The dev.deps score card as of June 10th, with wakepy 0.9.1:
What could be improved
Code-Review 0/10
Determines if the project requires human code review before pull requests (aka merge requests) are merged.
REASONING
Found 0/30 approved changesets -- score normalized to 0
CII-Best-Practices 0/10
Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.
REASONING
no effort to earn an OpenSSF best practices badge detected
Signed-Releases 8/10
Determines if the project cryptographically signs release artifacts.
REASONING
4 out of the last 4 releases have a total of 4 signed artifacts.
details
Info: signed release artifact: wakepy-0.9.1-py3-none-any.whl.sigstore: https://api.github.com/repos/fohrloop/wakepy/releases/assets/171781020
Info: signed release artifact: wakepy-0.9.0.post1-py3-none-any.whl.sigstore: https://api.github.com/repos/fohrloop/wakepy/releases/assets/171304548
Info: signed release artifact: wakepy-0.9.0-py3-none-any.whl.sigstore: https://api.github.com/repos/fohrloop/wakepy/releases/assets/171019354
Info: signed release artifact: wakepy-0.8.0-py3-none-any.whl.sigstore: https://api.github.com/repos/fohrloop/wakepy/releases/assets/170194995
Warn: release artifact v0.9.1 does not have provenance: https://api.github.com/repos/fohrloop/wakepy/releases/158731098
Warn: release artifact v0.9.0.post1 does not have provenance: https://api.github.com/repos/fohrloop/wakepy/releases/158448965
Warn: release artifact v0.9.0 does not have provenance: https://api.github.com/repos/fohrloop/wakepy/releases/158250603
Warn: release artifact v0.8.0 does not have provenance: https://api.github.com/repos/fohrloop/wakepy/releases/157525888
Token-Permissions 0/10
Determines if the project's workflows follow the principle of least privilege.
REASONING
detected GitHub workflow tokens with excessive permissions
details
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:154
Info: topLevel 'security-events' permission set to 'read': .github/workflows/build-and-run-tests.yml:158
Warn: topLevel 'actions' permission set to 'write': .github/workflows/build-and-run-tests.yml:147
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:151
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:152
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:153
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:156
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:157
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:159
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:148
Info: topLevel 'contents' permission set to 'read': .github/workflows/build-and-run-tests.yml:149
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:150
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:155
Warn: no topLevel permission defined: .github/workflows/publish-a-release.yml:1
Info: no jobLevel write permissions found
Pinned-Dependencies 4/10
Determines if the project has declared and pinned the dependencies of its build process.
REASONING
dependency not pinned by hash detected -- score normalized to 4
details
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-and-run-tests.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/build-and-run-tests.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-and-run-tests.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/build-and-run-tests.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-and-run-tests.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/build-and-run-tests.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-and-run-tests.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/build-and-run-tests.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-and-run-tests.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/build-and-run-tests.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-and-run-tests.yml:124: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/build-and-run-tests.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-a-release.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/publish-a-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-a-release.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/publish-a-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-a-release.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/publish-a-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-a-release.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/publish-a-release.yml/main?enable=pin
Warn: pipCommand not pinned by hash: .github/workflows/build-and-run-tests.yml:85
Info: 4 out of 14 GitHub-owned GitHubAction dependencies pinned
Info: 2 out of 2 third-party GitHubAction dependencies pinned
Info: 0 out of 1 pipCommand dependencies pinned
Fuzzing 0/10
Determines if the project uses fuzzing.
REASONING
project is not fuzzed
details
Warn: no fuzzer integrations found
Security-Policy 0/10
Determines if the project has published a security policy.
REASONING
security policy file not detected
details
Warn: no security policy file detected
Warn: no security file to analyze
Warn: no security file to analyze
Warn: no security file to analyze
SAST 0/10
Determines if the project uses static code analysis.
REASONING
SAST tool is not run on all commits -- score normalized to 0
details
Warn: 0 commits out of 29 are checked with a SAST tool
Check if it's possible to improve the score at https://deps.dev/project/github/np-8%2Fwakepy (check if the link is correct after the 0.8.0 release)