An open API service providing repository metadata for many open source software ecosystems.

GitHub / RustPython / RustPython

A Python Interpreter written in Rust

JSON API: http://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RustPython%2FRustPython
PURL: pkg:github/RustPython/RustPython

Stars: 20,752
Forks: 1,358
Open issues: 443

License: mit
Language: Rust
Size: 71 MB
Dependencies parsed at: Pending

Created at: over 7 years ago
Updated at: 6 days ago
Pushed at: 6 days ago
Last synced at: 6 days ago

Commit Stats

Commits: 10340
Authors: 434
Mean commits per author: 23.82
Development Distribution Score: 0.818
More commit stats: https://commits.ecosyste.ms/hosts/GitHub/repositories/RustPython/RustPython

Topics: compiler, hacktoberfest, interpreter, jit, language, python-language, python3, rust, wasm

OpenSSF Scorecard report

Overall Score: 4.4

10/10 Critical Risk
30/60 High Risk
0/40 Medium Risk
10/20 Low Risk
Generated on August 11, 2025 | Scorecard vv5.2.1-40-gf6ed084d
Security Checks
10/10
Dangerous-Workflow
Critical Risk

no dangerous workflow patterns detected

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10/10
License
Low Risk

license file detected

Determines if the project has defined a license.

ℹ️ Info: project has a license file: LICENSE:0
ℹ️ Info: FSF or OSI recognized license: MIT License: LICENSE:0
10/10
Maintained
High Risk

30 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10

Determines if the project is "actively maintained".

8/10
Code-Review
High Risk

Found 21/25 approved changesets -- score normalized to 8

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

7/10
Binary-Artifacts
High Risk

binaries present in source code

Determines if the project has generated executable (binary) artifacts in the source repository.

⚠️ Warn: binary detected: Lib/ensurepip/_bundled/pip-23.2.1-py3-none-any.whl:1
⚠️ Warn: binary detected: Lib/test/test_importlib/data/example-21.12-py3-none-any.whl:1
⚠️ Warn: binary detected: Lib/test/test_importlib/data/example2-1.0.0-py3-none-any.whl:1
5/10
Vulnerabilities
High Risk

5 existing vulnerabilities detected

Determines if the project has open, known unfixed vulnerabilities.

⚠️ Warn: Project is vulnerable to: RUSTSEC-2024-0436
⚠️ Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
⚠️ Warn: Project is vulnerable to: GHSA-76c9-3jph-rj3q
⚠️ Warn: Project is vulnerable to: PYSEC-2022-43167
⚠️ Warn: Project is vulnerable to: PYSEC-2023-206
0/10
CII-Best-Practices
Low Risk

no effort to earn an OpenSSF best practices badge detected

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0/10
Fuzzing
Medium Risk

project is not fuzzed

Determines if the project uses fuzzing.

⚠️ Warn: no fuzzer integrations found
0/10
Pinned-Dependencies
Medium Risk

dependency not pinned by hash detected -- score normalized to 0

Determines if the project has declared and pinned the dependencies of its build process.

