An open API service providing repository metadata for many open source software ecosystems.

GitHub / aws-powertools / powertools-lambda-python

A developer toolkit to implement Serverless best practices and increase developer velocity.

JSON API: http://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aws-powertools%2Fpowertools-lambda-python
PURL: pkg:github/aws-powertools/powertools-lambda-python

Stars: 3,203
Forks: 465
Open issues: 60

License: mit-0
Language: Python
Size: 127 MB
Dependencies parsed at: Pending

Created at: about 6 years ago
Updated at: 3 days ago
Pushed at: about 22 hours ago
Last synced at: about 19 hours ago

Topics: aws, aws-lambda, lambda, python, serverless

OpenSSF Scorecard report

Overall Score: 8.9

10/10 Critical Risk
65/70 High Risk
39/50 Medium Risk
35/40 Low Risk
Generated on August 16, 2025 | Scorecard v5.2.1
Security Checks
10/10
Binary-Artifacts
High Risk

no binaries found in the repo

Determines if the project has generated executable (binary) artifacts in the source repository.

10/10
CI-Tests
Low Risk

30 out of 30 merged PRs checked by a CI test -- score normalized to 10

Determines if the project runs tests before pull requests are merged.

10/10
Code-Review
High Risk

all changesets reviewed

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

10/10
Contributors
Low Risk

project has 15 contributing companies or organizations

Determines if the project has a set of contributors from multiple organizations (e.g., companies).

ℹ️ Info: found contributions from: Cloud-Architects, adyen, amazon, apollographql, aws, aws-controllers-k8s, aws-powertools, aws-samples, cyberark, db systel gmbh, gyft, javalite, jenkinsci, virtasant, zimfw
10/10
Dangerous-Workflow
Critical Risk

no dangerous workflow patterns detected

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10/10
Dependency-Update-Tool
High Risk

update tool detected

Determines if the project uses a dependency update tool.

ℹ️ Info: detected update tool: Dependabot: .github/dependabot.yml:1
10/10
License
Low Risk

license file detected

Determines if the project has defined a license.

ℹ️ Info: project has a license file: LICENSE:0
ℹ️ Info: FSF or OSI recognized license: MIT No Attribution: LICENSE:0
10/10
Maintained
High Risk

30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10

Determines if the project is "actively maintained".

10/10
Packaging
Medium Risk

packaging workflow detected

Determines if the project is published as a package that others can easily download, install, update, and uninstall.

ℹ️ Info: Project packages its releases by way of GitHub Actions.: .github/workflows/pre-release.yml:213
10/10
SAST
Medium Risk

SAST tool is run on all commits

Determines if the project uses static code analysis.

ℹ️ Info: SAST configuration detected: CodeQL
ℹ️ Info: all commits (30) are checked with a SAST tool
10/10
Security-Policy
Medium Risk

security policy file detected

Determines if the project has published a security policy.

ℹ️ Info: security policy file detected: SECURITY.md:1
ℹ️ Info: Found linked content: SECURITY.md:1
ℹ️ Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
ℹ️ Info: Found text in security policy: SECURITY.md:1
10/10
Signed-Releases
High Risk

4 out of the last 4 releases have a total of 4 signed artifacts.

Determines if the project cryptographically signs release artifacts.

ℹ️ Info: provenance for release artifact: multiple.intoto.jsonl: https://github.com/aws-powertools/powertools-lambda-python/releases/tag/v3.19.0
ℹ️ Info: provenance for release artifact: multiple.intoto.jsonl: https://github.com/aws-powertools/powertools-lambda-python/releases/tag/v3.17.1
ℹ️ Info: provenance for release artifact: multiple.intoto.jsonl: https://github.com/aws-powertools/powertools-lambda-python/releases/tag/v3.17.0
ℹ️ Info: provenance for release artifact: multiple.intoto.jsonl: https://github.com/aws-powertools/powertools-lambda-python/releases/tag/v3.16.0
9/10
Pinned-Dependencies
Medium Risk

dependency not pinned by hash detected -- score normalized to 9

Determines if the project has declared and pinned the dependencies of its build process.

