | pin your Docker image by updating opensuse/leap:15.4 to | |
| | | | opensuse/leap:15.4@sha256:6b5d2aaf5dd15233269c9dc0de9a9e1c9585e46cdf9aaaaaeac1acb3091a3a74 Warn: containerImage | |
| | | | not pinned by hash: packages/policy-clamp-docker/src/main/docker/HttpParticipant.Dockerfile:21 Warn: | |
| | | | containerImage not pinned by hash: packages/policy-clamp-docker/src/main/docker/HttpParticipant.Dockerfile:26 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | packages/policy-clamp-docker/src/main/docker/KserveParticipant-Suse.Dockerfile:21 Warn: containerImage | |
| | | | not pinned by hash: packages/policy-clamp-docker/src/main/docker/KserveParticipant-Suse.Dockerfile:26: | |
| | | | pin your Docker image by updating opensuse/leap:15.4 to | |
| | | | opensuse/leap:15.4@sha256:6b5d2aaf5dd15233269c9dc0de9a9e1c9585e46cdf9aaaaaeac1acb3091a3a74 Warn: containerImage | |
| | | | not pinned by hash: packages/policy-clamp-docker/src/main/docker/KserveParticipant.Dockerfile:21 Warn: | |
| | | | containerImage not pinned by hash: packages/policy-clamp-docker/src/main/docker/KserveParticipant.Dockerfile:26 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | packages/policy-clamp-docker/src/main/docker/KubernetesParticipant-Suse.Dockerfile:21 Warn: containerImage | |
| | | | not pinned by hash: packages/policy-clamp-docker/src/main/docker/KubernetesParticipant-Suse.Dockerfile:26: | |
| | | | pin your Docker image by updating opensuse/leap:15.4 to | |
| | | | opensuse/leap:15.4@sha256:6b5d2aaf5dd15233269c9dc0de9a9e1c9585e46cdf9aaaaaeac1acb3091a3a74 Warn: containerImage | |
| | | | not pinned by hash: packages/policy-clamp-docker/src/main/docker/KubernetesParticipant.Dockerfile:21 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | packages/policy-clamp-docker/src/main/docker/KubernetesParticipant.Dockerfile:26 Warn: containerImage not pinned | |
| | | | by hash: packages/policy-clamp-docker/src/main/docker/PolicyParticipant-Suse.Dockerfile:21 Warn: containerImage | |
| | | | not pinned by hash: packages/policy-clamp-docker/src/main/docker/PolicyParticipant-Suse.Dockerfile:26: | |
| | | | pin your Docker image by updating opensuse/leap:15.4 to | |
| | | | opensuse/leap:15.4@sha256:6b5d2aaf5dd15233269c9dc0de9a9e1c9585e46cdf9aaaaaeac1acb3091a3a74 Warn: containerImage | |
| | | | not pinned by hash: packages/policy-clamp-docker/src/main/docker/PolicyParticipant.Dockerfile:21 Warn: | |
| | | | containerImage not pinned by hash: packages/policy-clamp-docker/src/main/docker/PolicyParticipant.Dockerfile:26 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | packages/policy-clamp-docker/src/main/docker/SimParticipant-Suse.Dockerfile:21 Warn: containerImage | |
| | | | not pinned by hash: packages/policy-clamp-docker/src/main/docker/SimParticipant-Suse.Dockerfile:26: | |
| | | | pin your Docker image by updating opensuse/leap:15.4 to | |
| | | | opensuse/leap:15.4@sha256:6b5d2aaf5dd15233269c9dc0de9a9e1c9585e46cdf9aaaaaeac1acb3091a3a74 Warn: containerImage | |
| | | | not pinned by hash: packages/policy-clamp-docker/src/main/docker/SimParticipant.Dockerfile:21 Warn: | |
| | | | containerImage not pinned by hash: packages/policy-clamp-docker/src/main/docker/SimParticipant.Dockerfile:26 | |
| | | | Info: 0 out of 6 GitHub-owned GitHubAction dependencies pinned Info: 0 out of 32 containerImage | |
| | | | dependencies pinned | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | SAST | no SAST tool detected | Warn: no pull requests merged | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#sast |
| | | | into dev branch | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | Warn: no security policy file | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#security-policy |
| | | detected | detected Warn: no security | |
| | | | file to analyze Warn: no | |
| | | | security file to analyze Warn: | |
| | | | no security file to analyze | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#signed-releases |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Token-Permissions | detected GitHub workflow | Warn: no topLevel permission defined: | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#token-permissions |
| | | tokens with excessive | .github/workflows/gerrit-clamp-performance-test.yaml:1 | |
| | | permissions | Warn: no topLevel permission defined: | |
| | | | .github/workflows/gerrit-clamp-stability-test.yaml:1 | |
| | | | Info: no jobLevel write permissions found | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | 0 existing vulnerabilities | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#vulnerabilities |
| | | detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
policy/parent
Starting [CI-Tests]
Starting [Dangerous-Workflow]
Starting [Vulnerabilities]
Starting [Binary-Artifacts]
Starting [Code-Review]
Starting [Maintained]
Starting [SAST]
Starting [Contributors]
Starting [Fuzzing]
Starting [Dependency-Update-Tool]
Starting [Packaging]
Starting [Signed-Releases]
Starting [CII-Best-Practices]
Starting [License]
Starting [Token-Permissions]
Starting [Pinned-Dependencies]
Starting [Branch-Protection]
Starting [Security-Policy]
Finished [Binary-Artifacts]
Finished [Code-Review]
Finished [Maintained]
Finished [SAST]
Finished [Contributors]
Finished [Fuzzing]
Finished [Dependency-Update-Tool]
Finished [Packaging]
Finished [Signed-Releases]
Finished [CII-Best-Practices]
Finished [License]
Finished [Token-Permissions]
Finished [Pinned-Dependencies]
Finished [Branch-Protection]
Finished [Security-Policy]
Finished [CI-Tests]
Finished [Dangerous-Workflow]
Finished [Vulnerabilities]
RESULTS
-------
Aggregate score: 4.0 / 10
Check scores:
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Branch-Protection | branch protection not enabled | Warn: branch protection not | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#branch-protection |
| | | on development/release | enabled for branch 'master' | |
| | | branches | | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | CI-Tests | no pull request found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#ci-tests |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#cii-best-practices |
| | | best practices badge detected | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Code-Review | Found 0/30 approved changesets | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#code-review |
| | | -- score normalized to 0 | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors | project has 5 contributing | Info: found contributions | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#contributors |
| | | companies or organizations | from: bell canada, ericsson, | |
| | | | nephio-project, onap, sidero | |
| | | | ltd | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Dangerous-Workflow | no workflows found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dangerous-workflow |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Dependency-Update-Tool | no update tool detected | Warn: no dependency update | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dependency-update-tool |
| | | | tool configurations found | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed | Warn: no fuzzer integrations | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#fuzzing |
| | | | found | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10 | License | license file detected | Info: project has a license | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#license |
| | | | file: LICENSE.txt:0 Warn: | |
| | | | project license file does not | |
| | | | contain an FSF or OSI license. | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained | 16 commit(s) and 0 issue | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#maintained |
| | | activity found in the last 90 | |
| | | days -- score normalized to 10 | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Packaging | packaging workflow not | Warn: no GitHub/GitLab | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#packaging |
| | | detected | publishing workflow detected. | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Pinned-Dependencies | no dependencies found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#pinned-dependencies |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | SAST | no SAST tool detected | Warn: no pull requests merged | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#sast |
| | | | into dev branch | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | Warn: no security policy file | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#security-policy |
| | | detected | detected Warn: no security | |
| | | | file to analyze Warn: no | |
| | | | security file to analyze Warn: | |
| | | | no security file to analyze | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#signed-releases |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Token-Permissions | No tokens found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#token-permissions |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | 0 existing vulnerabilities | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#vulnerabilities |
| | | detected | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
policy/models
Starting [Signed-Releases]
Starting [License]
Starting [Code-Review]
Starting [Packaging]
Starting [Token-Permissions]
Starting [CII-Best-Practices]
Starting [Dependency-Update-Tool]
Starting [Branch-Protection]
Starting [Binary-Artifacts]
Starting [Pinned-Dependencies]
Starting [SAST]
Starting [Security-Policy]
Starting [Vulnerabilities]
Starting [Fuzzing]
Starting [Contributors]
Starting [Dangerous-Workflow]
Starting [Maintained]
Starting [CI-Tests]
