OpenSSF Scorecard: detailed baseline findings
Date: 2026-05-19
Aggregate score: 5.0 / 10
Commit: 628508a70f66
Scorecard version: v5.5.0
Tracking issue: vergil-project/vergil-tooling#828
Scores by check
| Score |
Check |
Reason |
| ⚪ -1/10 |
Packaging |
packaging workflow not detected |
| 🔴 0/10 |
CII-Best-Practices |
no effort to earn an OpenSSF best practices badge detected |
| 🔴 0/10 |
Code-Review |
Found 0/25 approved changesets |
| 🔴 0/10 |
Contributors |
project has 0 contributing companies or organizations |
| 🔴 0/10 |
Dependency-Update-Tool |
no update tool detected |
| 🔴 0/10 |
Fuzzing |
project is not fuzzed |
| 🔴 0/10 |
Pinned-Dependencies |
dependency not pinned by hash detected |
| 🔴 0/10 |
Signed-Releases |
Project has not signed or included provenance with any releases. |
| 🔴 0/10 |
Token-Permissions |
detected GitHub workflow tokens with excessive permissions |
| 🔴 4/10 |
Branch-Protection |
branch protection is not maximal on development and all release branches |
| 🟢 10/10 |
Binary-Artifacts |
no binaries found in the repo |
| 🟢 10/10 |
CI-Tests |
25 out of 25 merged PRs checked by a CI test |
| 🟢 10/10 |
Dangerous-Workflow |
no dangerous workflow patterns detected |
| 🟢 10/10 |
License |
license file detected |
| 🟢 10/10 |
Maintained |
30 commit(s) and 30 issue activity found in the last 90 days |
| 🟢 10/10 |
SAST |
SAST tool is run on all commits |
| 🟢 10/10 |
Security-Policy |
security policy file detected |
| 🟢 10/10 |
Vulnerabilities |
0 existing vulnerabilities detected |
Detailed findings
Packaging (-1/10)
Reason: packaging workflow not detected
Warnings:
no GitHub/GitLab publishing workflow detected.
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#packaging
CII-Best-Practices (0/10)
Reason: no effort to earn an OpenSSF best practices badge detected
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#cii-best-practices
Code-Review (0/10)
Reason: Found 0/25 approved changesets -- score normalized to 0
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#code-review
Contributors (0/10)
Reason: project has 0 contributing companies or organizations -- score normalized to 0
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#contributors
Dependency-Update-Tool (0/10)
Reason: no update tool detected
Warnings:
no dependency update tool configurations found
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#dependency-update-tool
Fuzzing (0/10)
Reason: project is not fuzzed
Warnings:
no fuzzer integrations found
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#fuzzing
Pinned-Dependencies (0/10)
Reason: dependency not pinned by hash detected -- score normalized to 0
Warnings:
third-party GitHubAction not pinned by hash: .github/workflows/cd.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/cd.yml/develop?enable=pin
third-party GitHubAction not pinned by hash: .github/workflows/cd.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/cd.yml/develop?enable=pin
third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pin
GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pin
GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pin
third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pin
third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:86: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pin
third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:92: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pin
third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:102: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pin
third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:108: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pin
Info details (2 items)
0 out of 2 GitHub-owned GitHubAction dependencies pinned
0 out of 8 third-party GitHubAction dependencies pinned
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#pinned-dependencies
Signed-Releases (0/10)
Reason: Project has not signed or included provenance with any releases.
