GitHub Actions Score

Score

The actions security score. The highest rating is 10.

License

Verifies the presence of a published license in standard locations. A clear license is crucial for security reviews, audits, and mitigating legal risks for users.

Maintained

Project activity is assessed based on recent commits and issue engagement. Active maintenance is crucial for ongoing security and functionality.

Vulnerabilities

Dependencies are monitored for vulnerabilities and updated periodically to address identified issues promptly.

Branch protection

Checks if default and release branches are protected using GitHub’s branch protection or repository rules. Ensures defined workflows, such as required reviews or status checks, are enforced before merging.

Manual code review

Verifies that code changes are reviewed by at least one person other than the author. This practice enhances code quality and security through additional oversight.

Secure publishinng

Verifies that secure deployment practices are in place, including deployment review, reproducible builds, and generation of SBOM and provenance.

Signed commits

All code contributions are made with signed commits, enforced through branch protection to ensure code authenticity and integrity.

Automated security tools

Verifies the use of automated tools like SAST, SCA, and security scorecards on each change and periodically. Checks if responses are triaged promptly to maintain security standards.

Popular

Checks if the action is widely used by other open source projects. Higher usage can indicate community trust and more thorough vetting.

Security policy

Verifies the presence of a SECURITY.md file in standard locations. This policy provides secure reporting methods, ensuring responsible disclosure.