Finished [Vulnerabilities]
Finished [Fuzzing]
Finished [Contributors]
Finished [Dangerous-Workflow]
Finished [Maintained]
Finished [CI-Tests]
Finished [Signed-Releases]
Finished [License]
Finished [Code-Review]
Finished [Packaging]
Finished [Token-Permissions]
Finished [CII-Best-Practices]
Finished [Dependency-Update-Tool]
Finished [Branch-Protection]
Finished [Binary-Artifacts]
Finished [Pinned-Dependencies]
Finished [SAST]
Finished [Security-Policy]
RESULTS
-------
Aggregate score: 4.0 / 10
Check scores:
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Branch-Protection | branch protection not enabled | Warn: branch protection not | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#branch-protection |
| | | on development/release | enabled for branch 'master' | |
| | | branches | | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | CI-Tests | no pull request found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#ci-tests |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#cii-best-practices |
| | | best practices badge detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Code-Review | Found 0/30 approved changesets | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#code-review |
| | | -- score normalized to 0 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors | project has 3 contributing | Info: found contributions | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#contributors |
| | | companies or organizations -- | from: ericsson, | |
| | | score normalized to 10 | nephio-project, onap | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Dangerous-Workflow | no workflows found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dangerous-workflow |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected | Info: detected update | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dependency-update-tool |
| | | | tool: Dependabot: | |
| | | | .github/dependabot.yml:1 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed | Warn: no fuzzer integrations | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#fuzzing |
| | | | found | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10 | License | license file detected | Info: project has a license | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#license |
| | | | file: LICENSE.txt:0 Warn: | |
| | | | project license file does not | |
| | | | contain an FSF or OSI license. | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 2 / 10 | Maintained | 3 commit(s) and 0 issue | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#maintained |
| | | activity found in the last 90 | |
| | | days -- score normalized to 2 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Packaging | packaging workflow not | Warn: no GitHub/GitLab | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#packaging |
| | | detected | publishing workflow detected. | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Pinned-Dependencies | dependency not pinned by hash | Warn: containerImage not pinned by hash: | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#pinned-dependencies |
| | | detected -- score normalized | models-sim/packages/models-simulator-docker/src/main/docker/Dockerfile:24 | |
| | | to 0 | Warn: containerImage not pinned by hash: | |
| | | | models-sim/packages/models-simulator-docker/src/main/docker/Dockerfile:29 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | models-sim/packages/models-simulator-docker/src/main/docker/suse.Dockerfile:22 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | models-sim/packages/models-simulator-docker/src/main/docker/suse.Dockerfile:27: | |
| | | | pin your Docker image by updating opensuse/leap:15.4 to | |
| | | | opensuse/leap:15.4@sha256:6b5d2aaf5dd15233269c9dc0de9a9e1c9585e46cdf9aaaaaeac1acb3091a3a74 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | models-sim/policy-models-sim-pdp/src/main/package/docker/Dockerfile:26 Info: 0 out of | |
| | | | 5 containerImage dependencies pinned | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | SAST | no SAST tool detected | Warn: no pull requests merged | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#sast |
| | | | into dev branch | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | Warn: no security policy file | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#security-policy |
| | | detected | detected Warn: no security | |
| | | | file to analyze Warn: no | |
| | | | security file to analyze Warn: | |
| | | | no security file to analyze | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#signed-releases |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Token-Permissions | No tokens found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#token-permissions |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | 0 existing vulnerabilities | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#vulnerabilities |
| | | detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
policy/common
Starting [SAST]
Starting [Binary-Artifacts]
Starting [License]
Starting [Contributors]
Starting [Pinned-Dependencies]
Starting [Branch-Protection]
Starting [Packaging]
Starting [Signed-Releases]
Starting [Fuzzing]
Starting [Dependency-Update-Tool]
Starting [CII-Best-Practices]
Starting [Vulnerabilities]
Starting [Dangerous-Workflow]
Starting [Token-Permissions]
Starting [Security-Policy]
Starting [Code-Review]
Starting [CI-Tests]
Starting [Maintained]
Finished [Token-Permissions]
Finished [Security-Policy]
Finished [Code-Review]
Finished [CI-Tests]
Finished [Maintained]
Finished [SAST]
Finished [Binary-Artifacts]
Finished [License]
Finished [Contributors]
Finished [Pinned-Dependencies]
Finished [Branch-Protection]
Finished [Packaging]
Finished [Signed-Releases]
Finished [Fuzzing]
Finished [Dependency-Update-Tool]
Finished [CII-Best-Practices]
Finished [Vulnerabilities]
Finished [Dangerous-Workflow]
RESULTS
-------
Aggregate score: 4.4 / 10
Check scores:
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Branch-Protection | branch protection not enabled | Warn: branch protection not | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#branch-protection |
| | | on development/release | enabled for branch 'master' | |
| | | branches | | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | CI-Tests | no pull request found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#ci-tests |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#cii-best-practices |
| | | best practices badge detected | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Code-Review | Found 0/30 approved changesets | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#code-review |
| | | -- score normalized to 0 | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors | project has 3 contributing | Info: found contributions | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#contributors |
| | | companies or organizations -- | from: ericsson, | |
| | | score normalized to 10 | nephio-project, onap | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Dangerous-Workflow | no workflows found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dangerous-workflow |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected | Info: detected update | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dependency-update-tool |
| | | | tool: Dependabot: | |
| | | | .github/dependabot.yml:1 | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed | Warn: no fuzzer integrations | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#fuzzing |
| | | | found | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10 | License | license file detected | Info: project has a license | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#license |
| | | | file: LICENSE.txt:0 Warn: | |
| | | | project license file does not | |
| | | | contain an FSF or OSI license. | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 3 / 10 | Maintained | 4 commit(s) and 0 issue | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#maintained |
| | | activity found in the last 90 | |
| | | days -- score normalized to 3 | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Packaging | packaging workflow not | Warn: no GitHub/GitLab | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#packaging |
| | | detected | publishing workflow detected. | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Pinned-Dependencies | no dependencies found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#pinned-dependencies |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | SAST | no SAST tool detected | Warn: no pull requests merged | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#sast |
| | | | into dev branch | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | Warn: no security policy file | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#security-policy |
| | | detected | detected Warn: no security | |
| | | | file to analyze Warn: no | |
| | | | security file to analyze Warn: | |
| | | | no security file to analyze | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#signed-releases |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Token-Permissions | No tokens found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#token-permissions |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | 0 existing vulnerabilities | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#vulnerabilities |
| | | detected | |
|---------|------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
policy/docker
Starting [Vulnerabilities]
Starting [Signed-Releases]
Starting [Dangerous-Workflow]
Starting [Security-Policy]
Starting [License]
Starting [CII-Best-Practices]
