An open API service providing repository metadata for many open source software ecosystems.

GitHub / python / cpython

The Python programming language

JSON API: http://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/python%2Fcpython
PURL: pkg:github/python/cpython

Stars: 71,318
Forks: 33,997
Open issues: 9,222

License: other
Language: Python
Size: 748 MB
Dependencies parsed at: Pending

Created at: almost 9 years ago
Updated at: 4 days ago
Pushed at: 4 days ago
Last synced at: 4 days ago

Commit Stats

Commits: 111581
Authors: 3071
Mean commits per author: 36.33
Development Distribution Score: 0.9
More commit stats: https://commits.ecosyste.ms/hosts/GitHub/repositories/python/cpython

Funding Links: https://www.python.org/psf/donations/python-dev/, https://github.com/sponsors/python

OpenSSF Scorecard report

6.3

Overall Score

10/10 Critical Risk
37/60 High Risk
19/40 Medium Risk
14/20 Low Risk
Generated on August 04, 2025 | Scorecard vv5.2.1-28-gc1d103a9
Security Checks
10/10
Dangerous-Workflow
Critical Risk

no dangerous workflow patterns detected

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10/10
Fuzzing
Medium Risk

project is fuzzed

Determines if the project uses fuzzing.

ℹ️ Info: OSSFuzz integration found
ℹ️ Info: CLibFuzzer integration found: Modules/_xxtestfuzz/_xxtestfuzz.c:5
ℹ️ Info: CLibFuzzer integration found: Modules/_xxtestfuzz/_xxtestfuzz.c:13
ℹ️ Info: CLibFuzzer integration found: Modules/_xxtestfuzz/fuzzer.c:3
ℹ️ Info: CLibFuzzer integration found: Modules/_xxtestfuzz/fuzzer.c:8
ℹ️ Info: CLibFuzzer integration found: Modules/_xxtestfuzz/fuzzer.c:11
ℹ️ Info: CLibFuzzer integration found: Modules/_xxtestfuzz/fuzzer.c:89
ℹ️ Info: CLibFuzzer integration found: Modules/_xxtestfuzz/fuzzer.c:152
ℹ️ Info: CLibFuzzer integration found: Modules/_xxtestfuzz/fuzzer.c:198
ℹ️ Info: CLibFuzzer integration found: Modules/_xxtestfuzz/fuzzer.c:286
ℹ️ Info: CLibFuzzer integration found: Modules/_xxtestfuzz/fuzzer.c:341
ℹ️ Info: CLibFuzzer integration found: Modules/_xxtestfuzz/fuzzer.c:398
ℹ️ Info: CLibFuzzer integration found: Modules/_xxtestfuzz/fuzzer.c:444
ℹ️ Info: CLibFuzzer integration found: Modules/_xxtestfuzz/fuzzer.c:617
10/10
Maintained
High Risk

30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10

Determines if the project is "actively maintained".

10/10
Vulnerabilities
High Risk

0 existing vulnerabilities detected

Determines if the project has open, known unfixed vulnerabilities.

9/10
License
Low Risk

license file detected

Determines if the project has defined a license.

ℹ️ Info: project has a license file: LICENSE:0
⚠️ Warn: project license file does not contain an FSF or OSI license.
9/10
Security-Policy
Medium Risk

security policy file detected

Determines if the project has published a security policy.

ℹ️ Info: security policy file detected: .github/SECURITY.md:1
ℹ️ Info: Found linked content: .github/SECURITY.md:1
⚠️ Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
ℹ️ Info: Found text in security policy: .github/SECURITY.md:1
8/10
Code-Review
High Risk

Found 25/30 approved changesets -- score normalized to 8

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

6/10
Binary-Artifacts
High Risk

binaries present in source code

Determines if the project has generated executable (binary) artifacts in the source repository.

⚠️ Warn: binary detected: Lib/ensurepip/_bundled/pip-25.2-py3-none-any.whl:1
⚠️ Warn: binary detected: Lib/test/test_importlib/metadata/data/example-21.12-py3-none-any.whl:1
⚠️ Warn: binary detected: Lib/test/test_importlib/metadata/data/example2-1.0.0-py3-none-any.whl:1
⚠️ Warn: binary detected: Lib/test/wheeldata/setuptools-79.0.1-py3-none-any.whl:1
5/10
CII-Best-Practices
Low Risk

badge detected: Passing

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

3/10
Branch-Protection
High Risk

branch protection is not maximal on development and all release branches

Determines if the default and release branches are protected with GitHub's branch protection settings.

ℹ️ Info: 'allow deletion' disabled on branch 'main'
ℹ️ Info: 'force pushes' disabled on branch 'main'
⚠️ Warn: branch 'main' does not require approvers
⚠️ Warn: codeowners review is not required on branch 'main'
ℹ️ Info: status check found to merge onto on branch 'main'
0/10
Pinned-Dependencies
Medium Risk

dependency not pinned by hash detected -- score normalized to 0

Determines if the project has declared and pinned the dependencies of its build process.

