Skip to content

OpenSSF Scorecard: detailed baseline findings (2026-05-19) #304

Description

@wphillipmoore

OpenSSF Scorecard: detailed baseline findings

Date: 2026-05-19
Aggregate score: 5.0 / 10
Commit: 628508a70f66
Scorecard version: v5.5.0
Tracking issue: vergil-project/vergil-tooling#828

Scores by check

Score Check Reason
⚪ -1/10 Packaging packaging workflow not detected
🔴 0/10 CII-Best-Practices no effort to earn an OpenSSF best practices badge detected
🔴 0/10 Code-Review Found 0/25 approved changesets
🔴 0/10 Contributors project has 0 contributing companies or organizations
🔴 0/10 Dependency-Update-Tool no update tool detected
🔴 0/10 Fuzzing project is not fuzzed
🔴 0/10 Pinned-Dependencies dependency not pinned by hash detected
🔴 0/10 Signed-Releases Project has not signed or included provenance with any releases.
🔴 0/10 Token-Permissions detected GitHub workflow tokens with excessive permissions
🔴 4/10 Branch-Protection branch protection is not maximal on development and all release branches
🟢 10/10 Binary-Artifacts no binaries found in the repo
🟢 10/10 CI-Tests 25 out of 25 merged PRs checked by a CI test
🟢 10/10 Dangerous-Workflow no dangerous workflow patterns detected
🟢 10/10 License license file detected
🟢 10/10 Maintained 30 commit(s) and 30 issue activity found in the last 90 days
🟢 10/10 SAST SAST tool is run on all commits
🟢 10/10 Security-Policy security policy file detected
🟢 10/10 Vulnerabilities 0 existing vulnerabilities detected

Detailed findings

Packaging (-1/10)

Reason: packaging workflow not detected

Warnings:

  • no GitHub/GitLab publishing workflow detected.

Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#packaging

CII-Best-Practices (0/10)

Reason: no effort to earn an OpenSSF best practices badge detected

Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#cii-best-practices

Code-Review (0/10)

Reason: Found 0/25 approved changesets -- score normalized to 0

Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#code-review

Contributors (0/10)

Reason: project has 0 contributing companies or organizations -- score normalized to 0

Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#contributors

Dependency-Update-Tool (0/10)

Reason: no update tool detected

Warnings:

  • no dependency update tool configurations found

Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#dependency-update-tool

Fuzzing (0/10)

Reason: project is not fuzzed

Warnings:

  • no fuzzer integrations found

Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#fuzzing

Pinned-Dependencies (0/10)

Reason: dependency not pinned by hash detected -- score normalized to 0

Warnings:

  • third-party GitHubAction not pinned by hash: .github/workflows/cd.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/cd.yml/develop?enable=pin
  • third-party GitHubAction not pinned by hash: .github/workflows/cd.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/cd.yml/develop?enable=pin
  • third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pin
  • GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pin
  • GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pin
  • third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pin
  • third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:86: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pin
  • third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:92: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pin
  • third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:102: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pin
  • third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:108: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-java/ci.yml/develop?enable=pin
Info details (2 items)
  • 0 out of 2 GitHub-owned GitHubAction dependencies pinned
  • 0 out of 8 third-party GitHubAction dependencies pinned

Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#pinned-dependencies

Signed-Releases (0/10)

Reason: Project has not signed or included provenance with any releases.

Warnings:

  • release artifact v1.2.1 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/292135019
  • release artifact v1.2.0 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/290062482
  • release artifact v1.1.7 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/289524979
  • release artifact v1.1.6 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/289026104
  • release artifact v1.1.4 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/287237627
  • release artifact v1.2.1 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/292135019
  • release artifact v1.2.0 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/290062482
  • release artifact v1.1.7 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/289524979
  • release artifact v1.1.6 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/289026104
  • release artifact v1.1.4 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-java/releases/287237627

Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#signed-releases

Token-Permissions (0/10)

Reason: detected GitHub workflow tokens with excessive permissions

Warnings:

  • jobLevel 'contents' permission set to 'write': .github/workflows/cd.yml:24
  • jobLevel 'security-events' permission set to 'write': .github/workflows/ci.yml:99
  • topLevel 'contents' permission set to 'write': .github/workflows/cd.yml:11
Info details (2 items)
  • jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:98
  • topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:28

Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#token-permissions

Branch-Protection (4/10)

Reason: branch protection is not maximal on development and all release branches

Warnings:

  • branch 'develop' does not require approvers
  • codeowners review is not required on branch 'develop'
  • 'last push approval' is disabled on branch 'develop'
Info details (7 items)
  • 'allow deletion' disabled on branch 'develop'
  • 'force pushes' disabled on branch 'develop'
  • 'branch protection settings apply to administrators' is required to merge on branch 'develop'
  • 'stale review dismissal' is required to merge on branch 'develop'
  • 'up-to-date branches' is required to merge on branch 'develop'
  • status check found to merge onto on branch 'develop'
  • PRs are required in order to make changes on branch 'develop'

Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#branch-protection

Metadata

Metadata

Assignees

No one assigned

    Labels

    triageUncurated intake; not yet folded into the epic/task model

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions