An open API service providing repository metadata for many open source software ecosystems.

GitHub / commit-check / commit-check

Commit Check enforces commit metadata standards, including commit message, branch naming, committer name/email and more.

JSON API: http://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/commit-check%2Fcommit-check
PURL: pkg:github/commit-check/commit-check

Stars: 30
Forks: 7
Open issues: 6

License: mit
Language: Python
Size: 41.6 MB
Dependencies parsed at: Pending

Created at: over 3 years ago
Updated at: 4 days ago
Pushed at: 4 days ago
Last synced at: 4 days ago

Topics: branch-naming, commit-check, conventional-branch, conventional-commits, naming-conventions, standard-naming, yet-another-commit-checker

Funding links: https://github.com/sponsors/shenxianpeng

OpenSSF Scorecard report

Overall score: 5.6

Points by risk tier: Critical 10/10, High 40/70, Medium 22/50, Low 15/40

Generated on October 30, 2023 | Scorecard v4.13.1
Security Checks
10/10
Binary-Artifacts
High Risk

no binaries found in the repo

Determines if the project has generated executable (binary) artifacts in the source repository.

10/10
Dangerous-Workflow
Critical Risk

no dangerous workflow patterns detected

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10/10
Dependency-Update-Tool
High Risk

update tool detected

Determines if the project uses a dependency update tool.

ℹ️ Info: tool 'Dependabot' is used: .github/dependabot.yml:1
10/10
License
Low Risk

license file detected

Determines if the project has defined a license.

ℹ️ Info: License file found in expected location: LICENSE:1
ℹ️ Info: FSF or OSI recognized license: LICENSE:1
10/10
Packaging
Medium Risk

publishing workflow detected

Determines if the project is published as a package that others can easily download, install, update, and uninstall.

ℹ️ Info: GitHub/GitLab publishing workflow used in run https://api.github.com/repos/commit-check/commit-check/actions/runs/4060488099: .github/workflows/publish-image.yml:12
10/10
SAST
Medium Risk

SAST tool is run on all commits

Determines if the project uses static code analysis.

ℹ️ Info: all commits (28) are checked with a SAST tool
⚠️ Warn: CodeQL tool not detected
10/10
Vulnerabilities
High Risk

no vulnerabilities detected

Determines if the project has open, known unfixed vulnerabilities.

9/10
Maintained
High Risk

11 commit(s) out of 30 and 0 issue activity out of 27 found in the last 90 days -- score normalized to 9

Determines if the project is "actively maintained".

5/10
CI-Tests
Low Risk

16 out of 28 merged PRs checked by a CI test -- score normalized to 5

Determines if the project runs tests before pull requests are merged.

2/10
Pinned-Dependencies
Medium Risk

dependency not pinned by hash detected -- score normalized to 2

Determines if the project has declared and pinned the dependencies of its build process.

⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/commit-check/commit-check/main.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/commit-check/commit-check/main.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:73: update your workflow using https://app.stepsecurity.io/secureworkflow/commit-check/commit-check/main.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:86: update your workflow using https://app.stepsecurity.io/secureworkflow/commit-check/commit-check/main.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:87: update your workflow using https://app.stepsecurity.io/secureworkflow/commit-check/commit-check/main.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:97: update your workflow using https://app.stepsecurity.io/secureworkflow/commit-check/commit-check/main.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:105: update your workflow using https://app.stepsecurity.io/secureworkflow/commit-check/commit-check/main.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/commit-check/commit-check/main.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/commit-check/commit-check/main.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/commit-check/commit-check/main.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/commit-check/commit-check/main.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-image.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/commit-check/commit-check/publish-image.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-package.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/commit-check/commit-check/publish-package.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-package.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/commit-check/commit-check/publish-package.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/commit-check/commit-check/scorecard.yml/main?enable=pin
⚠️ Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating python:3.12-slim to python:3.12-slim@sha256:babc0d450bf9ed2b369814bc2f466e53a6ea43f1201f6df4e7988751f755c52c
⚠️ Warn: pipCommand not pinned by hash: Dockerfile:13-17
⚠️ Warn: pipCommand not pinned by hash: Dockerfile:13-17
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/main.yml:26
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/main.yml:27
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/main.yml:91
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/publish-package.yml:24
ℹ️ Info: 2 out of 15 GitHub-owned GitHubAction dependencies pinned
ℹ️ Info: 1 out of 3 third-party GitHubAction dependencies pinned
ℹ️ Info: 0 out of 1 containerImage dependencies pinned
ℹ️ Info: 2 out of 8 pipCommand dependencies pinned
1/10
Code-Review
High Risk

found 5 unreviewed changesets out of 6 -- score normalized to 1

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

0/10
Branch-Protection
High Risk

branch protection not enabled on development/release branches

Determines if the default and release branches are protected with GitHub's branch protection settings.

⚠️ Warn: branch protection not enabled for branch 'main'
0/10
CII-Best-Practices
Low Risk

no effort to earn an OpenSSF best practices badge detected

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0/10
Contributors
Low Risk

0 different organizations found -- score normalized to 0

Determines if the project has a set of contributors from multiple organizations (e.g., companies).

⚠️ Warn: no contributors have an org or company
0/10
Fuzzing
Medium Risk

project is not fuzzed

Determines if the project uses fuzzing.

⚠️ Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project. Over time, try to add fuzzing for more functionalities of your project. (High effort)
⚠️ Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project. Over time, try to add fuzzing for more functionalities of your project. (High effort)
⚠️ Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
⚠️ Warn: no PythonAtherisFuzzer integration found: Follow the steps in https://github.com/google/atheris to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
⚠️ Warn: no CLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
⚠️ Warn: no CppLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
⚠️ Warn: no SwiftLibFuzzer integration found: Follow the steps in https://google.github.io/oss-fuzz/getting-started/new-project-guide/swift-lang/ to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
⚠️ Warn: no RustCargoFuzzer integration found: Follow the steps in https://rust-fuzz.github.io/book/cargo-fuzz.html to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
⚠️ Warn: no JavaJazzerFuzzer integration found: Follow the steps in https://github.com/CodeIntelligenceTesting/jazzer to enable fuzzing on your project. Over time, try to add fuzzing for more functionalities of your project. (Medium effort)
⚠️ Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI. Over time, try to add fuzzing for more functionalities of your project. (High effort)
⚠️ Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project: QuickCheck: https://hackage.haskell.org/package/QuickCheck hedgehog: https://hedgehog.qa/ validity: https://github.com/NorfairKing/validity smallcheck: https://hackage.haskell.org/package/smallcheck hspec: https://hspec.github.io/ tasty: https://hackage.haskell.org/package/tasty (High effort)
⚠️ Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)
⚠️ Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)
0/10
Security-Policy
Medium Risk

security policy file not detected

Determines if the project has published a security policy.

⚠️ Warn: no security policy file detected: On GitHub: Enable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities. On GitLab: Add a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project. Examples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. For additional information on vulnerability disclosure, see https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md. (Medium effort)
⚠️ Warn: no security file to analyze: On GitHub: Enable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities. On GitLab: Provide a point of contact in your SECURITY.md. Examples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)
⚠️ Warn: no security file to analyze: On GitHub: Enable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository Add a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities. On GitLab: Add a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project. Examples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)
0/10
Token-Permissions
High Risk

detected GitHub workflow tokens with excessive permissions

Determines if the project's workflows follow the principle of least privilege.

⚠️ Warn: no topLevel permission defined: .github/workflows/main.yml:1: Visit https://app.stepsecurity.io/secureworkflow/commit-check/commit-check/main.yml/main?enable=permissions Tick the 'Restrict permissions for GITHUB_TOKEN' Untick other options NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)
⚠️ Warn: no topLevel permission defined: .github/workflows/publish-image.yml:1: Visit https://app.stepsecurity.io/secureworkflow/commit-check/commit-check/publish-image.yml/main?enable=permissions Tick the 'Restrict permissions for GITHUB_TOKEN' Untick other options NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)
⚠️ Warn: no topLevel permission defined: .github/workflows/publish-package.yml:1: Visit https://app.stepsecurity.io/secureworkflow/commit-check/commit-check/publish-package.yml/main?enable=permissions Tick the 'Restrict permissions for GITHUB_TOKEN' Untick other options NOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)
ℹ️ Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:18
ℹ️ Info: no jobLevel write permissions found
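Added example, not code from the commit-check project or from Scorecard: a small Python checker that reproduces, line by line, the two kinds of finding reported above (unpinned `uses:` references and pip installs under Pinned-Dependencies, and a missing top-level `permissions:` block under Token-Permissions) over a constructed weak workflow and its hardened counterpart. The workflow texts are constructed for the demo and the 40-hex SHAs in them are placeholders, not real commits; Scorecard itself parses the YAML and applies more rules than this line-based approximation.

```python
"""Line-based approximation of two OpenSSF Scorecard checks over a GitHub
Actions workflow: Pinned-Dependencies (are `uses:` references and pip
installs pinned by hash?) and Token-Permissions (does the workflow declare
a top-level `permissions:` block?). Scorecard itself parses the YAML; this
added example scans lines so it runs with the standard library only."""
import re

COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")          # full commit SHA = pinned by hash
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # `uses: owner/repo@ref`
PIP_INSTALL = re.compile(r"\bpip3?\s+install\b")

# Constructed workflow for the demo (not commit-check's real main.yml):
# mutable tags, pip without hashes, no top-level permissions.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install -r requirements.txt
      - run: pytest
"""

# The same workflow with the fixes Scorecard asks for. The 40-hex SHAs are
# placeholders: substitute the commit SHA behind the tag you audited.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4 (placeholder SHA)
      - uses: actions/setup-python@1111111111111111111111111111111111111111  # v5 (placeholder SHA)
        with:
          python-version: "3.12"
      - run: pip install --require-hashes -r requirements.txt
      - run: pytest
"""


def check_workflow(text):
    """Return findings: unpinned `uses:` refs, unpinned pip installs, and the
    top-level permissions (list of entries, or None if absent)."""
    findings = {"unpinned_actions": [], "unpinned_pip": [], "top_level_permissions": None}
    in_jobs = False               # after `jobs:`, any `permissions:` key is job-level
    in_permissions_block = False  # inside a multi-line top-level permissions mapping
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop YAML comments and trailing space
        if not line:
            continue
        if in_permissions_block:
            if line[0].isspace():              # still inside the indented mapping
                findings["top_level_permissions"].append(line.strip())
                continue
            in_permissions_block = False
        if line == "jobs:":
            in_jobs = True
        elif not in_jobs and line.startswith("permissions:"):
            value = line[len("permissions:"):].strip()
            if value:                          # inline form, e.g. `permissions: read-all`
                findings["top_level_permissions"] = [value]
            else:                              # mapping continues on the next lines
                findings["top_level_permissions"] = []
                in_permissions_block = True
            continue
        m = USES.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./") or ref.startswith("docker://"):
                continue   # local actions and container refs: out of scope here
            _, _, version = ref.partition("@")
            if not COMMIT_SHA.match(version):  # tag or branch, not a commit hash
                findings["unpinned_actions"].append((lineno, ref))
        elif PIP_INSTALL.search(line) and "--require-hashes" not in line:
            # Simplification of Scorecard's rule: pip counts as pinned only
            # when every requirement is forced to carry a --hash entry.
            findings["unpinned_pip"].append((lineno, line.strip()))
    return findings


def is_hardened(findings):
    """True when nothing is unpinned and top-level permissions are declared."""
    return (not findings["unpinned_actions"]
            and not findings["unpinned_pip"]
            and bool(findings["top_level_permissions"]))


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        f = check_workflow(wf)
        print(name, "->", "OK" if is_hardened(f) else "FINDINGS", f)
```

`--require-hashes` only works with a requirements file whose entries carry `--hash=sha256:...` values, which tools such as pip-tools (`pip-compile --generate-hashes`) produce; without those entries the install fails closed rather than silently pulling unverified wheels. A top-level `permissions:` block sets the ceiling for every job's GITHUB_TOKEN, so the `read-all` setting Scorecard found in scorecard.yml, or the tighter `contents: read` used above, is the baseline and individual jobs that need to publish then request only the extra scopes they use.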
N/A
Signed-Releases
Not Applicable

no releases found

Determines if the project cryptographically signs release artifacts.

⚠️ Warn: no GitHub releases found