ℹ️ Info: Possibly incomplete results: error parsing shell code: invalid UTF-8 encoding: Lib/test/archivetestdata/exe_with_z64:0
ℹ️ Info: Possibly incomplete results: error parsing shell code: invalid UTF-8 encoding: Lib/test/archivetestdata/exe_with_zip:0
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/add-issue-header.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/add-issue-header.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:104: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:113: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:123: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:620: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:626: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:342: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:348: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:363: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:379: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:669: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:674: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:682: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:688: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:539: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:545: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:554: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:564: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:575: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:281: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:287: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:302: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:313: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:418: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:432: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:443: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:457: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:491: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:518: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/build.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/documentation-links.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/documentation-links.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/jit.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/jit.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/jit.yml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/jit.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/jit.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/jit.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/lint.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/lint.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/lint.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/lint.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/mypy.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/mypy.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/mypy.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/mypy.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/new-bugs-announce-notifier.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/new-bugs-announce-notifier.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/new-bugs-announce-notifier.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/new-bugs-announce-notifier.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/project-updater.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/project-updater.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/require-pr-label.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/require-pr-label.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/require-pr-label.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/require-pr-label.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/require-pr-label.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/require-pr-label.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/require-pr-label.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/require-pr-label.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-context.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-context.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-context.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-context.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-docs.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-docs.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-docs.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-docs.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-docs.yml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-docs.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-docs.yml:88: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-docs.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-docs.yml:111: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-docs.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-docs.yml:115: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-docs.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-macos.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-macos.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-macos.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-macos.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-san.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-san.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-san.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-san.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/reusable-san.yml:81: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-san.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-san.yml:115: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-san.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-ubuntu.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-ubuntu.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-ubuntu.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-ubuntu.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/reusable-ubuntu.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-ubuntu.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-ubuntu.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-ubuntu.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-wasi.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-wasi.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/reusable-wasi.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-wasi.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-wasi.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-wasi.yml/main?enable=pin
⚠️ Warn: third-party GitHubAction not pinned by hash: .github/workflows/reusable-wasi.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-wasi.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-wasi.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-wasi.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-wasi.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-wasi.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-wasi.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-wasi.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-windows-msi.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-windows-msi.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-windows.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/reusable-windows.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stale.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/stale.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tail-call.yml:75: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/tail-call.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tail-call.yml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/tail-call.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/verify-ensurepip-wheels.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/verify-ensurepip-wheels.yml/main?enable=pin
⚠️ Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/verify-ensurepip-wheels.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/python/cpython/verify-ensurepip-wheels.yml/main?enable=pin
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/mypy.yml:70
⚠️ Warn: npmCommand not pinned by hash: .github/workflows/new-bugs-announce-notifier.yml:20
⚠️ Warn: pipCommand not pinned by hash: .github/workflows/reusable-docs.yml:123
⚠️ Warn: downloadThenRun not pinned by hash: .github/workflows/reusable-san.yml:50
⚠️ Warn: downloadThenRun not pinned by hash: .github/workflows/reusable-san.yml:58
ℹ️ Info: 0 out of 61 GitHub-owned GitHubAction dependencies pinned
ℹ️ Info: 1 out of 19 third-party GitHubAction dependencies pinned
ℹ️ Info: 1 out of 2 npmCommand dependencies pinned
ℹ️ Info: 0 out of 2 pipCommand dependencies pinned
ℹ️ Info: 0 out of 2 downloadThenRun dependencies pinned
0/10
SAST
Medium Risk

SAST tool is not run on all commits -- score normalized to 0

Determines if the project uses static code analysis.

⚠️ Warn: 0 commits out of 30 are checked with a SAST tool
0/10
Token-Permissions
High Risk

detected GitHub workflow tokens with excessive permissions

Determines if the project's workflows follow the principle of least privilege.

ℹ️ Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/require-pr-label.yml:13
ℹ️ Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/require-pr-label.yml:30
⚠️ Warn: no topLevel permission defined: .github/workflows/add-issue-header.yml:1
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/build.yml:15
⚠️ Warn: no topLevel permission defined: .github/workflows/documentation-links.yml:1
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/jit.yml:26
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/lint.yml:6
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/mypy.yml:31
ℹ️ Info: topLevel 'issues' permission set to 'read': .github/workflows/new-bugs-announce-notifier.yml:9
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/project-updater.yml:10
⚠️ Warn: no topLevel permission defined: .github/workflows/require-pr-label.yml:1
⚠️ Warn: no topLevel permission defined: .github/workflows/reusable-context.yml:1
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/reusable-docs.yml:8
⚠️ Warn: no topLevel permission defined: .github/workflows/reusable-macos.yml:1
⚠️ Warn: no topLevel permission defined: .github/workflows/reusable-san.yml:1
⚠️ Warn: no topLevel permission defined: .github/workflows/reusable-ubuntu.yml:1
⚠️ Warn: no topLevel permission defined: .github/workflows/reusable-wasi.yml:1
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/reusable-windows-msi.yml:12
⚠️ Warn: no topLevel permission defined: .github/workflows/reusable-windows.yml:1
⚠️ Warn: no topLevel permission defined: .github/workflows/stale.yml:1
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/tail-call.yml:20
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/verify-ensurepip-wheels.yml:17
ℹ️ Info: no jobLevel write permissions found
N/A
Packaging
Not Applicable

packaging workflow not detected

Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.

⚠️ Warn: no GitHub/GitLab publishing workflow detected.
N/A
Signed-Releases
Not Applicable

no releases found

Determines if the project cryptographically signs release artifacts.