An open API service providing repository metadata for many open source software ecosystems.

GitHub / step-security / docs-as-code-confluence

Publish the content of a folder to confluence Github Action. Secure drop-in replacement for Bhacaz/docs-as-code-confluence.

JSON API: http://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/step-security%2Fdocs-as-code-confluence
PURL: pkg:github/step-security/docs-as-code-confluence

Stars: 0
Forks: 1
Open issues: 15

License: mit
Language: JavaScript
Size: 829 KB
Dependencies parsed at: Pending

Created at: 3 months ago
Updated at: 2 months ago
Pushed at: 2 days ago
Last synced at: 2 days ago

Topics: step-security-maintained-actions

OpenSSF Scorecard report

Overall Score: 6.6

10/10 Critical Risk
43/70 High Risk
27/40 Medium Risk
20/40 Low Risk
Generated on August 29, 2025 | Scorecard v5.0.0

Security Checks

Binary-Artifacts: 10/10 (High Risk)

no binaries found in the repo

Determines if the project has generated executable (binary) artifacts in the source repository.

CI-Tests: 10/10 (Low Risk)

4 out of 4 merged PRs checked by a CI test -- score normalized to 10

Determines if the project runs tests before pull requests are merged.

Dangerous-Workflow: 10/10 (Critical Risk)

no dangerous workflow patterns detected

Determines if the project's GitHub Action workflows avoid dangerous patterns.

Dependency-Update-Tool: 10/10 (High Risk)

update tool detected

Determines if the project uses a dependency update tool.

ℹ️ Info: detected update tool: Dependabot: .github/dependabot.yml:1

License: 10/10 (Low Risk)

license file detected

Determines if the project has defined a license.

ℹ️ Info: project has a license file: LICENSE:0
ℹ️ Info: FSF or OSI recognized license: MIT License: LICENSE:0

Pinned-Dependencies: 10/10 (Medium Risk)

all dependencies are pinned

Determines if the project has declared and pinned the dependencies of its build process.

ℹ️ Info: 9 out of 9 GitHub-owned GitHubAction dependencies pinned
ℹ️ Info: 4 out of 4 third-party GitHubAction dependencies pinned

Security-Policy: 10/10 (Medium Risk)

security policy file detected

Determines if the project has published a security policy.

ℹ️ Info: security policy file detected: SECURITY.md:1
ℹ️ Info: Found linked content: SECURITY.md:1
ℹ️ Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
ℹ️ Info: Found text in security policy: SECURITY.md:1

Vulnerabilities: 10/10 (High Risk)

0 existing vulnerabilities detected

Determines if the project has open, known unfixed vulnerabilities.

Branch-Protection: 8/10 (High Risk)

branch protection is not maximal on development and all release branches

Determines if the default and release branches are protected with GitHub's branch protection settings.

ℹ️ Info: 'allow deletion' disabled on branch 'main'
ℹ️ Info: 'force pushes' disabled on branch 'main'
⚠️ Warn: required approving review count is 1 on branch 'main'
⚠️ Warn: codeowners review is required - but no codeowners file found in repo
ℹ️ Info: status check found to merge onto on branch 'main'
ℹ️ Info: PRs are required in order to make changes on branch 'main'

SAST: 7/10 (Medium Risk)

SAST tool detected but not run on all commits

Determines if the project uses static code analysis.

ℹ️ Info: SAST configuration detected: CodeQL
⚠️ Warn: 2 commits out of 14 are checked with a SAST tool

Code-Review: 5/10 (High Risk)

Found 2/4 approved changesets -- score normalized to 5

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

CII-Best-Practices: 0/10 (Low Risk)

no effort to earn an OpenSSF best practices badge detected

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

Contributors: 0/10 (Low Risk)

project has 0 contributing companies or organizations -- score normalized to 0

Determines if the project has a set of contributors from multiple organizations (e.g., companies).

Fuzzing: 0/10 (Medium Risk)

project is not fuzzed

Determines if the project uses fuzzing.

⚠️ Warn: no fuzzer integrations found

Maintained: 0/10 (High Risk)

project was created in last 90 days. please review its contents carefully

Determines if the project is "actively maintained".

⚠️ Warn: Repository was created in last 90 days.

Token-Permissions: 0/10 (High Risk)

detected GitHub workflow tokens with excessive permissions

Determines if the project's workflows follow the principle of least privilege.

ℹ️ Info: jobLevel 'actions' permission set to 'read': .github/workflows/actions_release.yml:16
⚠️ Warn: jobLevel 'contents' permission set to 'write': .github/workflows/actions_release.yml:18
ℹ️ Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:31
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:32
ℹ️ Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecards.yml:29
ℹ️ Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecards.yml:30
ℹ️ Info: jobLevel 'issues' permission set to 'read': .github/workflows/scorecards.yml:32
ℹ️ Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/scorecards.yml:33
ℹ️ Info: jobLevel 'checks' permission set to 'read': .github/workflows/scorecards.yml:35
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/actions_release.yml:11
⚠️ Warn: topLevel 'contents' permission set to 'write': .github/workflows/audit_package.yml:25
ℹ️ Info: topLevel 'packages' permission set to 'read': .github/workflows/audit_package.yml:27
ℹ️ Info: topLevel 'packages' permission set to 'read': .github/workflows/auto_cherry_pick.yml:14
⚠️ Warn: topLevel 'contents' permission set to 'write': .github/workflows/auto_cherry_pick.yml:12
⚠️ Warn: topLevel 'contents' permission set to 'write': .github/workflows/claude_review.yml:14
ℹ️ Info: topLevel 'packages' permission set to 'read': .github/workflows/claude_review.yml:16
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:24
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:13
ℹ️ Info: topLevel 'contents' permission set to 'read': .github/workflows/guarddog.yml:10
ℹ️ Info: topLevel permissions set to 'read-all': .github/workflows/scorecards.yml:18

Packaging: N/A (Not Applicable)

packaging workflow not detected

Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.

⚠️ Warn: no GitHub/GitLab publishing workflow detected.

Signed-Releases: N/A (Not Applicable)

no releases found

Determines if the project cryptographically signs release artifacts.