Starting [Binary-Artifacts]
Starting [Token-Permissions]
Starting [SAST]
Starting [Maintained]
Starting [Contributors]
Starting [Dependency-Update-Tool]
Starting [CI-Tests]
Starting [Code-Review]
Starting [Pinned-Dependencies]
Starting [Packaging]
Starting [Fuzzing]
Starting [Branch-Protection]
Finished [Pinned-Dependencies]
Finished [Packaging]
Finished [Fuzzing]
Finished [Branch-Protection]
Finished [Vulnerabilities]
Finished [Signed-Releases]
Finished [Dangerous-Workflow]
Finished [Security-Policy]
Finished [License]
Finished [CII-Best-Practices]
Finished [Binary-Artifacts]
Finished [Token-Permissions]
Finished [SAST]
Finished [Maintained]
Finished [Contributors]
Finished [Dependency-Update-Tool]
Finished [CI-Tests]
Finished [Code-Review]
RESULTS
-------
Aggregate score: 4.8 / 10
Check scores:
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Branch-Protection | branch protection not enabled | Warn: branch protection not | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#branch-protection |
| | | on development/release | enabled for branch 'master' | |
| | | branches | | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | CI-Tests | no pull request found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#ci-tests |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#cii-best-practices |
| | | best practices badge detected | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Code-Review | Found 0/30 approved changesets | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#code-review |
| | | -- score normalized to 0 | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors | project has 5 contributing | Info: found contributions | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#contributors |
| | | companies or organizations | from: ericsson, ericsson | |
| | | | software technology, | |
| | | | nephio-project, onap, sidero | |
| | | | ltd | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Dangerous-Workflow | no workflows found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dangerous-workflow |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected | Info: detected update | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dependency-update-tool |
| | | | tool: Dependabot: | |
| | | | .github/dependabot.yml:1 | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed | Warn: no fuzzer integrations | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#fuzzing |
| | | | found | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10 | License | license file detected | Info: project has a license | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#license |
| | | | file: LICENSE.txt:0 Warn: | |
| | | | project license file does not | |
| | | | contain an FSF or OSI license. | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained | 16 commit(s) and 0 issue | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#maintained |
| | | activity found in the last 90 | |
| | | days -- score normalized to 10 | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Packaging | packaging workflow not | Warn: no GitHub/GitLab | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#packaging |
| | | detected | publishing workflow detected. | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Pinned-Dependencies | dependency not pinned by hash | Warn: containerImage not pinned by hash: csit/resources/Dockerfile:1: pin your | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#pinned-dependencies |
| | | detected -- score normalized | Docker image by updating nexus3.onap.org:10001/library/python:3.13-slim-bullseye to | |
| | | to 0 | nexus3.onap.org:10001/library/python:3.13-slim-bullseye@sha256:e98b521460ee75bca92175c16247bdf7275637a8faaeb2bcfa19d879ae5c4b9a | |
| | | | Warn: containerImage not pinned by hash: policy-db-migrator/src/main/docker/Dockerfile:21 Warn: containerImage not pinned | |
| | | | by hash: policy-db-migrator/src/main/docker/suse.Dockerfile:21: pin your Docker image by updating opensuse/leap:15.4 | |
| | | | to opensuse/leap:15.4@sha256:6b5d2aaf5dd15233269c9dc0de9a9e1c9585e46cdf9aaaaaeac1acb3091a3a74 Warn: containerImage | |
| | | | not pinned by hash: policy-jdk/alpine/src/main/docker/Dockerfile:21: pin your Docker image by updating alpine:3.20.3 | |
| | | | to alpine:3.20.3@sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a Warn: containerImage not | |
| | | | pinned by hash: policy-jre/alpine/src/main/docker/Dockerfile:21: pin your Docker image by updating alpine:3.20.3 to | |
| | | | alpine:3.20.3@sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a Info: 0 out of 5 containerImage | |
| | | | dependencies pinned | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | SAST | no SAST tool detected | Warn: no pull requests merged | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#sast |
| | | | into dev branch | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | Warn: no security policy file | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#security-policy |
| | | detected | detected Warn: no security | |
| | | | file to analyze Warn: no | |
| | | | security file to analyze Warn: | |
| | | | no security file to analyze | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#signed-releases |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Token-Permissions | No tokens found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#token-permissions |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | 0 existing vulnerabilities | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#vulnerabilities |
| | | detected | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
policy/api
Starting [Dangerous-Workflow]
Starting [Packaging]
Starting [Maintained]
Starting [SAST]
Starting [Signed-Releases]
Starting [Vulnerabilities]
Starting [Contributors]
Starting [Security-Policy]
Starting [Dependency-Update-Tool]
Starting [Pinned-Dependencies]
Starting [Fuzzing]
Starting [Code-Review]
Starting [Binary-Artifacts]
Starting [CI-Tests]
Starting [CII-Best-Practices]
Starting [Branch-Protection]
Starting [Token-Permissions]
Starting [License]
Aggregate score: 4.4 / 10
Check scores:
Finished [Signed-Releases]
Finished [Vulnerabilities]
Finished [Contributors]
Finished [Security-Policy]
Finished [Dependency-Update-Tool]
Finished [Pinned-Dependencies]
Finished [Fuzzing]
Finished [Code-Review]
Finished [Binary-Artifacts]
Finished [CI-Tests]
Finished [CII-Best-Practices]
Finished [Branch-Protection]
Finished [Token-Permissions]
Finished [License]
Finished [Dangerous-Workflow]
Finished [Packaging]
Finished [Maintained]
Finished [SAST]
RESULTS
-------
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Branch-Protection | branch protection not enabled | Warn: branch protection not | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#branch-protection |
| | | on development/release | enabled for branch 'master' | |
| | | branches | | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | CI-Tests | no pull request found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#ci-tests |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#cii-best-practices |
| | | best practices badge detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Code-Review | Found 0/30 approved changesets | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#code-review |
| | | -- score normalized to 0 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors | project has 3 contributing | Info: found contributions | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#contributors |
| | | companies or organizations -- | from: ericsson, | |
| | | score normalized to 10 | nephio-project, onap | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dangerous-workflow |
| | | detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected | Info: detected update | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dependency-update-tool |
| | | | tool: Dependabot: | |
| | | | .github/dependabot.yml:1 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed | Warn: no fuzzer integrations | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#fuzzing |
| | | | found | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10 | License | license file detected | Info: project has a license | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#license |
| | | | file: LICENSE.txt:0 Warn: | |
| | | | project license file does not | |
| | | | contain an FSF or OSI license. | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 3 / 10 | Maintained | 4 commit(s) and 0 issue | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#maintained |
| | | activity found in the last 90 | |
| | | days -- score normalized to 3 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Packaging | packaging workflow not | Warn: no GitHub/GitLab | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#packaging |
| | | detected | publishing workflow detected. | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Pinned-Dependencies | dependency not pinned by hash | Warn: GitHub-owned GitHubAction not pinned by hash: | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#pinned-dependencies |
| | | detected -- score normalized | .github/workflows/gerrit-policy-api-performance.yaml:75: update your workflow using | |
| | | to 0 | https://app.stepsecurity.io/secureworkflow/onap/policy-api/gerrit-policy-api-performance.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-policy-api-performance.yaml:82: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-api/gerrit-policy-api-performance.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-policy-api-performance.yaml:88: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-api/gerrit-policy-api-performance.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-policy-api-stability.yaml:75: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-api/gerrit-policy-api-stability.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-policy-api-stability.yaml:82: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-api/gerrit-policy-api-stability.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-policy-api-stability.yaml:88: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-api/gerrit-policy-api-stability.yaml/master?enable=pin | |
| | | | Warn: containerImage not pinned by hash: packages/policy-api-docker/src/main/docker/Dockerfile:24 | |
| | | | Warn: containerImage not pinned by hash: packages/policy-api-docker/src/main/docker/Dockerfile:29 | |
| | | | Warn: containerImage not pinned by hash: packages/policy-api-docker/src/main/docker/suse.Dockerfile:22 | |
| | | | Warn: containerImage not pinned by hash: packages/policy-api-docker/src/main/docker/suse.Dockerfile:27: | |
| | | | pin your Docker image by updating opensuse/leap:15.4 to | |
| | | | opensuse/leap:15.4@sha256:6b5d2aaf5dd15233269c9dc0de9a9e1c9585e46cdf9aaaaaeac1acb3091a3a74 Info: 0 out of 6 | |
| | | | GitHub-owned GitHubAction dependencies pinned Info: 0 out of 4 containerImage dependencies pinned | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | SAST | no SAST tool detected | Warn: no pull requests merged | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#sast |
| | | | into dev branch | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | Warn: no security policy file | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#security-policy |
| | | detected | detected Warn: no security | |
| | | | file to analyze Warn: no | |
| | | | security file to analyze Warn: | |
| | | | no security file to analyze | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#signed-releases |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Token-Permissions | detected GitHub workflow | Warn: no topLevel permission defined: | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#token-permissions |
| | | tokens with excessive | .github/workflows/gerrit-policy-api-performance.yaml:1 | |
| | | permissions | Warn: no topLevel permission defined: | |
| | | | .github/workflows/gerrit-policy-api-stability.yaml:1 | |
| | | | Info: no jobLevel write permissions found | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | 0 existing vulnerabilities | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#vulnerabilities |
| | | detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
policy/pap
Starting [Token-Permissions]
Starting [CII-Best-Practices]
Starting [Dependency-Update-Tool]
Starting [Signed-Releases]
Starting [Maintained]
Starting [Vulnerabilities]
Starting [Dangerous-Workflow]
Starting [Pinned-Dependencies]
Starting [License]
Starting [SAST]
Starting [Branch-Protection]
Starting [Security-Policy]
Starting [Code-Review]
Starting [Packaging]
Starting [Binary-Artifacts]
Starting [Contributors]
Starting [CI-Tests]
Starting [Fuzzing]
Finished [Pinned-Dependencies]
Finished [License]
Finished [SAST]
Finished [Branch-Protection]
Finished [Security-Policy]
Finished [Code-Review]
Finished [Packaging]
Finished [Binary-Artifacts]
Finished [Contributors]
Finished [CI-Tests]
Finished [Fuzzing]
Finished [Token-Permissions]
Finished [CII-Best-Practices]
Finished [Dependency-Update-Tool]
Finished [Signed-Releases]
Finished [Maintained]
Finished [Vulnerabilities]
Finished [Dangerous-Workflow]
RESULTS
-------
Aggregate score: 4.4 / 10
Check scores:
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Branch-Protection | branch protection not enabled | Warn: branch protection not | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#branch-protection |
| | | on development/release | enabled for branch 'master' | |
| | | branches | | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | CI-Tests | no pull request found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#ci-tests |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#cii-best-practices |
| | | best practices badge detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Code-Review | Found 0/30 approved changesets | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#code-review |
| | | -- score normalized to 0 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors | project has 3 contributing | Info: found contributions | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#contributors |
| | | companies or organizations -- | from: ericsson, | |
| | | score normalized to 10 | nephio-project, onap | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dangerous-workflow |
| | | detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected | Info: detected update | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dependency-update-tool |
| | | | tool: Dependabot: | |
| | | | .github/dependabot.yml:1 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed | Warn: no fuzzer integrations | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#fuzzing |
| | | | found | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10 | License | license file detected | Info: project has a license | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#license |
| | | | file: LICENSE.txt:0 Warn: | |
| | | | project license file does not | |
| | | | contain an FSF or OSI license. | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 3 / 10 | Maintained | 4 commit(s) and 0 issue | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#maintained |
| | | activity found in the last 90 | |
| | | days -- score normalized to 3 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Packaging | packaging workflow not | Warn: no GitHub/GitLab | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#packaging |
| | | detected | publishing workflow detected. | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Pinned-Dependencies | dependency not pinned by hash | Warn: GitHub-owned GitHubAction not pinned by hash: | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#pinned-dependencies |
| | | detected -- score normalized | .github/workflows/gerrit-pap-performance-test.yaml:75: update your workflow using | |
| | | to 0 | https://app.stepsecurity.io/secureworkflow/onap/policy-pap/gerrit-pap-performance-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-pap-performance-test.yaml:82: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-pap/gerrit-pap-performance-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-pap-performance-test.yaml:88: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-pap/gerrit-pap-performance-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-pap-stability-test.yaml:75: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-pap/gerrit-pap-stability-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-pap-stability-test.yaml:82: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-pap/gerrit-pap-stability-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-pap-stability-test.yaml:88: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-pap/gerrit-pap-stability-test.yaml/master?enable=pin | |
| | | | Warn: containerImage not pinned by hash: packages/policy-pap-docker/src/main/docker/Dockerfile:24 | |
| | | | Warn: containerImage not pinned by hash: packages/policy-pap-docker/src/main/docker/Dockerfile:29 | |
| | | | Warn: containerImage not pinned by hash: packages/policy-pap-docker/src/main/docker/suse.Dockerfile:22 | |
| | | | Warn: containerImage not pinned by hash: packages/policy-pap-docker/src/main/docker/suse.Dockerfile:27: | |
| | | | pin your Docker image by updating opensuse/leap:15.4 to | |
| | | | opensuse/leap:15.4@sha256:6b5d2aaf5dd15233269c9dc0de9a9e1c9585e46cdf9aaaaaeac1acb3091a3a74 Info: 0 out of | |
| | | | 6 GitHub-owned GitHubAction dependencies pinned Info: 0 out of 4 containerImage dependencies pinned | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | SAST | no SAST tool detected | Warn: no pull requests merged | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#sast |
| | | | into dev branch | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | Warn: no security policy file | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#security-policy |
| | | detected | detected Warn: no security | |
| | | | file to analyze Warn: no | |
| | | | security file to analyze Warn: | |
| | | | no security file to analyze | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#signed-releases |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Token-Permissions | detected GitHub workflow | Warn: no topLevel permission defined: | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#token-permissions |
| | | tokens with excessive | .github/workflows/gerrit-pap-performance-test.yaml:1 | |
| | | permissions | Warn: no topLevel permission defined: | |
| | | | .github/workflows/gerrit-pap-stability-test.yaml:1 | |
| | | | Info: no jobLevel write permissions found | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | 0 existing vulnerabilities | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#vulnerabilities |
| | | detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
policy/apex-pdp
Starting [Signed-Releases]
Starting [Packaging]
Starting [Maintained]
Starting [License]
Starting [Branch-Protection]
Starting [CI-Tests]
Starting [SAST]
Starting [Fuzzing]
Starting [Contributors]
Starting [Code-Review]
Starting [Token-Permissions]
Starting [Pinned-Dependencies]
Starting [Dangerous-Workflow]
Starting [Vulnerabilities]
Starting [CII-Best-Practices]
Starting [Binary-Artifacts]
Starting [Dependency-Update-Tool]
Starting [Security-Policy]
Aggregate score: 4.3 / 10
Check scores:
Finished [Pinned-Dependencies]
Finished [Dangerous-Workflow]
Finished [Vulnerabilities]
Finished [CII-Best-Practices]
Finished [Binary-Artifacts]
Finished [Dependency-Update-Tool]
Finished [Security-Policy]
Finished [Signed-Releases]
Finished [Packaging]
Finished [Maintained]
Finished [License]
Finished [Branch-Protection]
Finished [CI-Tests]
Finished [SAST]
Finished [Fuzzing]
Finished [Contributors]
Finished [Code-Review]
Finished [Token-Permissions]
RESULTS
-------
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Branch-Protection | branch protection not enabled | Warn: branch protection not | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#branch-protection |
| | | on development/release | enabled for branch 'master' | |
| | | branches | | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | CI-Tests | no pull request found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#ci-tests |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#cii-best-practices |
| | | best practices badge detected | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Code-Review | Found 0/30 approved changesets | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#code-review |
| | | -- score normalized to 0 | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors | project has 4 contributing | Info: found contributions | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#contributors |
| | | companies or organizations | from: bell canada, ericsson, | |
| | | | nephio-project, onap | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dangerous-workflow |
| | | detected | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected | Info: detected update | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dependency-update-tool |
| | | | tool: Dependabot: | |
| | | | .github/dependabot.yml:1 | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed | Warn: no fuzzer integrations | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#fuzzing |
| | | | found | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10 | License | license file detected | Info: project has a license | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#license |
| | | | file: LICENSE.txt:0 Warn: | |
| | | | project license file does not | |
| | | | contain an FSF or OSI license. | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 2 / 10 | Maintained | 3 commit(s) and 0 issue | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#maintained |
| | | activity found in the last 90 | |
| | | days -- score normalized to 2 | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Packaging | packaging workflow not | Warn: no GitHub/GitLab | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#packaging |
| | | detected | publishing workflow detected. | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Pinned-Dependencies | dependency not pinned by hash | Info: Possibly incomplete results: error parsing shell code: case statement must end with "esac": testsuites/run-s3p-test.sh:0 | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#pinned-dependencies |
| | | detected -- score normalized | Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/gerrit-apex-performance-test.yaml:75: update your workflow | |
| | | to 0 | using https://app.stepsecurity.io/secureworkflow/onap/policy-apex-pdp/gerrit-apex-performance-test.yaml/master?enable=pin Warn: | |
| | | | GitHub-owned GitHubAction not pinned by hash: .github/workflows/gerrit-apex-performance-test.yaml:82: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/onap/policy-apex-pdp/gerrit-apex-performance-test.yaml/master?enable=pin Warn: | |
| | | | GitHub-owned GitHubAction not pinned by hash: .github/workflows/gerrit-apex-performance-test.yaml:88: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/onap/policy-apex-pdp/gerrit-apex-performance-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/gerrit-apex-stability-test.yaml:75: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/onap/policy-apex-pdp/gerrit-apex-stability-test.yaml/master?enable=pin Warn: | |
| | | | GitHub-owned GitHubAction not pinned by hash: .github/workflows/gerrit-apex-stability-test.yaml:82: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/onap/policy-apex-pdp/gerrit-apex-stability-test.yaml/master?enable=pin Warn: | |
| | | | GitHub-owned GitHubAction not pinned by hash: .github/workflows/gerrit-apex-stability-test.yaml:88: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/onap/policy-apex-pdp/gerrit-apex-stability-test.yaml/master?enable=pin | |
| | | | Warn: containerImage not pinned by hash: packages/apex-pdp-docker/src/main/docker/Dockerfile:23 Warn: | |
| | | | containerImage not pinned by hash: packages/apex-pdp-docker/src/main/docker/Dockerfile:28 Warn: containerImage | |
| | | | not pinned by hash: packages/apex-pdp-docker/src/main/docker/suse.Dockerfile:21 Warn: containerImage not | |
| | | | pinned by hash: packages/apex-pdp-docker/src/main/docker/suse.Dockerfile:26: pin your Docker image by updating | |
| | | | opensuse/leap:15.4 to opensuse/leap:15.4@sha256:6b5d2aaf5dd15233269c9dc0de9a9e1c9585e46cdf9aaaaaeac1acb3091a3a74 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | packages/apex-pdp-package-full/src/main/package/examples/docker/MyFirstPolicy/1/MyFirstPolicyFile2StdoutJsonEvent.Dockerfile:26 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | packages/apex-pdp-package-full/src/main/package/examples/docker/MyFirstPolicy/1/MyFirstPolicyStdin2StdoutJsonEvent.Dockerfile:26 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | packages/apex-pdp-package-full/src/main/package/examples/docker/MyFirstPolicy/2/MyFirstPolicyFile2StdoutJsonEvent.Dockerfile:26 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | packages/apex-pdp-package-full/src/main/package/examples/docker/MyFirstPolicy/2/MyFirstPolicyStdin2StdoutJsonEvent.Dockerfile:26 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | packages/apex-pdp-package-full/src/main/package/examples/docker/SampleDomain/File2StdoutJsonEventJavascript.Dockerfile:25 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | packages/apex-pdp-package-full/src/main/package/examples/docker/SampleDomain/File2StdoutJsonEventMvel.Dockerfile:25 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | packages/apex-pdp-package-full/src/main/package/examples/docker/SampleDomain/Stdin2StdoutJsonEventJavascript.Dockerfile:25 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | packages/apex-pdp-package-full/src/main/package/examples/docker/SampleDomain/Stdin2StdoutJsonEventMvel.Dockerfile:25 Info: 0 | |
| | | | out of 6 GitHub-owned GitHubAction dependencies pinned Info: 0 out of 12 containerImage dependencies pinned | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | SAST | no SAST tool detected | Warn: no pull requests merged | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#sast |
| | | | into dev branch | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | Warn: no security policy file | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#security-policy |
| | | detected | detected Warn: no security | |
| | | | file to analyze Warn: no | |
| | | | security file to analyze Warn: | |
| | | | no security file to analyze | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#signed-releases |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Token-Permissions | detected GitHub workflow | Warn: no topLevel permission defined: | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#token-permissions |
| | | tokens with excessive | .github/workflows/gerrit-apex-performance-test.yaml:1 | |
| | | permissions | Warn: no topLevel permission defined: | |
| | | | .github/workflows/gerrit-apex-stability-test.yaml:1 | |
| | | | Info: no jobLevel write permissions found | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | 0 existing vulnerabilities | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#vulnerabilities |
| | | detected | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
policy/xacml-pdp
Starting [Branch-Protection]
Starting [Code-Review]
Starting [Vulnerabilities]
Starting [Token-Permissions]
Starting [Dangerous-Workflow]
Starting [CI-Tests]
Starting [Fuzzing]
Starting [Contributors]
Starting [Security-Policy]
Starting [SAST]
Starting [Signed-Releases]
Starting [CII-Best-Practices]
Starting [Binary-Artifacts]
Starting [License]
Starting [Dependency-Update-Tool]
Starting [Packaging]
Starting [Pinned-Dependencies]
Starting [Maintained]
Aggregate score: 4.4 / 10
Check scores:
Finished [Token-Permissions]
Finished [Dangerous-Workflow]
Finished [CI-Tests]
Finished [Fuzzing]
Finished [Contributors]
Finished [Security-Policy]
Finished [SAST]
Finished [Signed-Releases]
Finished [CII-Best-Practices]
Finished [Binary-Artifacts]
Finished [License]
Finished [Dependency-Update-Tool]
Finished [Packaging]
Finished [Pinned-Dependencies]
Finished [Maintained]
Finished [Branch-Protection]
Finished [Code-Review]
Finished [Vulnerabilities]
RESULTS
-------
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Branch-Protection | branch protection not enabled | Warn: branch protection not | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#branch-protection |
| | | on development/release | enabled for branch 'master' | |
| | | branches | | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | CI-Tests | no pull request found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#ci-tests |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#cii-best-practices |
| | | best practices badge detected | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Code-Review | Found 0/30 approved changesets | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#code-review |
