fohrloop/wakepy

dev.deps score


Check if it's possible to improve the score at https://deps.dev/project/github/np-8%2Fwakepy (check if the link is correct after the 0.8.0 release)

The dev.deps score card as of June 10th, with wakepy 0.9.1:


What could be improved

Code-Review 0/10

Determines if the project requires human code review before pull requests (aka merge requests) are merged.
REASONING
Found 0/30 approved changesets -- score normalized to 0

CII-Best-Practices 0/10

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.
REASONING
no effort to earn an OpenSSF best practices badge detected

Signed-Releases 8/10

Determines if the project cryptographically signs release artifacts.
REASONING
4 out of the last 4 releases have a total of 4 signed artifacts.

details
Info: signed release artifact: wakepy-0.9.1-py3-none-any.whl.sigstore: https://api.github.com/repos/fohrloop/wakepy/releases/assets/171781020
Info: signed release artifact: wakepy-0.9.0.post1-py3-none-any.whl.sigstore: https://api.github.com/repos/fohrloop/wakepy/releases/assets/171304548
Info: signed release artifact: wakepy-0.9.0-py3-none-any.whl.sigstore: https://api.github.com/repos/fohrloop/wakepy/releases/assets/171019354
Info: signed release artifact: wakepy-0.8.0-py3-none-any.whl.sigstore: https://api.github.com/repos/fohrloop/wakepy/releases/assets/170194995
Warn: release artifact v0.9.1 does not have provenance: https://api.github.com/repos/fohrloop/wakepy/releases/158731098
Warn: release artifact v0.9.0.post1 does not have provenance: https://api.github.com/repos/fohrloop/wakepy/releases/158448965
Warn: release artifact v0.9.0 does not have provenance: https://api.github.com/repos/fohrloop/wakepy/releases/158250603
Warn: release artifact v0.8.0 does not have provenance: https://api.github.com/repos/fohrloop/wakepy/releases/157525888

Token-Permissions 0/10

Determines if the project's workflows follow the principle of least privilege.
REASONING
detected GitHub workflow tokens with excessive permissions

details
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:154
Info: topLevel 'security-events' permission set to 'read': .github/workflows/build-and-run-tests.yml:158
Warn: topLevel 'actions' permission set to 'write': .github/workflows/build-and-run-tests.yml:147
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:151
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:152
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:153
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:156
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:157
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:159
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:148
Info: topLevel 'contents' permission set to 'read': .github/workflows/build-and-run-tests.yml:149
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:150
Info: found token with 'none' permissions: .github/workflows/build-and-run-tests.yml:155
Warn: no topLevel permission defined: .github/workflows/publish-a-release.yml:1
Info: no jobLevel write permissions found

Pinned-Dependencies 4/10

Determines if the project has declared and pinned the dependencies of its build process.
REASONING
dependency not pinned by hash detected -- score normalized to 4

details
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-and-run-tests.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/build-and-run-tests.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-and-run-tests.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/build-and-run-tests.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-and-run-tests.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/build-and-run-tests.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-and-run-tests.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/build-and-run-tests.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-and-run-tests.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/build-and-run-tests.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-and-run-tests.yml:124: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/build-and-run-tests.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-a-release.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/publish-a-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-a-release.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/publish-a-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-a-release.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/publish-a-release.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-a-release.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/fohrloop/wakepy/publish-a-release.yml/main?enable=pin
Warn: pipCommand not pinned by hash: .github/workflows/build-and-run-tests.yml:85
Info: 4 out of 14 GitHub-owned GitHubAction dependencies pinned
Info: 2 out of 2 third-party GitHubAction dependencies pinned
Info: 0 out of 1 pipCommand dependencies pinned

Fuzzing 0/10

Determines if the project uses fuzzing.
REASONING
project is not fuzzed

details
Warn: no fuzzer integrations found

Security-Policy 0/10

Determines if the project has published a security policy.
REASONING
security policy file not detected

details
Warn: no security policy file detected
Warn: no security file to analyze
Warn: no security file to analyze
Warn: no security file to analyze

SAST 0/10

Determines if the project uses static code analysis.
REASONING
SAST tool is not run on all commits -- score normalized to 0

details
Warn: 0 commits out of 29 are checked with a SAST tool