no binaries found in the repo
Determines if the project has generated executable (binary) artifacts in the source repository.
no dangerous workflow patterns detected
Determines if the project's GitHub Action workflows avoid dangerous patterns.
license file detected
Determines if the project has defined a license.
Show details
ℹ️
Info: project has a license file: LICENSE:0
ℹ️
Info: FSF or OSI recognized license: MIT License: LICENSE:0
0 existing vulnerabilities detected
Determines if the project has open, known unfixed vulnerabilities.
Found 4/6 approved changesets -- score normalized to 6
Determines if the project requires human code review before pull requests (aka merge requests) are merged.
branch protection not enabled on development/release branches
Determines if the default and release branches are protected with GitHub's branch protection settings.
Show details
⚠️
Warn: branch protection not enabled for branch 'main'
no effort to earn an OpenSSF best practices badge detected
Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.
project is not fuzzed
Determines if the project uses fuzzing.
Show details
⚠️
Warn: no fuzzer integrations found
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Determines if the project is "actively maintained".
dependency not pinned by hash detected -- score normalized to 0
Determines if the project has declared and pinned the dependencies of its build process.
Show details
⚠️
Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/circuitpython/CircuitPython_Org_DisplayIO_Cartesian/build.yml/main?enable=pin
⚠️
Warn: third-party GitHubAction not pinned by hash: .github/workflows/failure-help-text.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/circuitpython/CircuitPython_Org_DisplayIO_Cartesian/failure-help-text.yml/main?enable=pin
⚠️
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release_gh.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/circuitpython/CircuitPython_Org_DisplayIO_Cartesian/release_gh.yml/main?enable=pin
⚠️
Warn: third-party GitHubAction not pinned by hash: .github/workflows/release_pypi.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/circuitpython/CircuitPython_Org_DisplayIO_Cartesian/release_pypi.yml/main?enable=pin
ℹ️
Info: 0 out of 4 third-party GitHubAction dependencies pinned
SAST tool is not run on all commits -- score normalized to 0
Determines if the project uses static code analysis.
Show details
⚠️
Warn: 0 commits out of 30 are checked with a SAST tool
security policy file not detected
Determines if the project has published a security policy.
Show details
⚠️
Warn: no security policy file detected
⚠️
Warn: no security file to analyze
⚠️
Warn: no security file to analyze
⚠️
Warn: no security file to analyze
Project has not signed or included provenance with any releases.
Determines if the project cryptographically signs release artifacts.
Show details
⚠️
Warn: release artifact 0.5.0 not signed: https://api.github.com/repos/circuitpython/CircuitPython_Org_DisplayIO_Cartesian/releases/214857848
⚠️
Warn: release artifact 0.4.0 not signed: https://api.github.com/repos/circuitpython/CircuitPython_Org_DisplayIO_Cartesian/releases/214845192
⚠️
Warn: release artifact 0.3.0 not signed: https://api.github.com/repos/circuitpython/CircuitPython_Org_DisplayIO_Cartesian/releases/61714896
⚠️
Warn: release artifact 0.2.0 not signed: https://api.github.com/repos/circuitpython/CircuitPython_Org_DisplayIO_Cartesian/releases/59957453
⚠️
Warn: release artifact 0.1.0 not signed: https://api.github.com/repos/circuitpython/CircuitPython_Org_DisplayIO_Cartesian/releases/45728097
⚠️
Warn: release artifact 0.5.0 does not have provenance: https://api.github.com/repos/circuitpython/CircuitPython_Org_DisplayIO_Cartesian/releases/214857848
⚠️
Warn: release artifact 0.4.0 does not have provenance: https://api.github.com/repos/circuitpython/CircuitPython_Org_DisplayIO_Cartesian/releases/214845192
⚠️
Warn: release artifact 0.3.0 does not have provenance: https://api.github.com/repos/circuitpython/CircuitPython_Org_DisplayIO_Cartesian/releases/61714896
⚠️
Warn: release artifact 0.2.0 does not have provenance: https://api.github.com/repos/circuitpython/CircuitPython_Org_DisplayIO_Cartesian/releases/59957453
⚠️
Warn: release artifact 0.1.0 does not have provenance: https://api.github.com/repos/circuitpython/CircuitPython_Org_DisplayIO_Cartesian/releases/45728097
detected GitHub workflow tokens with excessive permissions
Determines if the project's workflows follow the principle of least privilege.
Show details
⚠️
Warn: no topLevel permission defined: .github/workflows/build.yml:1
⚠️
Warn: no topLevel permission defined: .github/workflows/failure-help-text.yml:1
⚠️
Warn: no topLevel permission defined: .github/workflows/release_gh.yml:1
⚠️
Warn: no topLevel permission defined: .github/workflows/release_pypi.yml:1
ℹ️
Info: no jobLevel write permissions found
packaging workflow not detected
Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.
Show details
⚠️
Warn: no GitHub/GitLab publishing workflow detected.