ℹ️ Info: Possibly incomplete results: error parsing shell code: invalid UTF-8 encoding: Lib/test/archivetestdata/exe_with_z64:0
ℹ️ Info: Possibly incomplete results: error parsing shell code: invalid UTF-8 encoding: Lib/test/archivetestdata/exe_with_zip:0
ℹ️ Info: Possibly incomplete results: error parsing shell code: invalid UTF-8 encoding: Lib/test/ziptestdata/exe_with_z64:0
ℹ️ Info: Possibly incomplete results: error parsing shell code: invalid UTF-8 encoding: Lib/test/ziptestdata/exe_with_zip:0
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:376: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:377: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:379: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:387: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:392: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:404: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:424: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:437: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:438: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:442: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:444: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:122: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:123: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:126: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:159: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:167: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:181: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:182: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:191: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:198: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:207: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:214: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:221: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:248: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:249: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:250: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:251: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:270: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:313: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:314: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:321: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:341: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yaml:354: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:356: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yaml:361: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/ci.yaml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cron-ci.yaml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/cron-ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/cron-ci.yaml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/cron-ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/cron-ci.yaml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/cron-ci.yaml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cron-ci.yaml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/cron-ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/cron-ci.yaml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/cron-ci.yaml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cron-ci.yaml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/cron-ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/cron-ci.yaml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/cron-ci.yaml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cron-ci.yaml:77: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/cron-ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/cron-ci.yaml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/cron-ci.yaml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cron-ci.yaml:79: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/cron-ci.yaml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cron-ci.yaml:115: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/cron-ci.yaml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/cron-ci.yaml:116: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/cron-ci.yaml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cron-ci.yaml:117: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/cron-ci.yaml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:92: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/release.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:93: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/release.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:104: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/release.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:111: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/release.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:112: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/release.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:130: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/release.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:142: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/release.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/release.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/release.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/release.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:84: update your workflow using https://app.stepsecurity.io/secureworkflow/RustPython/RustPython/release.yml/main?enable=pin
⚠️ Warn: containerImage not pinned by hash: .devcontainer/Dockerfile:1: pin your Docker image by updating mcr.microsoft.com/vscode/devcontainers/rust:1-bullseye to mcr.microsoft.com/vscode/devcontainers/rust:1-bullseye@sha256:6817e2f836956c5034933e52f305b6c1112b628d3fbad0e87f472a2839ad5fe0
⚠️ Warn: containerImage not pinned by hash: .gitpod.Dockerfile:1: pin your Docker image by updating gitpod/workspace-full to gitpod/workspace-full@sha256:b1195dfae7ee9a12a89d195247c3e1357cc6a18360a41473dbec67525ef434e2
⚠️ Warn: containerImage not pinned by hash: Dockerfile.bin:1
⚠️ Warn: containerImage not pinned by hash: Dockerfile.bin:9: pin your Docker image by updating debian:stable-slim to debian:stable-slim@sha256:377ddc2a20fe8632a49b69dcfff10fccbd5b4f0b8c2d593420a6a5e03070dfa1
⚠️ Warn: containerImage not pinned by hash: Dockerfile.wasm:1
⚠️ Warn: containerImage not pinned by hash: Dockerfile.wasm:17
⚠️ Warn: containerImage not pinned by hash: Dockerfile.wasm:28: pin your Docker image by updating nginx:alpine to nginx:alpine@sha256:d67ea0d64d518b1bb04acde3b00f722ac3e9764b3209a9b0a98924ba35e4b779
⚠️ Warn: downloadThenRun not pinned by hash: .gitpod.Dockerfile:6-12
⚠️ Warn: downloadThenRun not pinned by hash: Dockerfile.wasm:9-10
⚠️ Warn: npmCommand not pinned by hash: Dockerfile.wasm:25
⚠️ Warn: downloadThenRun not pinned by hash: .github/workflows/ci.yaml:382
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/ci.yaml:391
⚠️ Warn: npmCommand not pinned by hash: .github/workflows/ci.yaml:399
⚠️ Warn: npmCommand not pinned by hash: .github/workflows/ci.yaml:416
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/ci.yaml:275
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/ci.yaml:326
⚠️ Warn: npmCommand not pinned by hash: .github/workflows/ci.yaml:340
⚠️ Warn: downloadThenRun not pinned by hash: .github/workflows/release.yml:111
⚠️ Warn: npmCommand not pinned by hash: .github/workflows/release.yml:116
⚠️ Warn: npmCommand not pinned by hash: .github/workflows/release.yml:123
ℹ️ Info: 0 out of 25 GitHub-owned GitHubAction dependencies pinned
ℹ️ Info: 0 out of 34 third-party GitHubAction dependencies pinned
ℹ️ Info: 0 out of 7 containerImage dependencies pinned
ℹ️ Info: 0 out of 4 downloadThenRun dependencies pinned
ℹ️ Info: 0 out of 6 npmCommand dependencies pinned
ℹ️ Info: 0 out of 3 pipCommand dependencies pinned
0/10
SAST
Medium Risk

SAST tool is not run on all commits -- score normalized to 0

Determines if the project uses static code analysis.

⚠️ Warn: 0 commits out of 30 are checked with a SAST tool
0/10
Security-Policy
Medium Risk

security policy file not detected

Determines if the project has published a security policy.

⚠️ Warn: no security policy file detected
⚠️ Warn: no security file to analyze
0/10
Signed-Releases
High Risk

Project has not signed or included provenance with any releases.

Determines if the project cryptographically signs release artifacts.

⚠️ Warn: release artifact 2025-08-11-main-42 not signed: https://api.github.com/repos/RustPython/RustPython/releases/238948621
⚠️ Warn: release artifact 2025-08-04-main-41 not signed: https://api.github.com/repos/RustPython/RustPython/releases/237282796
⚠️ Warn: release artifact 2025-07-28-main-40 not signed: https://api.github.com/repos/RustPython/RustPython/releases/235575233
⚠️ Warn: release artifact 2025-07-21-main-39 not signed: https://api.github.com/repos/RustPython/RustPython/releases/233849104
⚠️ Warn: release artifact 2025-07-14-main-38 not signed: https://api.github.com/repos/RustPython/RustPython/releases/232163327
⚠️ Warn: release artifact 2025-08-11-main-42 does not have provenance: https://api.github.com/repos/RustPython/RustPython/releases/238948621
⚠️ Warn: release artifact 2025-08-04-main-41 does not have provenance: https://api.github.com/repos/RustPython/RustPython/releases/237282796
⚠️ Warn: release artifact 2025-07-28-main-40 does not have provenance: https://api.github.com/repos/RustPython/RustPython/releases/235575233
⚠️ Warn: release artifact 2025-07-21-main-39 does not have provenance: https://api.github.com/repos/RustPython/RustPython/releases/233849104
⚠️ Warn: release artifact 2025-07-14-main-38 does not have provenance: https://api.github.com/repos/RustPython/RustPython/releases/232163327
0/10
Token-Permissions
High Risk

detected GitHub workflow tokens with excessive permissions

Determines if the project's workflows follow the principle of least privilege.

⚠️ Warn: no topLevel permission defined: .github/workflows/ci.yaml:1
⚠️ Warn: no topLevel permission defined: .github/workflows/comment-commands.yml:1
⚠️ Warn: no topLevel permission defined: .github/workflows/cron-ci.yaml:1
⚠️ Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:16
ℹ️ Info: no jobLevel write permissions found
N/A
Branch-Protection
Not Applicable

internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration

Determines if the default and release branches are protected with GitHub's branch protection settings.

N/A
Packaging
Not Applicable

packaging workflow not detected

Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.

⚠️ Warn: no GitHub/GitLab publishing workflow detected.