Data

Tools

Indexes

Applications

Experiments

Repos

An open API service providing repository metadata for many open source software ecosystems.

GitHub / mongodb / mongo-python-driver

PyMongo - the Official MongoDB Python driver

JSON API: http://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mongodb%2Fmongo-python-driver
PURL: pkg:github/mongodb/mongo-python-driver

Stars: 4,297
Forks: 1,138
Open issues: 16

License: apache-2.0
Language: Python
Size: 28.5 MB
Dependencies parsed at: Pending

Created at: almost 17 years ago
Updated at: 8 days ago
Pushed at: 8 days ago
Last synced at: 8 days ago

Commit Stats

Commits: 5883
Authors: 233
Mean commits per author: 25.25
Development Distribution Score: 0.808
More commit stats: https://commits.ecosyste.ms/hosts/GitHub/repositories/mongodb/mongo-python-driver

Topics: mongodb, mongodb-driver, pymongo, python, python-library

OpenSSF Scorecard report

6.9

Overall Score

10/10 Critical Risk
52/70 High Risk
24/50 Medium Risk
10/20 Low Risk
Generated on August 04, 2025 | Scorecard vv5.2.1-28-gc1d103a9
Security Checks
10/10
Binary-Artifacts
High Risk

no binaries found in the repo

Determines if the project has generated executable (binary) artifacts in the source repository.

10/10
Code-Review
High Risk

all changesets reviewed

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

10/10
Dangerous-Workflow
Critical Risk

no dangerous workflow patterns detected

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10/10
License
Low Risk

license file detected

Determines if the project has defined a license.

Show details
ℹ️ Info: project has a license file: LICENSE:0
ℹ️ Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0
10/10
Maintained
High Risk

30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10

Determines if the project is "actively maintained".

10/10
Packaging
Medium Risk

packaging workflow detected

Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.

Show details
ℹ️ Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release-python.yml:70
10/10
SAST
Medium Risk

SAST tool is run on all commits

Determines if the project uses static code analysis.

Show details
ℹ️ Info: SAST configuration detected: CodeQL
ℹ️ Info: all commits (30) are checked with a SAST tool
9/10
Vulnerabilities
High Risk

1 existing vulnerabilities detected

Determines if the project has open, known unfixed vulnerabilities.

Show details
⚠️ Warn: Project is vulnerable to: GHSA-3rq5-2g8h-59hc
8/10
Signed-Releases
High Risk

4 out of the last 4 releases have a total of 4 signed artifacts.

Determines if the project cryptographically signs release artifacts.

Show details
ℹ️ Info: signed release artifact: pymongo-4.14.0-cp310-cp310-macosx_10_9_x86_64.whl.sig: https://github.com/mongodb/mongo-python-driver/releases/tag/4.14.0
ℹ️ Info: signed release artifact: pymongo-4.13.2-cp310-cp310-macosx_10_9_x86_64.whl.sig: https://github.com/mongodb/mongo-python-driver/releases/tag/4.13.2
ℹ️ Info: signed release artifact: pymongo-4.13.1-cp310-cp310-macosx_10_9_x86_64.whl.sig: https://github.com/mongodb/mongo-python-driver/releases/tag/4.13.1
ℹ️ Info: signed release artifact: pymongo-4.12.1-cp310-cp310-macosx_10_9_x86_64.whl.sig: https://github.com/mongodb/mongo-python-driver/releases/tag/4.12.1
⚠️ Warn: release artifact 4.14.0 does not have provenance: https://api.github.com/repos/mongodb/mongo-python-driver/releases/237979677
⚠️ Warn: release artifact 4.13.2 does not have provenance: https://api.github.com/repos/mongodb/mongo-python-driver/releases/225649309
⚠️ Warn: release artifact 4.13.1 does not have provenance: https://api.github.com/repos/mongodb/mongo-python-driver/releases/224702899
⚠️ Warn: release artifact 4.12.1 does not have provenance: https://api.github.com/repos/mongodb/mongo-python-driver/releases/215566671
5/10
Branch-Protection
High Risk

branch protection is not maximal on development and all release branches

Determines if the default and release branches are protected with GitHub's branch protection settings.