ℹ️ Info: Possibly incomplete results: error parsing shell code: invalid parameter name: .github/workflows/layers_partition_verify.yml:150
⚠️ Warn: containerImage not pinned by hash: layer_v3/docker/Dockerfile:4
⚠️ Warn: containerImage not pinned by hash: layer_v3/docker/Dockerfile:7
⚠️ Warn: pipCommand not pinned by hash: layer_v3/docker/Dockerfile:30
⚠️ Warn: pipCommand not pinned by hash: layer_v3/docker/Dockerfile:30
⚠️ Warn: pipCommand not pinned by hash: layer_v3/docker/Dockerfile:32
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/quality_code_cdk_constructor.yml:67
ℹ️ Info: 85 out of 85 GitHub-owned GitHubAction dependencies pinned
ℹ️ Info: 33 out of 33 third-party GitHubAction dependencies pinned
ℹ️ Info: 2 out of 4 containerImage dependencies pinned
ℹ️ Info: 6 out of 10 pipCommand dependencies pinned
ℹ️ Info: 1 out of 1 goCommand dependencies pinned
ℹ️ Info: 3 out of 3 npmCommand dependencies pinned
9/10
Token-Permissions
High Risk

detected GitHub workflow tokens with excessive permissions

Determines if the project's workflows follow the principle of least privilege.

ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/bootstrap_region.yml:42
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/bootstrap_region.yml:78
⚠️ Warn: jobLevel 'contents' permission set to 'write': .github/workflows/build_changelog.yml:29
ℹ️ Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:27
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:19
ℹ️ Info: jobLevel 'actions' permission set to 'read': .github/workflows/dispatch_analytics.yml:32
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/dispatch_analytics.yml:34
ℹ️ Info: jobLevel 'discussions' permission set to 'read': .github/workflows/dispatch_analytics.yml:37
ℹ️ Info: jobLevel 'security-events' permission set to 'read': .github/workflows/dispatch_analytics.yml:42
ℹ️ Info: jobLevel 'statuses' permission set to 'read': .github/workflows/dispatch_analytics.yml:43
ℹ️ Info: jobLevel 'checks' permission set to 'read': .github/workflows/dispatch_analytics.yml:33
ℹ️ Info: jobLevel 'deployments' permission set to 'read': .github/workflows/dispatch_analytics.yml:35
ℹ️ Info: jobLevel 'issues' permission set to 'read': .github/workflows/dispatch_analytics.yml:36
ℹ️ Info: jobLevel 'packages' permission set to 'read': .github/workflows/dispatch_analytics.yml:38
ℹ️ Info: jobLevel 'pages' permission set to 'read': .github/workflows/dispatch_analytics.yml:39
ℹ️ Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/dispatch_analytics.yml:40
ℹ️ Info: jobLevel 'repository-projects' permission set to 'read': .github/workflows/dispatch_analytics.yml:41
ℹ️ Info: jobLevel 'actions' permission set to 'read': .github/workflows/label_pr_on_title.yml:35
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/label_pr_on_title.yml:36
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/layer_govcloud.yml:160
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/layer_govcloud.yml:47
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/layer_govcloud.yml:92
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/layer_govcloud_python313.yml:47
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/layer_govcloud_python313.yml:88
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/layer_govcloud_python313.yml:152
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/layer_govcloud_verify.yml:27
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/layer_govcloud_verify.yml:57
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/layer_govcloud_verify.yml:88
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/layers_partition_verify.yml:75
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/layers_partition_verify.yml:115
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/layers_partitions.yml:72
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/layers_partitions.yml:119
ℹ️ Info: jobLevel 'actions' permission set to 'read': .github/workflows/on_label_added.yml:34
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/on_label_added.yml:35
ℹ️ Info: jobLevel 'actions' permission set to 'read': .github/workflows/on_merged_pr.yml:35
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/on_merged_pr.yml:36
ℹ️ Info: jobLevel 'actions' permission set to 'read': .github/workflows/on_opened_pr.yml:35
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/on_opened_pr.yml:36
⚠️ Warn: jobLevel 'contents' permission set to 'write': .github/workflows/on_push_docs.yml:29
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/on_schedule_monthly_roadmap_reminder.yml:15
ℹ️ Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/on_schedule_monthly_roadmap_reminder.yml:16
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/pre-release.yml:55
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/pre-release.yml:110
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/pre-release.yml:147
ℹ️ Info: jobLevel 'actions' permission set to 'read': .github/workflows/pre-release.yml:199
⚠️ Warn: jobLevel 'contents' permission set to 'write': .github/workflows/publish_v3_layer.yml:315
ℹ️ Info: found token with 'none' permissions: .github/workflows/publish_v3_layer.yml:317
ℹ️ Info: found token with 'none' permissions: .github/workflows/publish_v3_layer.yml:100
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/publish_v3_layer.yml:97
ℹ️ Info: found token with 'none' permissions: .github/workflows/publish_v3_layer.yml:99
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/publish_v3_layer.yml:181
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/publish_v3_layer.yml:198
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/publish_v3_layer.yml:214
ℹ️ Info: found token with 'none' permissions: .github/workflows/publish_v3_layer.yml:215
ℹ️ Info: found token with 'none' permissions: .github/workflows/publish_v3_layer.yml:216
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/publish_v3_layer.yml:231
ℹ️ Info: found token with 'none' permissions: .github/workflows/publish_v3_layer.yml:232