Warnings:
release artifact v1.2.1 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/292135019
release artifact v1.2.0 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/290062482
release artifact v1.1.7 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/289524979
release artifact v1.1.6 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/289026104
release artifact v1.1.4 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/287237627
release artifact v1.2.1 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/292135019
release artifact v1.2.0 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/290062482
release artifact v1.1.7 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/289524979
release artifact v1.1.6 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/289026104
release artifact v1.1.4 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/287237627
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#signed-releases
Token-Permissions (0/10)
Reason: detected GitHub workflow tokens with excessive permissions
Warnings:
jobLevel 'contents' permission set to 'write': .github/workflows/cd.yml:24
jobLevel 'security-events' permission set to 'write': .github/workflows/ci.yml:99
topLevel 'contents' permission set to 'write': .github/workflows/cd.yml:11
Info details (2 items)
jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:98
topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:28
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#token-permissions
Branch-Protection (4/10)
Reason: branch protection is not maximal on development and all release branches
Warnings:
branch 'develop' does not require approvers
codeowners review is not required on branch 'develop'
'last push approval' is disabled on branch 'develop'
Info details (7 items)
'allow deletion' disabled on branch 'develop'
'force pushes' disabled on branch 'develop'
'branch protection settings apply to administrators' is required to merge on branch 'develop'
'stale review dismissal' is required to merge on branch 'develop'
'up-to-date branches' is required to merge on branch 'develop'
status check found to merge onto on branch 'develop'
PRs are required in order to make changes on branch 'develop'
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#branch-protection
OpenSSF Scorecard: detailed baseline findings
Date: 2026-05-19
Aggregate score: 5.0 / 10
Commit:
628508a70f66Scorecard version: v5.5.0
Tracking issue: vergil-project/vergil-tooling#828
Scores by check
Detailed findings
Packaging (-1/10)
Reason: packaging workflow not detected
Warnings:
no GitHub/GitLab publishing workflow detected.Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#packaging
CII-Best-Practices (0/10)
Reason: no effort to earn an OpenSSF best practices badge detected
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#cii-best-practices
Code-Review (0/10)
Reason: Found 0/25 approved changesets -- score normalized to 0
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#code-review
Contributors (0/10)
Reason: project has 0 contributing companies or organizations -- score normalized to 0
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#contributors
Dependency-Update-Tool (0/10)
Reason: no update tool detected
Warnings:
no dependency update tool configurations foundDocumentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#dependency-update-tool
Fuzzing (0/10)
Reason: project is not fuzzed
Warnings:
no fuzzer integrations foundDocumentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#fuzzing
Pinned-Dependencies (0/10)
Reason: dependency not pinned by hash detected -- score normalized to 0
Warnings:
third-party GitHubAction not pinned by hash: .github/workflows/cd.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/cd.yml/develop?enable=pinthird-party GitHubAction not pinned by hash: .github/workflows/cd.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/cd.yml/develop?enable=pinthird-party GitHubAction not pinned by hash: .github/workflows/ci.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pinGitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pinGitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pinthird-party GitHubAction not pinned by hash: .github/workflows/ci.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pinthird-party GitHubAction not pinned by hash: .github/workflows/ci.yml:86: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pinthird-party GitHubAction not pinned by hash: .github/workflows/ci.yml:92: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pinthird-party GitHubAction not pinned by hash: .github/workflows/ci.yml:102: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pinthird-party GitHubAction not pinned by hash: .github/workflows/ci.yml:108: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pinInfo details (2 items)
0 out of 2 GitHub-owned GitHubAction dependencies pinned0 out of 8 third-party GitHubAction dependencies pinnedDocumentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#pinned-dependencies
Signed-Releases (0/10)
Reason: Project has not signed or included provenance with any releases.
Warnings:
release artifact v1.2.1 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/292135019release artifact v1.2.0 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/290062482release artifact v1.1.7 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/289524979release artifact v1.1.6 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/289026104release artifact v1.1.4 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/287237627release artifact v1.2.1 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/292135019release artifact v1.2.0 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/290062482release artifact v1.1.7 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/289524979release artifact v1.1.6 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/289026104release artifact v1.1.4 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/287237627Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#signed-releases
Token-Permissions (0/10)
Reason: detected GitHub workflow tokens with excessive permissions
Warnings:
jobLevel 'contents' permission set to 'write': .github/workflows/cd.yml:24jobLevel 'security-events' permission set to 'write': .github/workflows/ci.yml:99topLevel 'contents' permission set to 'write': .github/workflows/cd.yml:11Info details (2 items)
jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:98topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:28Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#token-permissions
Branch-Protection (4/10)
Reason: branch protection is not maximal on development and all release branches
Warnings:
branch 'develop' does not require approverscodeowners review is not required on branch 'develop''last push approval' is disabled on branch 'develop'Info details (7 items)
'allow deletion' disabled on branch 'develop''force pushes' disabled on branch 'develop''branch protection settings apply to administrators' is required to merge on branch 'develop''stale review dismissal' is required to merge on branch 'develop''up-to-date branches' is required to merge on branch 'develop'status check found to merge onto on branch 'develop'PRs are required in order to make changes on branch 'develop'Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#branch-protection