| | | -- score normalized to 0 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors | project has 3 contributing | Info: found contributions | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#contributors |
| | | companies or organizations -- | from: ericsson, | |
| | | score normalized to 10 | nephio-project, onap | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dangerous-workflow |
| | | detected | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected | Info: detected update | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dependency-update-tool |
| | | | tool: Dependabot: | |
| | | | .github/dependabot.yml:1 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed | Warn: no fuzzer integrations | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#fuzzing |
| | | | found | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10 | License | license file detected | Info: project has a license | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#license |
| | | | file: LICENSE.txt:0 Warn: | |
| | | | project license file does not | |
| | | | contain an FSF or OSI license. | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 3 / 10 | Maintained | 4 commit(s) and 0 issue | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#maintained |
| | | activity found in the last 90 | |
| | | days -- score normalized to 3 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Packaging | packaging workflow not | Warn: no GitHub/GitLab | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#packaging |
| | | detected | publishing workflow detected. | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Pinned-Dependencies | dependency not pinned by hash | Info: Possibly incomplete results: error parsing shell code: case statement must end | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#pinned-dependencies |
| | | detected -- score normalized | with "esac": testsuites/run-s3p-test.sh:0 Warn: GitHub-owned GitHubAction not pinned by | |
| | | to 0 | hash: .github/workflows/gerrit-xacml-performance-test.yaml:75: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-xacml-pdp/gerrit-xacml-performance-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-xacml-performance-test.yaml:82: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-xacml-pdp/gerrit-xacml-performance-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-xacml-performance-test.yaml:88: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-xacml-pdp/gerrit-xacml-performance-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-xacml-stability-test.yaml:75: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-xacml-pdp/gerrit-xacml-stability-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-xacml-stability-test.yaml:82: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-xacml-pdp/gerrit-xacml-stability-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-xacml-stability-test.yaml:88: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-xacml-pdp/gerrit-xacml-stability-test.yaml/master?enable=pin | |
| | | | Warn: containerImage not pinned by hash: packages/policy-xacmlpdp-docker/src/main/docker/Dockerfile:23 Warn: | |
| | | | containerImage not pinned by hash: packages/policy-xacmlpdp-docker/src/main/docker/Dockerfile:28 Warn: containerImage | |
| | | | not pinned by hash: packages/policy-xacmlpdp-docker/src/main/docker/suse.Dockerfile:22 Warn: containerImage not | |
| | | | pinned by hash: packages/policy-xacmlpdp-docker/src/main/docker/suse.Dockerfile:27: pin your Docker image by updating | |
| | | | opensuse/leap:15.4 to opensuse/leap:15.4@sha256:6b5d2aaf5dd15233269c9dc0de9a9e1c9585e46cdf9aaaaaeac1acb3091a3a74 | |
| | | | Warn: containerImage not pinned by hash: tutorials/tutorial-xacml-application/src/main/docker/Dockerfile:3 Info: 0 | |
| | | | out of 6 GitHub-owned GitHubAction dependencies pinned Info: 0 out of 5 containerImage dependencies pinned | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | SAST | no SAST tool detected | Warn: no pull requests merged | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#sast |
| | | | into dev branch | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | Warn: no security policy file | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#security-policy |
| | | detected | detected Warn: no security | |
| | | | file to analyze Warn: no | |
| | | | security file to analyze Warn: | |
| | | | no security file to analyze | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#signed-releases |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Token-Permissions | detected GitHub workflow | Warn: no topLevel permission defined: | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#token-permissions |
| | | tokens with excessive | .github/workflows/gerrit-xacml-performance-test.yaml:1 | |
| | | permissions | Warn: no topLevel permission defined: | |
| | | | .github/workflows/gerrit-xacml-stability-test.yaml:1 | |
| | | | Info: no jobLevel write permissions found | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | 0 existing vulnerabilities | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#vulnerabilities |
| | | detected | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
policy/opa-pdp
Starting [Branch-Protection]
Starting [Vulnerabilities]
Starting [Maintained]
Starting [Token-Permissions]
Starting [Contributors]
Starting [CI-Tests]
Starting [CII-Best-Practices]
Starting [Dependency-Update-Tool]
Starting [License]
Starting [Binary-Artifacts]
Starting [Signed-Releases]
Starting [Security-Policy]
Starting [Code-Review]
Starting [Fuzzing]
Starting [Packaging]
Starting [Pinned-Dependencies]
Starting [SAST]
Starting [Dangerous-Workflow]
Finished [Dangerous-Workflow]
Finished [Branch-Protection]
Finished [Vulnerabilities]
Finished [Maintained]
Finished [Token-Permissions]
Finished [Contributors]
Finished [CI-Tests]
Finished [CII-Best-Practices]
Finished [Dependency-Update-Tool]
Finished [License]
Finished [Binary-Artifacts]
Finished [Signed-Releases]
Finished [Security-Policy]
Finished [Code-Review]
Finished [Fuzzing]
Finished [Packaging]
Finished [Pinned-Dependencies]
Finished [SAST]
Aggregate score: 3.5 / 10
Check scores:
RESULTS
-------
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Branch-Protection | branch protection not enabled | Warn: branch protection not | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#branch-protection |
| | | on development/release | enabled for branch 'master' | |
| | | branches | | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | CI-Tests | no pull request found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#ci-tests |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#cii-best-practices |
| | | best practices badge detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Code-Review | Found 0/30 approved changesets | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#code-review |
| | | -- score normalized to 0 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 3 / 10 | Contributors | project has 1 contributing | Info: found contributions | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#contributors |
| | | companies or organizations -- | from: linux foundation | |
| | | score normalized to 3 | modeseven | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dangerous-workflow |
| | | detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected | Info: detected update | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dependency-update-tool |
| | | | tool: Dependabot: | |
| | | | .github/dependabot.yml:1 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed | Warn: no fuzzer integrations | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#fuzzing |
| | | | found | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | License | license file not detected | Warn: project does not have a | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#license |
| | | | license file | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 3 / 10 | Maintained | 4 commit(s) and 0 issue | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#maintained |
| | | activity found in the last 90 | |
| | | days -- score normalized to 3 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Packaging | packaging workflow not | Warn: no GitHub/GitLab | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#packaging |
| | | detected | publishing workflow detected. | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Pinned-Dependencies | dependency not pinned by hash | Warn: GitHub-owned GitHubAction not pinned by hash: | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#pinned-dependencies |
| | | detected -- score normalized | .github/workflows/gerrit-opa-performance-test.yaml:79: update your workflow using | |
| | | to 0 | https://app.stepsecurity.io/secureworkflow/onap/policy-opa-pdp/gerrit-opa-performance-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-opa-performance-test.yaml:86: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-opa-pdp/gerrit-opa-performance-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-opa-performance-test.yaml:92: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-opa-pdp/gerrit-opa-performance-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-opa-stability-test.yaml:79: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-opa-pdp/gerrit-opa-stability-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-opa-stability-test.yaml:86: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-opa-pdp/gerrit-opa-stability-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-opa-stability-test.yaml:92: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-opa-pdp/gerrit-opa-stability-test.yaml/master?enable=pin | |
