An open API service providing repository metadata for many open source software ecosystems.

GitHub / Mailu / Mailu

Insular email distribution - mail server as Docker images

JSON API: http://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mailu%2FMailu
PURL: pkg:github/Mailu/Mailu

Stars: 6,736
Forks: 927
Open issues: 125

License: other
Language: Python
Size: 8.56 MB
Dependencies parsed at: Pending

Created at: over 9 years ago
Updated at: 13 days ago
Pushed at: 13 days ago
Last synced at: 13 days ago

Topics: dkim, dmarc, docker, docker-compose, email, fetchmail, imap, letsencrypt, mail, mailserver, pop3, smtp, webmail

Funding Links: https://funding.communitybridge.org/projects/mailu

OpenSSF Scorecard report

Overall Score: 4.2

10/10 Critical Risk
22/50 High Risk
3/40 Medium Risk
9/20 Low Risk
Generated on August 11, 2025 | Scorecard vv5.2.1-40-gf6ed084d
Security Checks
10/10
Code-Review
High Risk

all changesets reviewed

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

10/10
Dangerous-Workflow
Critical Risk

no dangerous workflow patterns detected

Determines if the project's GitHub Action workflows avoid dangerous patterns.

9/10
Binary-Artifacts
High Risk

binaries present in source code

Determines if the project has generated executable (binary) artifacts in the source repository.

⚠️ Warn: binary detected: tests/compose/filters/PotentiallyUnwanted.exe_:1
9/10
License
Low Risk

license file detected

Determines if the project has defined a license.

ℹ️ Info: project has a license file: LICENSE.md:0
⚠️ Warn: project license file does not contain an FSF or OSI license.
3/10
Maintained
High Risk

4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3

Determines if the project is "actively maintained".

3/10
Security-Policy
Medium Risk

security policy file detected

Determines if the project has published a security policy.

ℹ️ Info: security policy file detected: SECURITY.md:1
⚠️ Warn: no linked content found
⚠️ Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
ℹ️ Info: Found text in security policy: SECURITY.md:1
0/10
CII-Best-Practices
Low Risk

no effort to earn an OpenSSF best practices badge detected

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0/10
Fuzzing
Medium Risk

project is not fuzzed

Determines if the project uses fuzzing.

⚠️ Warn: no fuzzer integrations found
0/10
Pinned-Dependencies
Medium Risk

dependency not pinned by hash detected -- score normalized to 0

Determines if the project has declared and pinned the dependencies of its build process.

