OpenSSF Scorecard: detailed baseline findings
Date: 2026-05-19
Aggregate score: 5.0 / 10
Commit: 037773502b74
Scorecard version: v5.5.0
Tracking issue: vergil-project/vergil-tooling#828
Scores by check

| Score | Check | Reason |
|---|---|---|
| ⚪ -1/10 | Packaging | packaging workflow not detected |
| 🔴 0/10 | CII-Best-Practices | no effort to earn an OpenSSF best practices badge detected |
| 🔴 0/10 | Code-Review | Found 0/25 approved changesets |
| 🔴 0/10 | Contributors | project has 0 contributing companies or organizations |
| 🔴 0/10 | Dependency-Update-Tool | no update tool detected |
| 🔴 0/10 | Fuzzing | project is not fuzzed |
| 🔴 0/10 | Pinned-Dependencies | dependency not pinned by hash detected |
| 🔴 0/10 | Signed-Releases | Project has not signed or included provenance with any releases. |
| 🔴 0/10 | Token-Permissions | detected GitHub workflow tokens with excessive permissions |
| 🔴 4/10 | Branch-Protection | branch protection is not maximal on development and all release branches |
| 🟡 9/10 | Vulnerabilities | 1 existing vulnerabilities detected |
| 🟢 10/10 | Binary-Artifacts | no binaries found in the repo |
| 🟢 10/10 | CI-Tests | 25 out of 25 merged PRs checked by a CI test |
| 🟢 10/10 | Dangerous-Workflow | no dangerous workflow patterns detected |
| 🟢 10/10 | License | license file detected |
| 🟢 10/10 | Maintained | 30 commit(s) and 30 issue activity found in the last 90 days |
| 🟢 10/10 | SAST | SAST tool is run on all commits |
| 🟢 10/10 | Security-Policy | security policy file detected |
Detailed findings
Packaging (-1/10)
Reason: packaging workflow not detected
Warnings:
no GitHub/GitLab publishing workflow detected.
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#packaging
CII-Best-Practices (0/10)
Reason: no effort to earn an OpenSSF best practices badge detected
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#cii-best-practices
Code-Review (0/10)
Reason: Found 0/25 approved changesets -- score normalized to 0
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#code-review
Contributors (0/10)
Reason: project has 0 contributing companies or organizations -- score normalized to 0
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#contributors
Dependency-Update-Tool (0/10)
Reason: no update tool detected
Warnings:
no dependency update tool configurations found
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#dependency-update-tool
Fuzzing (0/10)
Reason: project is not fuzzed
Warnings:
no fuzzer integrations found
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#fuzzing
Pinned-Dependencies (0/10)
Reason: dependency not pinned by hash detected -- score normalized to 0
Warnings:
third-party GitHubAction not pinned by hash: .github/workflows/cd.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-python/cd.yml/develop?enable=pin
third-party GitHubAction not pinned by hash: .github/workflows/cd.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-python/cd.yml/develop?enable=pin
third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:109: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-python/ci.yml/develop?enable=pin
third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-python/ci.yml/develop?enable=pin
GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-python/ci.yml/develop?enable=pin
third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-python/ci.yml/develop?enable=pin
third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-python/ci.yml/develop?enable=pin
third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:87: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-python/ci.yml/develop?enable=pin
third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:93: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-python/ci.yml/develop?enable=pin
third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:103: update your workflow using https://app.stepsecurity.io/secureworkflow/mq-rest-admin-project/mq-rest-admin-python/ci.yml/develop?enable=pin
Info details (2 items)
0 out of 1 GitHub-owned GitHubAction dependencies pinned
0 out of 9 third-party GitHubAction dependencies pinned
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#pinned-dependencies
Signed-Releases (0/10)
Reason: Project has not signed or included provenance with any releases.
Warnings:
release artifact v1.2.2 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-python/releases/292113730
release artifact v1.2.1 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-python/releases/292088251
release artifact v1.2.0 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-python/releases/290056680
release artifact v1.1.11 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-python/releases/289524223
release artifact v1.1.10 not signed: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-python/releases/289016990
release artifact v1.2.2 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-python/releases/292113730
release artifact v1.2.1 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-python/releases/292088251
release artifact v1.2.0 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-python/releases/290056680
release artifact v1.1.11 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-python/releases/289524223
release artifact v1.1.10 does not have provenance: https://api.github.com/repos/mq-rest-admin-project/mq-rest-admin-python/releases/289016990
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#signed-releases
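Signing a release only helps a consumer who verifies it, and a valid signature alone does not prove the file came from this project's build. The script below is an added example (not the project's code and not Scorecard's) of the checks that remain after the signature is verified: that the SLSA provenance statement names the exact bytes in hand, that it was produced by this repository's workflow, and that the builder is one we trust. It assumes the in-toto v1 statement layout that SLSA v1 provenance generators emit, an expected builder id of `https://github.com/actions/runner/github-hosted` (an assumption about GitHub-hosted runners), and the repository named in the warnings above. The artifact bytes, file name and statement are constructed for the example; the digest in the statement is computed, not copied. Verifying the DSSE/Sigstore envelope itself is out of scope here: run `gh attestation verify <file> --owner <org>` or cosign first, then these checks on the statement it returns.

```python
"""Post-signature checks a consumer should run against SLSA provenance for a
release artifact. Added example, not the project's code. Assumes the in-toto
v1 statement layout of SLSA v1 provenance; signature verification is left to
gh attestation verify / cosign."""
import hashlib

IN_TOTO_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"

# Assumed values for this example: the repository named in the findings and
# the builder id GitHub-hosted runners are assumed to emit.
EXPECTED_REPO = "https://github.com/mq-rest-admin-project/mq-rest-admin-python"
EXPECTED_BUILDER = "https://github.com/actions/runner/github-hosted"

# Constructed artifact; not a real release file.
ARTIFACT_NAME = "mq_rest_admin-1.2.2.tar.gz"
ARTIFACT = b"constructed sdist bytes, not a real release\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed statement whose subject digest is computed from ARTIFACT above.
STATEMENT = {
    "_type": IN_TOTO_V1,
    "subject": [{"name": ARTIFACT_NAME, "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "externalParameters": {
                "workflow": {
                    "ref": "refs/tags/v1.2.2",
                    "repository": EXPECTED_REPO,
                    "path": ".github/workflows/cd.yml",
                }
            }
        },
        "runDetails": {"builder": {"id": EXPECTED_BUILDER}},
    },
}


def verify_provenance(statement, artifact_name, artifact, expected_repo, expected_builder):
    """Return a list of problems; an empty list means the statement vouches for this artifact."""
    problems = []
    if statement.get("_type") != IN_TOTO_V1:
        problems.append(f"not an in-toto v1 statement: {statement.get('_type')!r}")
    if statement.get("predicateType") != SLSA_V1:
        problems.append(f"unexpected predicateType: {statement.get('predicateType')!r}")

    # 1. The file in hand must be one of the subjects, byte for byte.
    actual = sha256_hex(artifact)
    listed = {s.get("name"): s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if listed.get(artifact_name) != actual:
        problems.append(f"subject digest mismatch for {artifact_name}: "
                        f"provenance lists {listed.get(artifact_name)}, file is {actual}")

    # 2. A valid signature from *some* repository is not enough: the provenance
    #    must come from this project's own workflow on a builder we trust.
    predicate = statement.get("predicate", {})
    workflow = predicate.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    if workflow.get("repository") != expected_repo:
        problems.append(f"provenance built from {workflow.get('repository')!r}, expected {expected_repo!r}")
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id", "")
    if builder != expected_builder:
        problems.append(f"builder id {builder!r} is not the expected {expected_builder!r}")
    return problems


if __name__ == "__main__":
    ok = verify_provenance(STATEMENT, ARTIFACT_NAME, ARTIFACT, EXPECTED_REPO, EXPECTED_BUILDER)
    bad = verify_provenance(STATEMENT, ARTIFACT_NAME, ARTIFACT + b"\x00", EXPECTED_REPO, EXPECTED_BUILDER)
    print("genuine artifact:", ok or "no problems")
    print("tampered artifact:", bad)
```

The digest comparison is the check that catches a swapped tarball; the repository and builder comparisons are what stop an attacker from attaching a perfectly valid attestation from a different repository to this project's release. Note that Scorecard's Packaging check found no publishing workflow in this repository, so there is currently no workflow in which this provenance would be generated.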
Token-Permissions (0/10)
Reason: detected GitHub workflow tokens with excessive permissions
Warnings:
jobLevel 'contents' permission set to 'write': .github/workflows/cd.yml:25
jobLevel 'security-events' permission set to 'write': .github/workflows/ci.yml:100
topLevel 'contents' permission set to 'write': .github/workflows/cd.yml:11
Info details (2 items)
jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:99
topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:16
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#token-permissions
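The Pinned-Dependencies and Token-Permissions findings above are both properties of the workflow files and both are cheap to check locally before the next Scorecard run. The script below is an added example, not Scorecard's code and not the project's, that lints a workflow for the two: every `uses:` reference that is not a full 40-hex commit SHA (a tag such as `@v4` is mutable, so a compromised or force-pushed tag changes what the job runs), and every `permissions` scope set to `write`, labelled `topLevel` or `jobLevel` by where it is declared. It is stdlib-only and scans lines rather than parsing YAML, so it assumes the usual layout (one `uses:` per line, `permissions:` mappings indented under the workflow root or under a job). The sample workflow is constructed for the example; the 40-hex ref on the `setup-python` line is a placeholder, not a real commit. It reports every write scope, which is stricter than Scorecard's own allow-list; the fix pattern it illustrates is `contents: read` at the top level, with a write scope granted only on the single job that needs it.

```python
"""Offline lint of a GitHub Actions workflow for two Scorecard findings:
actions not pinned to a commit SHA, and GITHUB_TOKEN write scopes.
Added example, not Scorecard's code. Line-oriented; assumes the common layout."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                # a full commit SHA is the only immutable ref
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERMS_RE = re.compile(r"^(\s*)permissions:\s*(\S*)\s*$")
SCOPE_RE = re.compile(r"^(\s*)([a-z-]+):\s*(read|write|none)\s*$")
GITHUB_OWNED = {"actions", "github"}                  # owners reported as GitHub-owned

# Constructed sample workflow; the 40-hex ref below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: cd
on:
  push:
    tags: ["v*"]
permissions:
  contents: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@v1
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
  publish:
    needs: build
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: ./.github/actions/publish
"""


def check_pinning(text):
    """Return (findings, stats); stats[kind] = [pinned, total], as in Scorecard's Info details."""
    findings = []
    stats = {"GitHub-owned": [0, 0], "third-party": [0, 0]}
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local or container actions carry no upstream git ref to pin
        name, _, version = ref.partition("@")
        kind = "GitHub-owned" if name.split("/")[0] in GITHUB_OWNED else "third-party"
        stats[kind][1] += 1
        if SHA_RE.match(version):
            stats[kind][0] += 1
        else:
            findings.append(f"{kind} GitHubAction not pinned by hash: line {n}: {ref}")
    return findings, stats


def check_permissions(text):
    """Report every write scope, labelled topLevel/jobLevel by where it is declared."""
    findings = []
    level = block_indent = None
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PERMS_RE.match(line)
        if m:
            block_indent = len(m.group(1))
            level = "topLevel" if block_indent == 0 else "jobLevel"
            if m.group(2) == "write-all":
                findings.append(f"{level} permissions set to 'write-all': line {n}")
            if m.group(2):            # shorthand (read-all/write-all/{}) has no child mapping
                level = None
            continue
        if level is None:
            continue
        s = SCOPE_RE.match(line)
        if s and len(s.group(1)) > block_indent:
            if s.group(3) == "write":
                findings.append(f"{level} '{s.group(2)}' permission set to 'write': line {n}")
        else:
            level = None              # left the permissions mapping


    return findings


def lint_workflow(text):
    pin_findings, stats = check_pinning(text)
    return {"pinning": pin_findings, "stats": stats, "permissions": check_permissions(text)}


if __name__ == "__main__":
    report = lint_workflow(SAMPLE_WORKFLOW)
    for f in report["pinning"] + report["permissions"]:
        print(f)
    for kind, (pinned, total) in report["stats"].items():
        print(f"{pinned} out of {total} {kind} GitHubAction dependencies pinned")
```

Run it over each file in `.github/workflows/` (for example by reading the file and passing its text to `lint_workflow`). When pinning, keep the human-readable version as a trailing comment (`@<sha> # v4`) so that a dependency-update tool, which the Dependency-Update-Tool finding shows is also missing here, can bump the SHA and the comment together.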
Branch-Protection (4/10)
Reason: branch protection is not maximal on development and all release branches
Warnings:
branch 'develop' does not require approvers
codeowners review is not required on branch 'develop'
'last push approval' is disabled on branch 'develop'
Info details (7 items)
'allow deletion' disabled on branch 'develop'
'force pushes' disabled on branch 'develop'
'branch protection settings apply to administrators' is required to merge on branch 'develop'
'stale review dismissal' is required to merge on branch 'develop'
'up-to-date branches' is required to merge on branch 'develop'
status check found to merge onto on branch 'develop'
PRs are required in order to make changes on branch 'develop'
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#branch-protection
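The three warnings above mean a pull request to `develop` can be merged with no approving review at all, which is consistent with the Code-Review check finding 0/25 approved changesets. The function below is an added example, not Scorecard's code, that evaluates a branch's protection settings against the same settings Scorecard reports on, using the JSON shape returned by `gh api repos/OWNER/REPO/branches/BRANCH/protection` (fields such as `required_pull_request_reviews`, `enforce_admins`, `required_status_checks`, `allow_force_pushes`, `allow_deletions`). The two inputs are constructed: one mirrors what the findings imply `develop` looks like today, the other is the same branch with the three warnings closed. The approver threshold is a parameter because Scorecard's top tier expects two approving reviews rather than one.

```python
"""Evaluate GitHub branch protection against the settings Scorecard's
Branch-Protection check reports on. Added example, not Scorecard's code.
Input is the JSON of GET /repos/{owner}/{repo}/branches/{branch}/protection."""


def branch_protection_gaps(protection, branch, min_approvers=1):
    """Return the list of gaps; an empty list means every setting checked here is on."""
    gaps = []
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        gaps.append(f"PRs are not required to make changes on branch '{branch}'")
    else:
        if reviews.get("required_approving_review_count", 0) < min_approvers:
            gaps.append(f"branch '{branch}' does not require approvers")
        if not reviews.get("require_code_owner_reviews"):
            gaps.append(f"codeowners review is not required on branch '{branch}'")
        if not reviews.get("require_last_push_approval"):
            gaps.append(f"'last push approval' is disabled on branch '{branch}'")
        if not reviews.get("dismiss_stale_reviews"):
            gaps.append(f"'stale review dismissal' is not required on branch '{branch}'")
    if not protection.get("enforce_admins", {}).get("enabled"):
        gaps.append(f"branch protection settings do not apply to administrators on branch '{branch}'")
    checks = protection.get("required_status_checks")
    if not checks or not checks.get("contexts"):
        gaps.append(f"no status check required to merge onto branch '{branch}'")
    elif not checks.get("strict"):
        gaps.append(f"'up-to-date branches' is not required on branch '{branch}'")
    if protection.get("allow_force_pushes", {}).get("enabled"):
        gaps.append(f"'force pushes' enabled on branch '{branch}'")
    if protection.get("allow_deletions", {}).get("enabled"):
        gaps.append(f"'allow deletion' enabled on branch '{branch}'")
    return gaps


# Constructed: what the findings above imply 'develop' looks like today.
DEVELOP_NOW = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 0,
        "require_code_owner_reviews": False,
        "require_last_push_approval": False,
        "dismiss_stale_reviews": True,
    },
    "enforce_admins": {"enabled": True},
    "required_status_checks": {"strict": True, "contexts": ["ci"]},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

# Constructed: the same branch after closing the three warnings.
DEVELOP_HARDENED = {
    **DEVELOP_NOW,
    "required_pull_request_reviews": {
        **DEVELOP_NOW["required_pull_request_reviews"],
        "required_approving_review_count": 1,
        "require_code_owner_reviews": True,
        "require_last_push_approval": True,
    },
}


if __name__ == "__main__":
    for label, cfg in (("now", DEVELOP_NOW), ("hardened", DEVELOP_HARDENED)):
        gaps = branch_protection_gaps(cfg, "develop")
        print(f"{label}: {gaps or 'no gaps'}")
```

`require_last_push_approval` matters even once approvals are required: without it, an author can obtain an approval and then push further commits that merge under that stale approval. Code-owner review only has an effect if a `CODEOWNERS` file exists, so the setting and the file go in together.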
Vulnerabilities (9/10)
Reason: 1 existing vulnerabilities detected
Warnings:
Project is vulnerable to: https://osv.dev/GHSA-65pc-fj4g-8rjx
Documentation: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#vulnerabilities