| | | | Warn: containerImage not pinned by hash: Dockerfile:19 | |
| | | | Warn: containerImage not pinned by hash: Dockerfile:24 | |
| | | | Warn: containerImage not pinned by hash: Dockerfile:56: pin your Docker image by updating ubuntu:24.04 to | |
| | | | ubuntu:24.04@sha256:353675e2a41babd526e2b837d7ec780c2a05bca0164f7ea5dbbd433d21d166fc | |
| | | | Info: 0 out of 6 GitHub-owned GitHubAction dependencies pinned | |
| | | | Info: 0 out of 3 containerImage dependencies pinned | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | SAST | no SAST tool detected | Warn: no pull requests merged | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#sast |
| | | | into dev branch | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | Warn: no security policy file detected | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#security-policy |
| | | detected | Warn: no security file to analyze | |
| | | | Warn: no security file to analyze | |
| | | | Warn: no security file to analyze | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#signed-releases |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Token-Permissions | detected GitHub workflow | Warn: jobLevel 'security-events' permission set to | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#token-permissions |
| | | tokens with excessive | 'write': .github/workflows/security-audits.yaml:43 | |
| | | permissions | Warn: no topLevel permission defined: | |
| | | | .github/workflows/gerrit-opa-performance-test.yaml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/gerrit-opa-stability-test.yaml:1 | |
| | | | Info: found token with 'none' permissions: | |
| | | | .github/workflows/security-audits.yaml:1 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 5 / 10 | Vulnerabilities | 5 existing vulnerabilities | Warn: Project is vulnerable to: GO-2025-3528 / GHSA-265r-hfxg-fhmg | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#vulnerabilities |
| | | detected | Warn: Project is vulnerable to: GO-2025-3660 / GHSA-6m8w-jc87-6cr7 | |
| | | | Warn: Project is vulnerable to: GO-2025-3487 / GHSA-hcg3-q754-cr77 | |
| | | | Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66 | |
| | | | Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
policy/drools-pdp
Starting [Code-Review]
Starting [Branch-Protection]
Starting [License]
Starting [SAST]
Starting [Binary-Artifacts]
Starting [Fuzzing]
Starting [Vulnerabilities]
Starting [Dangerous-Workflow]
Starting [CII-Best-Practices]
Starting [Contributors]
Starting [Signed-Releases]
Starting [Dependency-Update-Tool]
Starting [Maintained]
Starting [Pinned-Dependencies]
Starting [Security-Policy]
Starting [CI-Tests]
Starting [Packaging]
Starting [Token-Permissions]
Finished [Dependency-Update-Tool]
Finished [Maintained]
Finished [Pinned-Dependencies]
Finished [Security-Policy]
Finished [CI-Tests]
Finished [Packaging]
Finished [Token-Permissions]
Finished [Code-Review]
Finished [Branch-Protection]
Finished [License]
Finished [SAST]
Finished [Binary-Artifacts]
Finished [Fuzzing]
Finished [Vulnerabilities]
Finished [Dangerous-Workflow]
Finished [CII-Best-Practices]
Finished [Contributors]
Finished [Signed-Releases]
RESULTS
-------
Aggregate score: 4.1 / 10
Check scores:
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Branch-Protection | branch protection not enabled | Warn: branch protection not | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#branch-protection |
| | | on development/release | enabled for branch 'master' | |
| | | branches | | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | CI-Tests | no pull request found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#ci-tests |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#cii-best-practices |
| | | best practices badge detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Code-Review | Found 0/30 approved changesets | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#code-review |
| | | -- score normalized to 0 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors | project has 3 contributing | Info: found contributions | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#contributors |
| | | companies or organizations -- | from: ericsson, | |
| | | score normalized to 10 | nephio-project, onap | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Dangerous-Workflow | no workflows found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dangerous-workflow |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected | Info: detected update | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dependency-update-tool |
| | | | tool: Dependabot: | |
| | | | .github/dependabot.yml:1 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed | Warn: no fuzzer integrations | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#fuzzing |
| | | | found | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10 | License | license file detected | Info: project has a license | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#license |
| | | | file: LICENSE.txt:0 Warn: | |
| | | | project license file does not | |
| | | | contain an FSF or OSI license. | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 3 / 10 | Maintained | 4 commit(s) and 0 issue | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#maintained |
| | | activity found in the last 90 | |
| | | days -- score normalized to 3 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Packaging | packaging workflow not | Warn: no GitHub/GitLab | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#packaging |
| | | detected | publishing workflow detected. | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Pinned-Dependencies | dependency not pinned by hash | Warn: containerImage not pinned by hash: packages/docker/src/main/docker/Dockerfile:22 | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#pinned-dependencies |
| | | detected -- score normalized | Warn: containerImage not pinned by hash: packages/docker/src/main/docker/suse.Dockerfile:21: | |
| | | to 0 | pin your Docker image by updating opensuse/leap:15.4 to | |
| | | | opensuse/leap:15.4@sha256:6b5d2aaf5dd15233269c9dc0de9a9e1c9585e46cdf9aaaaaeac1acb3091a3a74 | |
| | | | Warn: pipCommand not pinned by hash: packages/docker/src/main/docker/suse.Dockerfile:54-71 | |
| | | | Warn: pipCommand not pinned by hash: packages/docker/src/main/docker/suse.Dockerfile:54-71 | |
| | | | Info: 0 out of 2 containerImage dependencies pinned | |
| | | | Info: 0 out of 2 pipCommand dependencies pinned | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | SAST | no SAST tool detected | Warn: no pull requests merged | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#sast |
| | | | into dev branch | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | Warn: no security policy file detected | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#security-policy |
| | | detected | Warn: no security file to analyze | |
| | | | Warn: no security file to analyze | |
| | | | Warn: no security file to analyze | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#signed-releases |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Token-Permissions | No tokens found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#token-permissions |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | 0 existing vulnerabilities | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#vulnerabilities |
| | | detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
policy/drools-applications
Starting [Packaging]
Starting [Branch-Protection]
Starting [Token-Permissions]
Starting [Maintained]
Starting [Security-Policy]
Starting [Dependency-Update-Tool]
Starting [CI-Tests]
Starting [Dangerous-Workflow]
Starting [Pinned-Dependencies]
Starting [Binary-Artifacts]
Starting [Contributors]
Starting [Vulnerabilities]
Starting [License]
Starting [CII-Best-Practices]
Starting [Signed-Releases]
Starting [Code-Review]
Starting [Fuzzing]
Starting [SAST]
Finished [Dependency-Update-Tool]
Finished [CI-Tests]
Finished [Dangerous-Workflow]
Finished [Pinned-Dependencies]
Finished [Binary-Artifacts]
Finished [Contributors]
Finished [Vulnerabilities]
Finished [License]
Finished [CII-Best-Practices]
Finished [Signed-Releases]
Finished [Code-Review]
Finished [Fuzzing]
Finished [SAST]
Finished [Packaging]
Finished [Branch-Protection]
Finished [Token-Permissions]
Finished [Maintained]
Finished [Security-Policy]
RESULTS
-------
Aggregate score: 4.4 / 10
Check scores:
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Branch-Protection | branch protection not enabled | Warn: branch protection not | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#branch-protection |
| | | on development/release | enabled for branch 'master' | |
| | | branches | | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | CI-Tests | no pull request found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#ci-tests |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#cii-best-practices |
| | | best practices badge detected | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Code-Review | Found 0/30 approved changesets | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#code-review |
| | | -- score normalized to 0 | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors | project has 4 contributing | Info: found contributions | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#contributors |
| | | companies or organizations | from: ericsson, huawei, | |
| | | | nephio-project, onap | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dangerous-workflow |