ℹ️ Info: Possibly incomplete results: error parsing shell code: expansions not allowed in heredoc words: .github/workflows/build_test_deploy.yml:578
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:117: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:126: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:127: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:129: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:132: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:151: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:192: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:201: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:202: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:205: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:225: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:269: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:278: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:279: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:281: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:284: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:303: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:347: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:356: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:357: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:360: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:380: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:430: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:439: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:440: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:442: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:444: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:451: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:479: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:488: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:489: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:491: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:493: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:500: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:542: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:548: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:600: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build_test_deploy.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/build_test_deploy.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/lock-closed-issues.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/lock-closed-issues.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/mirror.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/mirror.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/multiarch.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/Mailu/Mailu/multiarch.yml/master?enable=pin
⚠️ Warn: containerImage not pinned by hash: core/admin/Dockerfile:4
⚠️ Warn: containerImage not pinned by hash: core/admin/assets/Dockerfile:3: pin your Docker image by updating node:21-alpine3.18 to node:21-alpine3.18@sha256:7d4f2d7c22e5a9e08aad96880b5862eae2a38b4283443b74a991a01d59ca072b
⚠️ Warn: containerImage not pinned by hash: core/base/Dockerfile:7
⚠️ Warn: containerImage not pinned by hash: core/base/Dockerfile:27
⚠️ Warn: containerImage not pinned by hash: core/base/Dockerfile:74
⚠️ Warn: containerImage not pinned by hash: core/dovecot/Dockerfile:4
⚠️ Warn: containerImage not pinned by hash: core/nginx/Dockerfile:4
⚠️ Warn: containerImage not pinned by hash: core/nginx/Dockerfile:14
⚠️ Warn: containerImage not pinned by hash: core/none/Dockerfile:4
⚠️ Warn: containerImage not pinned by hash: core/oletools/Dockerfile:4
⚠️ Warn: containerImage not pinned by hash: core/postfix/Dockerfile:4
⚠️ Warn: containerImage not pinned by hash: core/rspamd/Dockerfile:4
⚠️ Warn: containerImage not pinned by hash: docs/Dockerfile:2
⚠️ Warn: containerImage not pinned by hash: docs/Dockerfile:28: pin your Docker image by updating nginx:1.25.5-alpine to nginx:1.25.5-alpine@sha256:516475cc129da42866742567714ddc681e5eed7b9ee0b9e9c015e464b4221a00
⚠️ Warn: containerImage not pinned by hash: optional/fetchmail/Dockerfile:4
⚠️ Warn: containerImage not pinned by hash: optional/radicale/Dockerfile:4
⚠️ Warn: containerImage not pinned by hash: optional/traefik-certdumper/Dockerfile:4: pin your Docker image by updating ldez/traefik-certs-dumper to ldez/traefik-certs-dumper@sha256:fcf105172378d14dc93d17169adf70bf75088625c2775daa5d4ce1ff42baf258
⚠️ Warn: containerImage not pinned by hash: optional/unbound/Dockerfile:4
⚠️ Warn: containerImage not pinned by hash: setup/Dockerfile:4
⚠️ Warn: containerImage not pinned by hash: webmails/Dockerfile:3
⚠️ Warn: npmCommand not pinned by hash: core/admin/assets/Dockerfile:9-18
⚠️ Warn: pipCommand not pinned by hash: core/base/Dockerfile:54-71
⚠️ Warn: pipCommand not pinned by hash: docs/Dockerfile:10-24
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/build_test_deploy.yml:456
⚠️ Warn: downloadThenRun not pinned by hash: .github/workflows/mirror.yml:35
ℹ️ Info: 0 out of 9 GitHub-owned GitHubAction dependencies pinned
ℹ️ Info: 0 out of 32 third-party GitHubAction dependencies pinned
ℹ️ Info: 0 out of 1 downloadThenRun dependencies pinned
ℹ️ Info: 0 out of 20 containerImage dependencies pinned
ℹ️ Info: 0 out of 1 npmCommand dependencies pinned
ℹ️ Info: 0 out of 3 pipCommand dependencies pinned
0/10
SAST
Medium Risk

SAST tool is not run on all commits -- score normalized to 0

Determines if the project uses static code analysis.

⚠️ Warn: 0 commits out of 30 are checked with a SAST tool
0/10
Token-Permissions
High Risk

detected GitHub workflow tokens with excessive permissions

Determines if the project's workflows follow the principle of least privilege.

ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/build_test_deploy.yml:114
⚠️ Warn: jobLevel 'packages' permission set to 'write': .github/workflows/build_test_deploy.yml:115
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/build_test_deploy.yml:189
⚠️ Warn: jobLevel 'packages' permission set to 'write': .github/workflows/build_test_deploy.yml:190
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/build_test_deploy.yml:266
⚠️ Warn: jobLevel 'packages' permission set to 'write': .github/workflows/build_test_deploy.yml:267
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/build_test_deploy.yml:344
⚠️ Warn: jobLevel 'packages' permission set to 'write': .github/workflows/build_test_deploy.yml:345
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/build_test_deploy.yml:414
ℹ️ Info: jobLevel 'packages' permission set to 'read': .github/workflows/build_test_deploy.yml:415
⚠️ Warn: no topLevel permission defined: .github/workflows/build_test_deploy.yml:1
⚠️ Warn: no topLevel permission defined: .github/workflows/mirror.yml:1
⚠️ Warn: no topLevel permission defined: .github/workflows/multiarch.yml:1
0/10
Vulnerabilities
High Risk

54 existing vulnerabilities detected

Determines if the project has open, known unfixed vulnerabilities.

N/A
Branch-Protection
Not Applicable

internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration

Determines if the default and release branches are protected with GitHub's branch protection settings.

N/A
Packaging
Not Applicable

packaging workflow not detected

Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.

⚠️ Warn: no GitHub/GitLab publishing workflow detected.
N/A
Signed-Releases
Not Applicable

no releases found

Determines if the project cryptographically signs release artifacts.