[WIP] deps: bump up v8 to 13.6.233.8 #40235
CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to
b5b4b32 to 7bb003a
Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
| highway = dict( | ||
| project_name = "Highway", | ||
| project_desc = "Efficient and performance-portable vector software", | ||
| project_url = "https://github.com/google/highway", | ||
| # Same version as used by V8 | ||
| version = "00fe003dac355b979f36157f9407c7c46448958e", | ||
| sha256 = "7ef3f89053f50f88d4603670bb9a915d252bd93314ced691ddf5913edbc4e75b", | ||
| urls = ["https://github.com/google/highway/archive/{version}.tar.gz"], | ||
| strip_prefix = "highway-{version}", | ||
| use_category = ["dataplane_ext"], | ||
| extensions = ["envoy.wasm.runtime.v8"], | ||
| release_date = "2024-10-25", | ||
| cpe = "N/A", | ||
| ), |
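Review bot: `version = "00fe003dac355b979f36157f9407c7c46448958e"` pins a bare commit hash, and the only rationale on the hunk is `# Same version as used by V8`; the comment should name the V8 release whose DEPS it mirrors (13.6.233.8 per the PR title) so the next bump can re-check it rather than guess. `release_date = "2024-10-25"` is the same date as the fast_float entry added in this PR, which suggests it was copied rather than taken from the pinned commit; please verify it against the commit date, since Envoy's dependency checks use this field. A commit archive is not one of Highway's signed release tarballs (the scorecard further down lists highway-1.x.tar.gz.asc signatures only for tagged releases), so `sha256 = "7ef3f89053f50f88d4603670bb9a915d252bd93314ced691ddf5913edbc4e75b"` is the sole integrity anchor for this fetch; state in the PR description that it was computed from a fresh download of the `archive/{version}.tar.gz` URL. With `cpe = "N/A"` the entry also gets no automated CVE matching, so a sentence on how the Highway pin is expected to track V8 upstream would help reviewers.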
./scorecard --show-details --repo github.com/google/highway
RESULTS
-------
Aggregate score: 6.8 / 10
Check scores:
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|-------|------|--------|---------|---------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts |
| 6 / 10 | Branch-Protection | branch protection is not maximal on development and all release branches | Info: 'allow deletion' disabled on branch 'master' Info: 'force pushes' disabled on branch 'master' Warn: required approving review count is 1 on branch 'master' Warn: codeowners review is required - but no codeowners file found in repo Warn: no status checks found to merge onto branch 'master' Info: PRs are required in order to make changes on branch 'master' | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection |
| 9 / 10 | CI-Tests | 21 out of 22 merged PRs checked by a CI test -- score normalized to 9 | | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests |
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF best practices badge detected | | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices |
| 3 / 10 | Code-Review | Found 8/22 approved changesets -- score normalized to 3 | | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review |
| 10 / 10 | Contributors | project has 18 contributing companies or organizations | Info: found contributions from: JuliaSIMD, apache, arm-software, google, google deepmind, google research, googlers, http://mathieumalaterre.com, kvantify, libjxl, libvips, modular, numpy, openai, simons foundation, uwplse, v8-riscv, weserv | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors |
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns detected | | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow |
| 10 / 10 | Dependency-Update-Tool | update tool detected | Info: detected update tool: Dependabot: .github/dependabot.yml:1 | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool |
| 0 / 10 | Fuzzing | project is not fuzzed | Warn: no fuzzer integrations found | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing |
| 10 / 10 | License | license file detected | Info: project has a license file: LICENSE:0 Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0 | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license |
| 10 / 10 | Maintained | 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 | | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained |
| ? | Packaging | packaging workflow not detected | Warn: no GitHub/GitLab publishing workflow detected. | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging |
| 7 / 10 | Pinned-Dependencies | dependency not pinned by hash detected -- score normalized to 7 | Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/multiarch.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/google/highway/multiarch.yml/master?enable=pin Warn: third-party GitHubAction not pinned by hash: .github/workflows/multiarch.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/google/highway/multiarch.yml/master?enable=pin Warn: pipCommand not pinned by hash: docs/buildDocs.sh:22 Info: 6 out of 7 GitHub-owned GitHubAction dependencies pinned Info: 6 out of 7 third-party GitHubAction dependencies pinned Info: 0 out of 1 pipCommand dependencies pinned | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies |
| 0 / 10 | SAST | SAST tool is not run on all commits -- score normalized to 0 | Warn: 0 commits out of 29 are checked with a SAST tool | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast |
| 10 / 10 | Security-Policy | security policy file detected | Info: security policy file detected: github.com/google/.github/SECURITY.md:1 Info: Found linked content: github.com/google/.github/SECURITY.md:1 Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/google/.github/SECURITY.md:1 Info: Found text in security policy: github.com/google/.github/SECURITY.md:1 | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy |
| 8 / 10 | Signed-Releases | 5 out of the last 5 releases have a total of 5 signed artifacts. | Info: signed release artifact: highway-1.2.0.tar.gz.asc: https://github.com/google/highway/releases/tag/1.2.0 Info: signed release artifact: highway-1.1.0.tar.gz.asc: https://github.com/google/highway/releases/tag/1.1.0 Info: signed release artifact: highway-1.0.7.tar.gz.asc: https://github.com/google/highway/releases/tag/1.0.7 Info: signed release artifact: highway-1.0.6.tar.gz.asc: https://github.com/google/highway/releases/tag/1.0.6 Info: signed release artifact: highway-1.0.5.tar.gz.asc: https://github.com/google/highway/releases/tag/1.0.5 Warn: release artifact 1.2.0 does not have provenance: https://api.github.com/repos/google/highway/releases/158381814 Warn: release artifact 1.1.0 does not have provenance: https://api.github.com/repos/google/highway/releases/142478899 Warn: release artifact 1.0.7 does not have provenance: https://api.github.com/repos/google/highway/releases/119181529 Warn: release artifact 1.0.6 does not have provenance: https://api.github.com/repos/google/highway/releases/116082634 Warn: release artifact 1.0.5 does not have provenance: https://api.github.com/repos/google/highway/releases/112840052 | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases |
| 0 / 10 | Token-Permissions | detected GitHub workflow tokens with excessive permissions | Info: topLevel permissions set to 'read-all': .github/workflows/build_test.yml:15 Warn: topLevel 'contents' permission set to 'write': .github/workflows/docs_pages_workflow.yml:7 Info: topLevel 'contents' permission set to 'read': .github/workflows/multiarch.yml:10 Info: no jobLevel write permissions found | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions |
| 10 / 10 | Vulnerabilities | 0 existing vulnerabilities detected | | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities |
| fast_float = dict( | ||
| project_name = "Fast_Float", | ||
| project_desc = "Fast and exact implementation of the C++ from_chars functions for number types", | ||
| project_url = "https://github.com/fastfloat/fast_float", | ||
| # Same version as used by V8 | ||
| version = "7.0.0", | ||
| sha256 = "d2a08e722f461fe699ba61392cd29e6b23be013d0f56e50c7786d0954bffcb17", | ||
| urls = ["https://github.com/fastfloat/fast_float/archive/refs/tags/v{version}.tar.gz"], | ||
| strip_prefix = "fast_float-{version}", | ||
| use_category = ["dataplane_ext"], | ||
| extensions = ["envoy.wasm.runtime.v8"], | ||
| release_date = "2024-10-25", | ||
| cpe = "N/A", | ||
| ), |
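Review bot: `version = "7.0.0"` pins a tag that the scorecard output in this thread shows is a major version behind the project's current releases (v8.0.2, v8.0.1, v8.0.0), and the only rationale on the hunk is `# Same version as used by V8`; the comment should state which V8 version (13.6.233.8 per the PR title) so the lag is visibly intentional and gets re-evaluated on the next V8 bump. The same scorecard reports every fast_float release as unsigned and without provenance, so `sha256 = "d2a08e722f461fe699ba61392cd29e6b23be013d0f56e50c7786d0954bffcb17"` is the sole integrity check on the fetched archive; please confirm it was computed from a fresh download of the `refs/tags/v7.0.0` tarball rather than copied from another source. `release_date = "2024-10-25"` is identical to the highway entry's date in this PR and should be checked against the v7.0.0 tag date, since Envoy's dependency staleness checks read this field.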
./scorecard --show-details --repo github.com/fastfloat/fast_float
RESULTS
-------
Aggregate score: 5.5 / 10
Check scores:
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|-------|------|--------|---------|---------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts |
| 0 / 10 | Branch-Protection | branch protection not enabled on development/release branches | Warn: branch protection not enabled for branch 'main' | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection |
| 8 / 10 | CI-Tests | 7 out of 8 merged PRs checked by a CI test -- score normalized to 8 | | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests |
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF best practices badge detected | | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices |
| 4 / 10 | Code-Review | Found 6/15 approved changesets -- score normalized to 4 | | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review |
| 10 / 10 | Contributors | project has 14 contributing companies or organizations | Info: found contributions from: FastFilter, RoaringBitmap, ada-url, bits-and-blooms, capstone-fpga-raytracing, fast-pack, fastfloat, manulife, nodejs, simdjson, simdutf, university of modena and reggio emilia, université du québec (teluq), web-platform-tests | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors |
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns detected | | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow |
| 10 / 10 | Dependency-Update-Tool | update tool detected | Info: detected update tool: Dependabot: .github/dependabot.yml:1 | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool |
| 10 / 10 | Fuzzing | project is fuzzed | Info: OSSFuzz integration found Info: CppLibFuzzer integration found: fuzz/from_chars.cc:22 Info: CppLibFuzzer integration found: fuzz/from_chars.cc:22 | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing |
| 10 / 10 | License | license file detected | Info: project has a license file: LICENSE-APACHE:0 Info: FSF or OSI recognized license: Apache License 2.0: LICENSE-APACHE:0 | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license |
| 0 / 10 | Maintained | 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 | | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained |
| ? | Packaging | packaging workflow not detected | Warn: no GitHub/GitLab publishing workflow detected. | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging |
| 1 / 10 | Pinned-Dependencies | dependency not pinned by hash detected -- score normalized to 1 | Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/alpine.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/alpine.yml/main?enable=pin Warn: third-party GitHubAction not pinned by hash: .github/workflows/alpine.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/alpine.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/amalgamate-ubuntu20.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/amalgamate-ubuntu20.yml/main?enable=pin Warn: third-party GitHubAction not pinned by hash: .github/workflows/cifuzz.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/cifuzz.yml/main?enable=pin Warn: third-party GitHubAction not pinned by hash: .github/workflows/cifuzz.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/cifuzz.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cifuzz.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/cifuzz.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/cifuzz.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/cifuzz.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/msys2-clang.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/msys2-clang.yml/main?enable=pin Warn: third-party GitHubAction not pinned by hash: .github/workflows/msys2-clang.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/msys2-clang.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/msys2.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/msys2.yml/main?enable=pin Warn: third-party GitHubAction not pinned by hash: .github/workflows/msys2.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/msys2.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/on-release.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/on-release.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/on-release.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/on-release.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/s390x.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/s390x.yml/main?enable=pin Warn: third-party GitHubAction not pinned by hash: .github/workflows/s390x.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/s390x.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ubuntu20-cxx20.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/ubuntu20-cxx20.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ubuntu20-fastmath.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/ubuntu20-fastmath.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ubuntu20.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/ubuntu20.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ubuntu22-clang.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/ubuntu22-clang.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ubuntu22-gcc12.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/ubuntu22-gcc12.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ubuntu22-sanitize.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/ubuntu22-sanitize.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ubuntu22.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/ubuntu22.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ubuntu24.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/ubuntu24.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/vs17-arm-ci.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/vs17-arm-ci.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/vs17-ci.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/vs17-ci.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/vs17-clang-ci.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/vs17-clang-ci.yml/main?enable=pin Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/vs17-cxx20.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/fastfloat/fast_float/vs17-cxx20.yml/main?enable=pin Info: 1 out of 22 GitHub-owned GitHubAction dependencies pinned Info: 1 out of 7 third-party GitHubAction dependencies pinned | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies |
| 3 / 10 | SAST | SAST tool is not run on all commits -- score normalized to 3 | Warn: 7 commits out of 21 are checked with a SAST tool | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast |
| 10 / 10 | Security-Policy | security policy file detected | Info: security policy file detected: SECURITY.md:1 Info: Found linked content: SECURITY.md:1 Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1 Info: Found text in security policy: SECURITY.md:1 | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy |
| 0 / 10 | Signed-Releases | Project has not signed or included provenance with any releases. | Warn: release artifact v8.0.2 not signed: https://api.github.com/repos/fastfloat/fast_float/releases/205026388 Warn: release artifact v8.0.1 not signed: https://api.github.com/repos/fastfloat/fast_float/releases/204731894 Warn: release artifact v8.0.0 not signed: https://api.github.com/repos/fastfloat/fast_float/releases/198955603 Warn: release artifact v7.0.0 not signed: https://api.github.com/repos/fastfloat/fast_float/releases/186711656 Warn: release artifact v6.1.6 not signed: https://api.github.com/repos/fastfloat/fast_float/releases/174022205 Warn: release artifact v8.0.2 does not have provenance: https://api.github.com/repos/fastfloat/fast_float/releases/205026388 Warn: release artifact v8.0.1 does not have provenance: https://api.github.com/repos/fastfloat/fast_float/releases/204731894 Warn: release artifact v8.0.0 does not have provenance: https://api.github.com/repos/fastfloat/fast_float/releases/198955603 Warn: release artifact v7.0.0 does not have provenance: https://api.github.com/repos/fastfloat/fast_float/releases/186711656 Warn: release artifact v6.1.6 does not have provenance: https://api.github.com/repos/fastfloat/fast_float/releases/174022205 | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases |
| 0 / 10 | Token-Permissions | detected GitHub workflow tokens with excessive permissions | Warn: no topLevel permission defined: .github/workflows/alpine.yml:1 Warn: no topLevel permission defined: | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions |
| | | | .github/workflows/amalgamate-ubuntu20.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/cifuzz.yml:1 Info: | |
| | | | topLevel 'contents' permission set to 'read': | |
| | | | .github/workflows/lint_and_format_check.yml:17 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/msys2-clang.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/msys2.yml:1 Warn: | |
| | | | topLevel 'contents' permission set to | |
| | | | 'write': .github/workflows/on-release.yml:6 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/s390x.yml:1 Warn: | |
| | | | no topLevel permission defined: | |
| | | | .github/workflows/ubuntu20-cxx20.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/ubuntu20-fastmath.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/ubuntu20.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/ubuntu22-clang.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/ubuntu22-gcc12.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/ubuntu22-sanitize.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/ubuntu22.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/ubuntu24.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/vs17-arm-ci.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/vs17-ci.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/vs17-clang-ci.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/vs17-cxx20.yml:1 Info: no | |
| | | | jobLevel write permissions found | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | 0 existing vulnerabilities | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities |
| | | detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| fp16 = dict( | ||
| project_name = "FP16", | ||
| project_desc = "Conversion to/from half-precision floating point formats", | ||
| project_url = "https://github.com/Maratyszcza/FP16", | ||
| # Header-only library, using master branch | ||
| version = "master", | ||
| sha256 = "659f9c72c1ee1321fcf9a5215aa9e4524e877e62c36564c11765824ce3b89a58", | ||
| urls = ["https://github.com/Maratyszcza/FP16/archive/{version}.tar.gz"], | ||
| strip_prefix = "FP16-{version}", | ||
| use_category = ["dataplane_ext"], | ||
| extensions = ["envoy.wasm.runtime.v8"], | ||
| release_date = "2024-07-31", | ||
| cpe = "N/A", | ||
| ), |
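Review bot: `version = "master"` makes this entry a moving target: the `{version}` substitution in `urls` resolves to `https://github.com/Maratyszcza/FP16/archive/master.tar.gz`, so the pinned `sha256` and the stated `release_date` describe whatever `master` pointed at on the day the hash was taken and will silently fail (or, worse, be "fixed" by re-hashing) the next time the branch moves. Pin the entry to the full commit SHA that the hash was computed from, as the other `envoy.wasm.runtime.v8` dependencies in this change do, and reword the comment to say which commit is tracked rather than "using master branch".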
./scorecard --show-details --repo github.com/Maratyszcza/FP16
RESULTS
-------
Aggregate score: 3.2 / 10
Check scores:
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Branch-Protection | branch protection not enabled | Warn: branch protection not | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection |
| | | on development/release | enabled for branch 'master' | |
| | | branches | | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 3 / 10 | CI-Tests | 3 out of 8 merged PRs | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests |
| | | checked by a CI test -- score | |
| | | normalized to 3 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices |
| | | best practices badge detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 1 / 10 | Code-Review | Found 5/30 approved changesets | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review |
| | | -- score normalized to 1 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 3 / 10 | Contributors | project has 1 contributing | Info: found contributions | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors |
| | | companies or organizations -- | from: PeachPy | |
| | | score normalized to 3 | | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow |
| | | detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Dependency-Update-Tool | no update tool detected | Warn: no dependency update | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool |
| | | | tool configurations found | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed | Warn: no fuzzer integrations | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing |
| | | | found | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License | license file detected | Info: project has a license | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license |
| | | | file: LICENSE:0 Info: FSF or | |
| | | | OSI recognized license: MIT | |
| | | | License: LICENSE:0 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Maintained | 0 commit(s) and 0 issue | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained |
| | | activity found in the last 90 | |
| | | days -- score normalized to 0 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Packaging | packaging workflow not | Warn: no GitHub/GitLab | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging |
| | | detected | publishing workflow detected. | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Pinned-Dependencies | dependency not pinned by hash | Warn: GitHub-owned GitHubAction not pinned by hash: | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies |
| | | detected -- score normalized | .github/workflows/cmake.yml:129: update your workflow using | |
| | | to 0 | https://app.stepsecurity.io/secureworkflow/Maratyszcza/FP16/cmake.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/cmake.yml:168: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/Maratyszcza/FP16/cmake.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/cmake.yml:104: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/Maratyszcza/FP16/cmake.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/cmake.yml:143: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/Maratyszcza/FP16/cmake.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/cmake.yml:157: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/Maratyszcza/FP16/cmake.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/cmake.yml:182: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/Maratyszcza/FP16/cmake.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/cmake.yml:18: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/Maratyszcza/FP16/cmake.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/cmake.yml:33: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/Maratyszcza/FP16/cmake.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/cmake.yml:51: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/Maratyszcza/FP16/cmake.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/cmake.yml:72: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/Maratyszcza/FP16/cmake.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/cmake.yml:93: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/Maratyszcza/FP16/cmake.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/cmake.yml:118: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/Maratyszcza/FP16/cmake.yml/master?enable=pin | |
| | | | Info: 0 out of 12 GitHub-owned GitHubAction dependencies pinned | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | SAST | SAST tool is not run on all | Warn: 0 commits out of 8 are | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast |
| | | commits -- score normalized to | checked with a SAST tool | |
| | | 0 | | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | Warn: no security policy file | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy |
| | | detected | detected Warn: no security | |
| | | | file to analyze Warn: no | |
| | | | security file to analyze Warn: | |
| | | | no security file to analyze | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Signed-Releases | no releases found | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Token-Permissions | detected GitHub workflow | Warn: no topLevel | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions |
| | | tokens with excessive | permission defined: | |
| | | permissions | .github/workflows/cmake.yml:1 | |
| | | | Info: no jobLevel write | |
| | | | permissions found | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | 0 existing vulnerabilities | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities |
| | | detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| intel_ittapi = dict( | ||
| project_name = "Intel ITT API", | ||
| project_desc = "Intel Instrumentation and Tracing Technology API", | ||
| project_url = "https://github.com/intel/ittapi", | ||
| version = "a3911fff01a775023a06af8754f9ec1e5977dd97", | ||
| sha256 = "1d0dddfc5abb786f2340565c82c6edd1cff10c917616a18ce62ee0b94dbc2ed4", | ||
| urls = ["https://github.com/intel/ittapi/archive/{version}.tar.gz"], | ||
| strip_prefix = "ittapi-{version}", | ||
| use_category = ["dataplane_ext"], | ||
| extensions = ["envoy.wasm.runtime.v8"], | ||
| release_date = "2024-10-25", | ||
| cpe = "N/A", | ||
| ), |
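Review bot: The commit pin `a3911fff01a775023a06af8754f9ec1e5977dd97` carries no comment saying where it comes from, so a future V8 bump has no way to check whether this `envoy.wasm.runtime.v8` dependency still matches the revision V8 expects. Add a one-line comment above `version` recording that it mirrors the V8 pin (and, if known, which V8 release), and state why `cpe = "N/A"` is appropriate for intel/ittapi rather than leaving it unexplained.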
./scorecard --show-details --repo github.com/intel/ittapi
RESULTS
-------
Aggregate score: 7.8 / 10
Check scores:
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 6 / 10 | Branch-Protection | branch protection is not | Info: 'allow deletion' | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection |
| | | maximal on development and all | disabled on branch 'master' | |
| | | release branches | Info: 'force pushes' disabled | |
| | | | on branch 'master' Info: | |
| | | | 'branch protection settings | |
| | | | apply to administrators' is | |
| | | | required to merge on branch | |
| | | | 'master' Warn: required | |
| | | | approving review count is | |
| | | | 1 on branch 'master' Warn: | |
| | | | codeowners review is not | |
| | | | required on branch 'master' | |
| | | | Warn: no status checks found | |
| | | | to merge onto branch 'master' | |
| | | | Info: PRs are required in | |
| | | | order to make changes on | |
| | | | branch 'master' | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 8 / 10 | CI-Tests | 26 out of 30 merged PRs | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests |
| | | checked by a CI test -- score | |
| | | normalized to 8 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 2 / 10 | CII-Best-Practices | badge detected: InProgress | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Code-Review | all changesets reviewed | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors | project has 3 contributing | Info: found contributions | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors |
| | | companies or organizations -- | from: bytecodealliance, intel, | |
| | | score normalized to 10 | owncloud | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow |
| | | detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dependency-Update-Tool | update tool detected | Info: detected update | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool |
| | | | tool: Dependabot: | |
| | | | .github/dependabot.yml:1 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed | Warn: no fuzzer integrations | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing |
| | | | found | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License | license file detected | Info: project has | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license |
| | | | a license file: | |
| | | | LICENSES/BSD-3-Clause.txt:0 | |
| | | | Info: FSF or OSI recognized | |
| | | | license: BSD 3-Clause | |
| | | | "New" or "Revised" License: | |
| | | | LICENSES/BSD-3-Clause.txt:0 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 6 / 10 | Maintained | 8 commit(s) and 0 issue | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained |
| | | activity found in the last 90 | |
| | | days -- score normalized to 6 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Packaging | packaging workflow detected | Info: Project packages | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging |
| | | | its releases by way | |
| | | | of GitHub Actions.: | |
| | | | .github/workflows/release.yml:125 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 7 / 10 | Pinned-Dependencies | dependency not pinned by hash | Warn: pipCommand not pinned by hash: | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies |
| | | detected -- score normalized | .github/workflows/deploy-docs.yml:24 | |
| | | to 7 | Warn: pipCommand not pinned by hash: | |
| | | | .github/workflows/deploy-docs.yml:25 | |
| | | | Warn: pipCommand not pinned by | |
| | | | hash: .github/workflows/main.yml:113 | |
| | | | Warn: pipCommand not pinned by hash: | |
| | | | .github/workflows/release.yml:63 | |
| | | | Info: 23 out of 23 GitHub-owned | |
| | | | GitHubAction dependencies pinned | |
| | | | Info: 7 out of 7 third-party | |
| | | | GitHubAction dependencies pinned | |
| | | | Info: 0 out of 4 pipCommand | |
| | | | dependencies pinned | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10 | SAST | SAST tool detected but not run | Info: SAST configuration | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast |
| | | on all commits | detected: CodeQL Warn: 26 | |
| | | | commits out of 30 are checked | |
| | | | with a SAST tool | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Security-Policy | security policy file detected | Info: security policy file | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy |
| | | | detected: SECURITY.md:1 | |
| | | | Info: Found linked content: | |
| | | | SECURITY.md:1 Info: Found | |
| | | | disclosure, vulnerability, | |
| | | | and/or timelines in security | |
| | | | policy: SECURITY.md:1 Info: | |
| | | | Found text in security policy: | |
| | | | SECURITY.md:1 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Signed-Releases | Project has not signed or | Warn: release artifact v3.26.2 not signed: | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases |
| | | included provenance with any | https://api.github.com/repos/intel/ittapi/releases/227042543 | |
| | | releases. | Warn: release artifact v3.26.1 not signed: | |
| | | | https://api.github.com/repos/intel/ittapi/releases/216594023 | |
| | | | Warn: release artifact v3.26.0 not signed: | |
| | | | https://api.github.com/repos/intel/ittapi/releases/216548973 | |
| | | | Warn: release artifact v3.25.5 not signed: | |
| | | | https://api.github.com/repos/intel/ittapi/releases/202131831 | |
| | | | Warn: release artifact v3.25.4 not signed: | |
| | | | https://api.github.com/repos/intel/ittapi/releases/194641855 | |
| | | | Warn: release artifact v3.26.2 does not have provenance: | |
| | | | https://api.github.com/repos/intel/ittapi/releases/227042543 | |
| | | | Warn: release artifact v3.26.1 does not have provenance: | |
| | | | https://api.github.com/repos/intel/ittapi/releases/216594023 | |
| | | | Warn: release artifact v3.26.0 does not have provenance: | |
| | | | https://api.github.com/repos/intel/ittapi/releases/216548973 | |
| | | | Warn: release artifact v3.25.5 does not have provenance: | |
| | | | https://api.github.com/repos/intel/ittapi/releases/202131831 | |
| | | | Warn: release artifact v3.25.4 does not have provenance: | |
| | | | https://api.github.com/repos/intel/ittapi/releases/194641855 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Token-Permissions | GitHub workflow tokens follow | Info: jobLevel 'actions' | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions |
| | | principle of least privilege | permission set to 'read': | |
| | | | .github/workflows/codeql.yml:20 | |
| | | | Info: jobLevel 'contents' | |
| | | | permission set to 'read': | |
| | | | .github/workflows/codeql.yml:21 | |
| | | | Info: jobLevel 'contents' | |
| | | | permission set to 'read': | |
| | | | .github/workflows/codeql.yml:62 | |
| | | | Warn: jobLevel 'contents' | |
| | | | permission set to 'write': | |
| | | | .github/workflows/release.yml:76 | |
| | | | Info: topLevel 'contents' | |
| | | | permission set to 'read': | |
| | | | .github/workflows/codeql.yml:13 | |
| | | | Info: topLevel 'contents' | |
| | | | permission set to 'read': | |
| | | | .github/workflows/deploy-docs.yml:11 | |
| | | | Info: topLevel 'contents' | |
| | | | permission set to 'read': | |
| | | | .github/workflows/main.yml:13 | |
| | | | Info: topLevel 'contents' | |
| | | | permission set to 'read': | |
| | | | .github/workflows/release.yml:9 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | 0 existing vulnerabilities | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities |
| | | detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| simdutf = dict( | ||
| project_name = "simdutf", | ||
| project_desc = "Unicode validation and transcoding at billions of characters per second", | ||
| project_url = "https://github.com/simdutf/simdutf", | ||
| # Same version as used by V8 | ||
| version = "6.1.0", | ||
| sha256 = "ef2903a7f085090c58f3acfa93a62733ae92a3f9b1d50800edec77a6816d7d67", | ||
| urls = ["https://github.com/simdutf/simdutf/archive/refs/tags/v{version}.tar.gz"], | ||
| strip_prefix = "simdutf-{version}", | ||
| use_category = ["dataplane_ext"], | ||
| extensions = ["envoy.wasm.runtime.v8"], | ||
| release_date = "2024-10-25", | ||
| cpe = "N/A", | ||
| ), |
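Review bot: the integrity of this entry rests entirely on the `sha256 = "ef2903a7..."` line, because the scorecard output further down reports that simdutf releases are neither signed nor published with provenance, so nothing else anchors the tarball; please state in the PR description how that hash was obtained (a fresh download of the `v6.1.0` archive from the listed `urls` entry, compared against the value V8 pins) rather than relying on the `# Same version as used by V8` comment alone. Two smaller points on the same block: `cpe = "N/A"` should be confirmed as a deliberate choice rather than a default, and `release_date = "2024-10-25"` should be checked against the actual date of the v6.1.0 tag rather than the date the entry was written.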
./scorecard --show-details --repo github.com/simdutf/simdutf
RESULTS
-------
Aggregate score: 5.3 / 10
Check scores:
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Branch-Protection | branch protection not enabled | Warn: branch protection not | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection |
| | | on development/release | enabled for branch 'master' | |
| | | branches | | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 8 / 10 | CI-Tests | 16 out of 18 merged PRs | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests |
| | | checked by a CI test -- score | |
| | | normalized to 8 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices |
| | | best practices badge detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 3 / 10 | Code-Review | Found 11/30 approved | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review |
| | | changesets -- score normalized | |
| | | to 3 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors | project has 23 contributing | Info: found contributions | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors |
| | | companies or organizations | from: FastFilter, | |
| | | | RoaringBitmap, ada-url, | |
| | | | bits-and-blooms, cloudflare, | |
| | | | cloudflare-whatwg, fast-pack, | |
| | | | fastfloat, flarelabs-net, | |
| | | | h3js, malijs, nodejs, | |
| | | | openjs-foundation, pkgjs, | |
| | | | pnpm, primus, relevantfruit, | |
| | | | simdjson, simdutf, université | |
| | | | du québec (teluq), unshiftio, | |
| | | | web-platform-tests, websockets | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Dangerous-Workflow | no dangerous workflow patterns | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow |
| | | detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Dependency-Update-Tool | no update tool detected | Warn: no dependency update | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool |
| | | | tool configurations found | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Fuzzing | project is fuzzed | Info: OSSFuzz integration | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing |
| | | | found Info: CppLibFuzzer | |
| | | | integration found: | |
| | | | fuzz/atomic_base64.cpp:391 | |
| | | | Info: CppLibFuzzer integration | |
| | | | found: fuzz/base64.cpp:162 | |
| | | | Info: CppLibFuzzer integration | |
| | | | found: fuzz/conversion.cpp:639 | |
| | | | Info: CppLibFuzzer integration | |
| | | | found: fuzz/main.cpp:14 Info: | |
| | | | CppLibFuzzer integration | |
| | | | found: fuzz/main.cpp:31 Info: | |
| | | | CppLibFuzzer integration | |
| | | | found: fuzz/misc.cpp:156 | |
| | | | Info: CppLibFuzzer integration | |
| | | | found: fuzz/roundtrip.cpp:28 | |
| | | | Info: CppLibFuzzer integration | |
| | | | found: fuzz/roundtrip.cpp:588 | |
| | | | Info: CppLibFuzzer | |
| | | | integration found: | |
| | | | tests/random_fuzzer.cpp:680 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | License | license file detected | Info: project has a license | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license |
| | | | file: LICENSE-APACHE:0 | |
| | | | Info: FSF or OSI recognized | |
| | | | license: Apache License 2.0: | |
| | | | LICENSE-APACHE:0 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained | 30 commit(s) and 26 issue | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained |
| | | activity found in the last 90 | |
| | | days -- score normalized to 10 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Packaging | packaging workflow not | Warn: no GitHub/GitLab | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging |
| | | detected | publishing workflow detected. | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Pinned-Dependencies | dependency not pinned by hash | Warn: GitHub-owned GitHubAction not pinned by hash: | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies |
| | | detected -- score normalized | .github/workflows/aarch64.yml:15: update your workflow using | |
| | | to 0 | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/aarch64.yml/master?enable=pin Warn: | |
| | | | third-party GitHubAction not pinned by hash: .github/workflows/aarch64.yml:16: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/aarch64.yml/master?enable=pin Warn: | |
| | | | GitHub-owned GitHubAction not pinned by hash: .github/workflows/alpine.yml:9: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/alpine.yml/master?enable=pin Warn: | |
| | | | GitHub-owned GitHubAction not pinned by hash: .github/workflows/armv7.yml:15: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/armv7.yml/master?enable=pin Warn: | |
| | | | third-party GitHubAction not pinned by hash: .github/workflows/armv7.yml:16: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/armv7.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/atomic_fuzz.yml:18: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/atomic_fuzz.yml/master?enable=pin Warn: | |
| | | | third-party GitHubAction not pinned by hash: .github/workflows/cifuzz.yml:13: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/cifuzz.yml/master?enable=pin Warn: | |
| | | | third-party GitHubAction not pinned by hash: .github/workflows/cifuzz.yml:18: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/cifuzz.yml/master?enable=pin Warn: | |
| | | | GitHub-owned GitHubAction not pinned by hash: .github/workflows/cifuzz.yml:25: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/cifuzz.yml/master?enable=pin Warn: | |
| | | | GitHub-owned GitHubAction not pinned by hash: .github/workflows/cifuzz.yml:32: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/cifuzz.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/clangformat.yml:14: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/clangformat.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/clangformat.yml:32: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/clangformat.yml/master?enable=pin Warn: | |
| | | | GitHub-owned GitHubAction not pinned by hash: .github/workflows/debian.yml:19: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/debian.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/documentation.yml:21: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/documentation.yml/master?enable=pin | |
| | | | Warn: third-party GitHubAction not pinned by hash: | |
| | | | .github/workflows/documentation.yml:27: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/documentation.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/loongarch64-gcc-14.2.yml:15: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/loongarch64-gcc-14.2.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/macos-latest.yml:15: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/macos-latest.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/msys2-clang.yml:38: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/msys2-clang.yml/master?enable=pin | |
| | | | Warn: third-party GitHubAction not pinned by hash: | |
| | | | .github/workflows/msys2-clang.yml:39: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/msys2-clang.yml/master?enable=pin Warn: | |
| | | | GitHub-owned GitHubAction not pinned by hash: .github/workflows/msys2.yml:38: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/msys2.yml/master?enable=pin Warn: | |
| | | | third-party GitHubAction not pinned by hash: .github/workflows/msys2.yml:39: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/msys2.yml/master?enable=pin Warn: | |
| | | | GitHub-owned GitHubAction not pinned by hash: .github/workflows/ppc64le.yml:15: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/ppc64le.yml/master?enable=pin Warn: | |
| | | | third-party GitHubAction not pinned by hash: .github/workflows/ppc64le.yml:16: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/ppc64le.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/rvv-1024-clang-18.yml:15: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/rvv-1024-clang-18.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/rvv-128-clang-17.yml:15: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/rvv-128-clang-17.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/rvv-256-gcc-14.yml:15: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/rvv-256-gcc-14.yml/master?enable=pin Warn: | |
| | | | GitHub-owned GitHubAction not pinned by hash: .github/workflows/s390x.yml:15: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/s390x.yml/master?enable=pin Warn: | |
| | | | third-party GitHubAction not pinned by hash: .github/workflows/s390x.yml:16: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/s390x.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/ubuntu22-cxx20.yml:20: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/ubuntu22-cxx20.yml/master?enable=pin Warn: | |
| | | | GitHub-owned GitHubAction not pinned by hash: .github/workflows/ubuntu22.yml:22: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/ubuntu22.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/ubuntu22_gcc12.yml:20: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/ubuntu22_gcc12.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/ubuntu22sani.yml:15: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/ubuntu22sani.yml/master?enable=pin Warn: | |
| | | | GitHub-owned GitHubAction not pinned by hash: .github/workflows/ubuntu24.yml:22: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/ubuntu24.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/ubuntu24sani.yml:15: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/ubuntu24sani.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/ubuntu24sani_clang.yml:15: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/ubuntu24sani_clang.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/vs17-arm-ci.yml:17: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/vs17-arm-ci.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/vs17-ci-cxx20.yml:19: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/vs17-ci-cxx20.yml/master?enable=pin Warn: | |
| | | | GitHub-owned GitHubAction not pinned by hash: .github/workflows/vs17-ci.yml:19: update your workflow | |
| | | | using https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/vs17-ci.yml/master?enable=pin | |
| | | | Warn: GitHub-owned GitHubAction not pinned by hash: | |
| | | | .github/workflows/vs17-clang-ci.yml:19: update your workflow using | |
| | | | https://app.stepsecurity.io/secureworkflow/simdutf/simdutf/vs17-clang-ci.yml/master?enable=pin Warn: | |
| | | | containerImage not pinned by hash: riscv/Dockerfile:1: pin your Docker image by updating ubuntu:24.04 | |
| | | | to ubuntu:24.04@sha256:440dcf6a5640b2ae5c77724e68787a906afb8ddee98bf86db94eea8528c2c076 Warn: | |
| | | | containerImage not pinned by hash: scripts/docker/Dockerfile:1: pin your Docker image by updating | |
| | | | ubuntu:24.04 to ubuntu:24.04@sha256:440dcf6a5640b2ae5c77724e68787a906afb8ddee98bf86db94eea8528c2c076 | |
| | | | Info: 3 out of 33 GitHub-owned GitHubAction dependencies pinned Info: 1 out of 10 third-party | |
| | | | GitHubAction dependencies pinned Info: 0 out of 2 containerImage dependencies pinned | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 3 / 10 | SAST | SAST tool is not run on all | Warn: 6 commits out of 18 are | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast |
| | | commits -- score normalized to | checked with a SAST tool | |
| | | 3 | | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Security-Policy | security policy file detected | Info: security policy file | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy |
| | | | detected: SECURITY.md:1 | |
| | | | Info: Found linked content: | |
| | | | SECURITY.md:1 Info: Found | |
| | | | disclosure, vulnerability, | |
| | | | and/or timelines in security | |
| | | | policy: SECURITY.md:1 Info: | |
| | | | Found text in security policy: | |
| | | | SECURITY.md:1 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Signed-Releases | Project has not signed or | Warn: release artifact v7.3.3 not signed: | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases |
| | | included provenance with any | https://api.github.com/repos/simdutf/simdutf/releases/232059391 | |
| | | releases. | Warn: release artifact v7.3.2 not signed: | |
| | | | https://api.github.com/repos/simdutf/simdutf/releases/227883535 | |
| | | | Warn: release artifact v7.3.1 not signed: | |
| | | | https://api.github.com/repos/simdutf/simdutf/releases/226011765 | |
| | | | Warn: release artifact v7.3.0 not signed: | |
| | | | https://api.github.com/repos/simdutf/simdutf/releases/221691155 | |
| | | | Warn: release artifact v7.2.1 not signed: | |
| | | | https://api.github.com/repos/simdutf/simdutf/releases/221261989 | |
| | | | Warn: release artifact v7.3.3 does not have provenance: | |
| | | | https://api.github.com/repos/simdutf/simdutf/releases/232059391 | |
| | | | Warn: release artifact v7.3.2 does not have provenance: | |
| | | | https://api.github.com/repos/simdutf/simdutf/releases/227883535 | |
| | | | Warn: release artifact v7.3.1 does not have provenance: | |
| | | | https://api.github.com/repos/simdutf/simdutf/releases/226011765 | |
| | | | Warn: release artifact v7.3.0 does not have provenance: | |
| | | | https://api.github.com/repos/simdutf/simdutf/releases/221691155 | |
| | | | Warn: release artifact v7.2.1 does not have provenance: | |
| | | | https://api.github.com/repos/simdutf/simdutf/releases/221261989 | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Token-Permissions | detected GitHub workflow | Warn: no topLevel permission defined: | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions |
| | | tokens with excessive | .github/workflows/aarch64.yml:1 | |
| | | permissions | Warn: no topLevel permission defined: | |
| | | | .github/workflows/alpine.yml:1 Warn: | |
| | | | no topLevel permission defined: | |
| | | | .github/workflows/armv7.yml:1 Warn: | |
| | | | no topLevel permission defined: | |
| | | | .github/workflows/atomic_fuzz.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/cifuzz.yml:1 Warn: | |
| | | | no topLevel permission defined: | |
| | | | .github/workflows/clangformat.yml:1 Info: | |
| | | | topLevel 'contents' permission set to | |
| | | | 'read': .github/workflows/debian.yml:10 | |
| | | | Warn: topLevel 'contents' | |
| | | | permission set to 'write': | |
| | | | .github/workflows/documentation.yml:10 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/emscripten.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/loongarch64-gcc-14.2.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/macos-latest.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/msys2-clang.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/msys2.yml:1 Warn: | |
| | | | no topLevel permission defined: | |
| | | | .github/workflows/ppc64le.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/rvv-1024-clang-18.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/rvv-128-clang-17.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/rvv-256-gcc-14.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/s390x.yml:1 Warn: | |
| | | | no topLevel permission defined: | |
| | | | .github/workflows/ubuntu22-cxx20.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/ubuntu22.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/ubuntu22_gcc12.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/ubuntu22sani.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/ubuntu24.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/ubuntu24sani.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/ubuntu24sani_clang.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/vs17-arm-ci.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/vs17-ci-cxx20.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/vs17-ci.yml:1 | |
| | | | Warn: no topLevel permission defined: | |
| | | | .github/workflows/vs17-clang-ci.yml:1 Info: | |
| | | | no jobLevel write permissions found | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | 0 existing vulnerabilities | https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities |
| | | detected | |
|---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
left a comment
A lot of new external dependencies, some with poor to average OSSF Scorecard scores.
I agree it is a mess with deps. We will evaluate this dep next week internally. Also there is someone at Google that is going through this update right now, so please hold off on this one to not duplicate the effort.