| | | detected | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected | Info: detected update | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dependency-update-tool |
| | | | tool: Dependabot: | |
| | | | .github/dependabot.yml:1 | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed | Warn: no fuzzer integrations | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#fuzzing |
| | | | found | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10 | License | license file detected | Info: project has a license | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#license |
| | | | file: LICENSE.txt:0 Warn: | |
| | | | project license file does not | |
| | | | contain an FSF or OSI license. | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 3 / 10 | Maintained | 4 commit(s) and 0 issue | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#maintained |
| | | activity found in the last 90 | |
| | | days -- score normalized to 3 | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Packaging | packaging workflow not | Warn: no GitHub/GitLab | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#packaging |
| | | detected | publishing workflow detected. | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Pinned-Dependencies | dependency not pinned by hash | Warn: GitHub-owned GitHubAction not pinned by hash: | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#pinned-dependencies |
| | | detected -- score normalized | .github/workflows/gerrit-drools-performance-test.yaml:75: update your workflow using | |
| | | to 0 | https://app.stepsecurity.io/secureworkflow/onap/policy-drools-applications/gerrit-drools-performance-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-drools-performance-test.yaml:82: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-drools-applications/gerrit-drools-performance-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-drools-performance-test.yaml:88: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-drools-applications/gerrit-drools-performance-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-drools-stability-test.yaml:75: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-drools-applications/gerrit-drools-stability-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-drools-stability-test.yaml:82: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-drools-applications/gerrit-drools-stability-test.yaml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/gerrit-drools-stability-test.yaml:88: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/onap/policy-drools-applications/gerrit-drools-stability-test.yaml/master?enable=pin | |
| | | | Warn: containerImage not pinned by hash: controlloop/packages/docker-controlloop/src/main/docker/Dockerfile:23 Info: 0 out of | |
| | | | 6 GitHub-owned GitHubAction dependencies pinned Info: 0 out of 1 containerImage dependencies pinned | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | SAST | no SAST tool detected | Warn: no pull requests merged | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#sast |
| | | | into dev branch | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | Warn: no security policy file | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#security-policy |
| | | detected | detected Warn: no security | |
| | | | file to analyze Warn: no | |
| | | | security file to analyze Warn: | |
| | | | no security file to analyze | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#signed-releases |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Token-Permissions | detected GitHub workflow | Warn: no topLevel permission defined: | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#token-permissions |
| | | tokens with excessive | .github/workflows/gerrit-drools-performance-test.yaml:1 | |
| | | permissions | Warn: no topLevel permission defined: | |
| | | | .github/workflows/gerrit-drools-stability-test.yaml:1 | |
| | | | Info: no jobLevel write permissions found | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | 0 existing vulnerabilities | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#vulnerabilities |
| | | detected | |
|---------|------------------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
policy/distribution
Starting [CII-Best-Practices]
Starting [Token-Permissions]
Starting [Dangerous-Workflow]
Starting [Pinned-Dependencies]
Starting [Binary-Artifacts]
Starting [License]
Starting [Contributors]
Starting [Branch-Protection]
Starting [Vulnerabilities]
Starting [Code-Review]
Starting [Fuzzing]
Starting [SAST]
Starting [Packaging]
Starting [Maintained]
Starting [Security-Policy]
Starting [Signed-Releases]
Starting [CI-Tests]
Starting [Dependency-Update-Tool]
Finished [CI-Tests]
Aggregate score: 2.8 / 10
Check scores:
Finished [Dependency-Update-Tool]
Finished [CII-Best-Practices]
Finished [Token-Permissions]
Finished [Dangerous-Workflow]
Finished [Pinned-Dependencies]
Finished [Binary-Artifacts]
Finished [License]
Finished [Contributors]
Finished [Branch-Protection]
Finished [Vulnerabilities]
Finished [Code-Review]
Finished [Fuzzing]
Finished [SAST]
Finished [Packaging]
Finished [Maintained]
Finished [Security-Policy]
Finished [Signed-Releases]
RESULTS
-------
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Branch-Protection | branch protection not enabled | Warn: branch protection not | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#branch-protection |
| | | on development/release | enabled for branch 'master' | |
| | | branches | | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | CI-Tests | no pull request found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#ci-tests |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#cii-best-practices |
| | | best practices badge detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Code-Review | Found 0/30 approved changesets | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#code-review |
| | | -- score normalized to 0 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors | project has 4 contributing | Info: found contributions | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#contributors |
| | | companies or organizations | from: ericsson, intel, | |
| | | | nephio-project, onap | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Dangerous-Workflow | no workflows found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dangerous-workflow |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Dependency-Update-Tool | no update tool detected | Warn: no dependency update | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#dependency-update-tool |
| | | | tool configurations found | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed | Warn: no fuzzer integrations | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#fuzzing |
| | | | found | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10 | License | license file detected | Info: project has a license | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#license |
| | | | file: LICENSE.txt:0 Warn: | |
| | | | project license file does not | |
| | | | contain an FSF or OSI license. | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 1 / 10 | Maintained | 2 commit(s) and 0 issue | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#maintained |
| | | activity found in the last 90 | |
| | | days -- score normalized to 1 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Packaging | packaging workflow not | Warn: no GitHub/GitLab | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#packaging |
| | | detected | publishing workflow detected. | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Pinned-Dependencies | dependency not pinned by hash | Warn: containerImage not pinned by hash: | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#pinned-dependencies |
| | | detected -- score normalized | packages/policy-distribution-docker/src/main/docker/Dockerfile:23 Warn: containerImage | |
| | | to 0 | not pinned by hash: packages/policy-distribution-docker/src/main/docker/Dockerfile:28 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | packages/policy-distribution-docker/src/main/docker/suse.Dockerfile:22 | |
| | | | Warn: containerImage not pinned by hash: | |
| | | | packages/policy-distribution-docker/src/main/docker/suse.Dockerfile:27: | |
| | | | pin your Docker image by updating opensuse/leap:15.4 to | |
| | | | opensuse/leap:15.4@sha256:6b5d2aaf5dd15233269c9dc0de9a9e1c9585e46cdf9aaaaaeac1acb3091a3a74 | |
| | | | Info: 0 out of 4 containerImage dependencies pinned | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | SAST | no SAST tool detected | Warn: no pull requests merged | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#sast |
| | | | into dev branch | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | Warn: no security policy file | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#security-policy |
| | | detected | detected Warn: no security | |
| | | | file to analyze Warn: no | |
| | | | security file to analyze Warn: | |
| | | | no security file to analyze | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#signed-releases |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Token-Permissions | No tokens found | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#token-permissions |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | 0 existing vulnerabilities | https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#vulnerabilities |
| | | detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
Useful links
Guide to checks:
https://github.com/ossf/scorecard/blob/main/docs/beginner-checks.md
What checks are performed:
https://github.com/ossf/scorecard?tab=readme-ov-file#scorecard-checks