Show details
ℹ️ Info: 'allow deletion' disabled on branch 'master'
ℹ️ Info: 'force pushes' disabled on branch 'master'
⚠️ Warn: 'branch protection settings apply to administrators' is disabled on branch 'master'
ℹ️ Info: 'stale review dismissal' is required to merge on branch 'master'
⚠️ Warn: required approving review count is 1 on branch 'master'
ℹ️ Info: codeowner review is required on branch 'master'
ℹ️ Info: 'last push approval' is required to merge on branch 'master'
⚠️ Warn: 'up-to-date branches' is disabled on branch 'master'
ℹ️ Info: status check found to merge onto on branch 'master'
ℹ️ Info: PRs are required in order to make changes on branch 'master'
4/10
Pinned-Dependencies
Medium Risk

dependency not pinned by hash detected -- score normalized to 4

Determines if the project has declared and pinned the dependencies of its build process.

Show details
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/codeql.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/codeql.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/create-release-branch.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/create-release-branch.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/create-release-branch.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/create-release-branch.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/create-release-branch.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/create-release-branch.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dist.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/dist.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dist.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/dist.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dist.yml:101: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/dist.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dist.yml:111: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/dist.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dist.yml:117: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/dist.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dist.yml:134: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/dist.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dist.yml:145: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/dist.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dist.yml:151: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/dist.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-python.yml:79: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/release-python.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-python.yml:103: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/release-python.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-python.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/release-python.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-python.yml:113: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/release-python.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-python.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/release-python.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-python.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/release-python.yml/master?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-python.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/release-python.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-python.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/test-python.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-python.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/test-python.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-python.yml:110: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/test-python.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-python.yml:129: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/test-python.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-python.yml:151: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/test-python.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-python.yml:172: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/test-python.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-python.yml:175: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/test-python.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-python.yml:186: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/test-python.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-python.yml:198: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/test-python.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-python.yml:207: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/test-python.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-python.yml:230: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/test-python.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-python.yml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/test-python.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-python.yml:256: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/test-python.yml/master?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/zizmor.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/mongodb/mongo-python-driver/zizmor.yml/master?enable=pin
⚠️ Warn: pipCommand not pinned by hash: .evergreen/combine-coverage.sh:17
⚠️ Warn: pipCommand not pinned by hash: .evergreen/scripts/check-import-time.sh:28
⚠️ Warn: pipCommand not pinned by hash: .evergreen/scripts/install-dependencies.sh:29
⚠️ Warn: downloadThenRun not pinned by hash: .evergreen/scripts/install-dependencies.sh:53
⚠️ Warn: pipCommand not pinned by hash: .evergreen/utils.sh:67
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/codeql.yml:63
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/create-release-branch.yml:48
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/dist.yml:74
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/dist.yml:75
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/dist.yml:125
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/dist.yml:130
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/test-python.yml:221
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/test-python.yml:184
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/test-python.yml:41
ℹ️ Info: 2 out of 27 GitHub-owned GitHubAction dependencies pinned
ℹ️ Info: 23 out of 32 third-party GitHubAction dependencies pinned
ℹ️ Info: 0 out of 13 pipCommand dependencies pinned
ℹ️ Info: 0 out of 1 downloadThenRun dependencies pinned
0/10
CII-Best-Practices
Low Risk

no effort to earn an OpenSSF best practices badge detected

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0/10
Fuzzing
Medium Risk

project is not fuzzed

Determines if the project uses fuzzing.

Show details
⚠️ Warn: no fuzzer integrations found
0/10
Security-Policy
Medium Risk

security policy file not detected

Determines if the project has published a security policy.

Show details
⚠️ Warn: no security policy file detected
⚠️ Warn: no security file to analyze
⚠️ Warn: no security file to analyze
⚠️ Warn: no security file to analyze
0/10
Token-Permissions
High Risk

detected GitHub workflow tokens with excessive permissions

Determines if the project's workflows follow the principle of least privilege.

Show details
⚠️ Warn: jobLevel 'contents' permission set to 'write': .github/workflows/create-release-branch.yml:32
⚠️ Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/release-python.yml:66
⚠️ Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release-python.yml:99
⚠️ Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/release-python.yml:101
⚠️ Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release-python.yml:37
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/test-python.yml:226
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/test-python.yml:252
⚠️ Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/zizmor.yml:14
⚠️ Warn: no topLevel permission defined: .github/workflows/codeql.yml:1
⚠️ Warn: no topLevel permission defined: .github/workflows/create-release-branch.yml:1
⚠️ Warn: no topLevel permission defined: .github/workflows/dist.yml:1
⚠️ Warn: no topLevel permission defined: .github/workflows/release-python.yml:1
⚠️ Warn: no topLevel permission defined: .github/workflows/test-python.yml:1
⚠️ Warn: no topLevel permission defined: .github/workflows/zizmor.yml:1