ℹ️ Info: found token with 'none' permissions: .github/workflows/publish_v3_layer.yml:233
⚠️ Warn: jobLevel 'contents' permission set to 'write': .github/workflows/publish_v3_layer.yml:260
ℹ️ Info: found token with 'none' permissions: .github/workflows/publish_v3_layer.yml:262
ℹ️ Info: found token with 'none' permissions: .github/workflows/publish_v3_layer.yml:263
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/publish_v3_layer.yml:295
ℹ️ Info: found token with 'none' permissions: .github/workflows/publish_v3_layer.yml:296
ℹ️ Info: found token with 'none' permissions: .github/workflows/publish_v3_layer.yml:297
ℹ️ Info: found token with 'none' permissions: .github/workflows/publish_v3_layer.yml:298
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/quality_check.yml:53
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/quality_check_docs.yml:36
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/quality_code_cdk_constructor.yml:40
⚠️ Warn: jobLevel 'contents' permission set to 'write': .github/workflows/rebuild_latest_docs.yml:32
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/record_pr.yml:47
⚠️ Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release-drafter.yml:28
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/release-v3.yml:363
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/release-v3.yml:124
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/release-v3.yml:161
ℹ️ Info: jobLevel 'actions' permission set to 'read': .github/workflows/release-v3.yml:213
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/release-v3.yml:392
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/release-v3.yml:79
ℹ️ Info: found token with 'none' permissions: .github/workflows/reusable_deploy_v3_layer_stack.yml:64
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/reusable_deploy_v3_layer_stack.yml:65
ℹ️ Info: found token with 'none' permissions: .github/workflows/reusable_deploy_v3_layer_stack.yml:66
ℹ️ Info: jobLevel 'actions' permission set to 'read': .github/workflows/reusable_export_pr_details.yml:62
⚠️ Warn: jobLevel 'contents' permission set to 'write': .github/workflows/reusable_publish_changelog.yml:25
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/run-e2e-tests.yml:47
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/secure_workflows.yml:30
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/update_ssm.yml:85
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/bootstrap_region.yml:35
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/build_changelog.yml:24
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:18
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:13
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/dispatch_analytics.yml:20
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/label_pr_on_title.yml:30
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/layer_govcloud.yml:40
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/layer_govcloud_python313.yml:40
⚠️ Warn: no topLevel permission defined: .github/workflows/layer_govcloud_verify.yml:1
ℹ️ Info: found token with 'none' permissions: .github/workflows/layers_partition_verify.yml:1
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/layers_partitions.yml:44
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/on_label_added.yml:29
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/on_merged_pr.yml:30
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/on_opened_pr.yml:30
ℹ️ Info: found token with 'none' permissions: .github/workflows/on_pr_updates.yml:1
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/on_push_docs.yml:24
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/on_schedule_monthly_roadmap_reminder.yml:9
ℹ️ Info: topLevel permissions set to 'read-all': .github/workflows/ossf_scorecard.yml:12
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/pre-release.yml:41
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/publish_v3_layer.yml:87
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/quality_check.yml:41
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/quality_check_docs.yml:30
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/quality_code_cdk_constructor.yml:28
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/rebuild_latest_docs.yml:27
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/record_pr.yml:41
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/release-drafter.yml:22
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/release-v3.yml:68
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/reusable_deploy_v3_layer_stack.yml:52
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/reusable_deploy_v3_sar.yml:35
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/reusable_export_pr_details.yml:57
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/reusable_publish_changelog.yml:14
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/reusable_publish_docs.yml:31
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/run-e2e-tests.yml:40
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/secure_workflows.yml:23
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/update_ssm.yml:69
6/10
Vulnerabilities
High Risk

4 existing vulnerabilities detected

Determines if the project has open, known unfixed vulnerabilities.

⚠️ Warn: Project is vulnerable to: PYSEC-2024-187 / GHSA-rqc4-2hc7-8c8v
⚠️ Warn: Project is vulnerable to: GHSA-9hjg-9r4m-mvj7
⚠️ Warn: Project is vulnerable to: GHSA-pq67-6m6q-mj2v
⚠️ Warn: Project is vulnerable to: GHSA-79v4-65xg-pq4g
5/10
CII-Best-Practices
Low Risk

badge detected: Passing

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0/10
Fuzzing
Medium Risk

project is not fuzzed

Determines if the project uses fuzzing.

⚠️ Warn: no fuzzer integrations found
N/A
Branch-Protection
Not Applicable

internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by personal access token

Determines if the default and release branches are protected with GitHub's branch protection settings.