Data

Tools

Indexes

Applications

Experiments

Repos

An open API service providing repository metadata for many open source software ecosystems.

GitHub / seedcase-project / template-python-package

A template repository to use when making a Python package for Seedcase.

JSON API: http://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seedcase-project%2Ftemplate-python-package
PURL: pkg:github/seedcase-project/template-python-package

Stars: 0
Forks: 0
Open issues: 7

License: mit
Language: Jinja
Size: 1.17 MB
Dependencies parsed at: Pending

Created at: about 1 year ago
Updated at: 13 days ago
Pushed at: 13 days ago
Last synced at: 12 days ago

Topics: copier-python, copier-template, template-package, template-python, template-python-package, template-repository-python

OpenSSF Scorecard report

7.5

Overall Score

10/10 Critical Risk
57/70 High Risk
18/40 Medium Risk
29/40 Low Risk
Generated on August 05, 2025 | Scorecard vv5.2.1
Security Checks
10/10
Binary-Artifacts
High Risk

no binaries found in the repo

Determines if the project has generated executable (binary) artifacts in the source repository.

10/10
Contributors
Low Risk

project has 12 contributing companies or organizations

Determines if the project has a set of contributors from multiple organizations (e.g., companies).

Show details
ℹ️ Info: found contributions from: NetCoupler, UofTCoders, au-cru, codeasmanuscript, dp-next, merely-useful, onlimit-study, rostools, science-collective, seedcase-project, steno diabetes center aarhus, steno-aarhus
10/10
Dangerous-Workflow
Critical Risk

no dangerous workflow patterns detected

Determines if the project's GitHub Action workflows avoid dangerous patterns.

10/10
Dependency-Update-Tool
High Risk

update tool detected

Determines if the project uses a dependency update tool.

Show details
ℹ️ Info: detected update tool: Dependabot: .github/dependabot.yml:1
10/10
License
Low Risk

license file detected

Determines if the project has defined a license.

Show details
ℹ️ Info: project has a license file: LICENSE.md:0
ℹ️ Info: FSF or OSI recognized license: MIT License: LICENSE.md:0
10/10
Maintained
High Risk

30 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10

Determines if the project is "actively maintained".

10/10
Pinned-Dependencies
Medium Risk

all dependencies are pinned

Determines if the project has declared and pinned the dependencies of its build process.

Show details
ℹ️ Info: 1 out of 1 GitHub-owned GitHubAction dependencies pinned
ℹ️ Info: 2 out of 2 third-party GitHubAction dependencies pinned
10/10
Token-Permissions
High Risk

GitHub workflow tokens follow principle of least privilege

Determines if the project's workflows follow the principle of least privilege.

Show details
⚠️ Warn: jobLevel 'contents' permission set to 'write': .github/workflows/build-package.yml:19
⚠️ Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release-package.yml:16
⚠️ Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/scorecards.yml:26
ℹ️ Info: topLevel permissions set to 'read-all': .github/workflows/add-to-project.yml:15
ℹ️ Info: topLevel permissions set to 'read-all': .github/workflows/build-package.yml:12
ℹ️ Info: topLevel permissions set to 'read-all': .github/workflows/build-website.yml:9
ℹ️ Info: topLevel permissions set to 'read-all': .github/workflows/dependency-review.yml:13
ℹ️ Info: topLevel permissions set to 'read-all': .github/workflows/release-package.yml:9
ℹ️ Info: topLevel permissions set to 'read-all': .github/workflows/scorecards.yml:18
ℹ️ Info: topLevel permissions set to 'read-all': .github/workflows/sync-files.yml:9
10/10
Vulnerabilities
High Risk

0 existing vulnerabilities detected

Determines if the project has open, known unfixed vulnerabilities.

9/10
CI-Tests
Low Risk

28 out of 30 merged PRs checked by a CI test -- score normalized to 9

Determines if the project runs tests before pull requests are merged.

8/10
SAST
Medium Risk

SAST tool is not run on all commits -- score normalized to 8

Determines if the project uses static code analysis.

Show details
⚠️ Warn: 24 commits out of 30 are checked with a SAST tool
6/10
Branch-Protection
High Risk

branch protection is not maximal on development and all release branches

Determines if the default and release branches are protected with GitHub's branch protection settings.

Show details
ℹ️ Info: 'allow deletion' disabled on branch 'main'
ℹ️ Info: 'force pushes' disabled on branch 'main'
⚠️ Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'
ℹ️ Info: 'stale review dismissal' is required to merge on branch 'main'
⚠️ Warn: required approving review count is 1 on branch 'main'
ℹ️ Info: codeowner review is required on branch 'main'
ℹ️ Info: 'last push approval' is required to merge on branch 'main'
⚠️ Warn: no status checks found to merge onto branch 'main'
ℹ️ Info: PRs are required in order to make changes on branch 'main'
1/10
Code-Review
High Risk

Found 4/25 approved changesets -- score normalized to 1

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

0/10
CII-Best-Practices
Low Risk

no effort to earn an OpenSSF best practices badge detected

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

0/10
Fuzzing
Medium Risk

project is not fuzzed

Determines if the project uses fuzzing.

Show details
⚠️ Warn: no fuzzer integrations found
0/10
Security-Policy
Medium Risk

security policy file not detected

Determines if the project has published a security policy.

Show details
⚠️ Warn: no security policy file detected
⚠️ Warn: no security file to analyze
⚠️ Warn: no security file to analyze
⚠️ Warn: no security file to analyze
N/A
Packaging
Not Applicable

packaging workflow not detected

Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.

Show details
⚠️ Warn: no GitHub/GitLab publishing workflow detected.
N/A
Signed-Releases
Not Applicable

no releases found

Determines if the project cryptographically signs release artifacts.