Skip to content

Project Update #113

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Sep 4, 2025
Merged

Project Update #113

merged 3 commits into from
Sep 4, 2025

Conversation

GeekMasher
Copy link
Contributor

No description provided.

@Copilot Copilot AI review requested due to automatic review settings September 4, 2025 13:44
@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 4, 2025
edited
Loading

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
pip/ghastoolkit <= 0.17 🟢 7.2
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests🟢 1010 out of 10 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Code-Review⚠️ 1found 7 unreviewed changesets out of 8 -- score normalized to 1
Contributors🟢 31 different organizations found -- score normalized to 3
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Maintained🟢 1030 commit(s) out of 30 and 5 issue activity out of 6 found in the last 90 days -- score normalized to 10
Packaging🟢 10publishing workflow detected
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
SAST🟢 10SAST tool is run on all commits
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ -1no releases found
Token-Permissions⚠️ 0non read-only tokens detected in GitHub workflows
Vulnerabilities🟢 10no vulnerabilities detected
pip/certifi 2025.8.3 🟢 6.4
Details
CheckScoreReason
Maintained🟢 76 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 7
Code-Review🟢 3Found 1/3 approved changesets -- score normalized to 3
Security-Policy🟢 10security policy file detected
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies🟢 5dependency not pinned by hash detected -- score normalized to 5
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Vulnerabilities🟢 100 existing vulnerabilities detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Packaging🟢 10packaging workflow detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
pip/charset-normalizer 3.4.3 🟢 8.6
Details
CheckScoreReason
Code-Review⚠️ 0Found 0/4 approved changesets -- score normalized to 0
Dependency-Update-Tool🟢 10update tool detected
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Maintained🟢 1030 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 9dependency not pinned by hash detected -- score normalized to 9
CII-Best-Practices🟢 5badge detected: Passing
Vulnerabilities🟢 91 existing vulnerabilities detected
SAST🟢 10SAST tool is run on all commits
License🟢 10license file detected
Signed-Releases🟢 84 out of the last 5 releases have a total of 4 signed artifacts.
Packaging🟢 10packaging workflow detected
Fuzzing🟢 10project is fuzzed
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
CI-Tests🟢 107 out of 7 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 3project has 1 contributing companies or organizations -- score normalized to 3
pip/ghastoolkit 0.17.0 🟢 7.2
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests🟢 1010 out of 10 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Code-Review⚠️ 1found 7 unreviewed changesets out of 8 -- score normalized to 1
Contributors🟢 31 different organizations found -- score normalized to 3
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Maintained🟢 1030 commit(s) out of 30 and 5 issue activity out of 6 found in the last 90 days -- score normalized to 10
Packaging🟢 10publishing workflow detected
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
SAST🟢 10SAST tool is run on all commits
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ -1no releases found
Token-Permissions⚠️ 0non read-only tokens detected in GitHub workflows
Vulnerabilities🟢 10no vulnerabilities detected
pip/idna 3.10 🟢 6.5
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests🟢 1010 out of 10 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Code-Review⚠️ 0Found 1/12 approved changesets -- score normalized to 0
Contributors🟢 10project has 46 contributing companies or organizations
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool⚠️ 0no update tool detected
Fuzzing🟢 10project is fuzzed
License🟢 10license file detected
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Packaging🟢 10packaging workflow detected
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
SAST🟢 8SAST tool is not run on all commits -- score normalized to 8
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Vulnerabilities🟢 100 existing vulnerabilities detected
pip/ratelimit 2.2.1 🟢 3.2
Details
CheckScoreReason
Pinned-Dependencies⚠️ -1no dependencies found
Binary-Artifacts🟢 10no binaries found in the repo
Code-Review⚠️ 1Found 4/26 approved changesets -- score normalized to 1
Dangerous-Workflow⚠️ -1no workflows found
Token-Permissions⚠️ -1No tokens found
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Vulnerabilities🟢 100 existing vulnerabilities detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
pip/requests 2.32.5 🟢 8.4
Details
CheckScoreReason
Maintained🟢 1020 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 10all changesets reviewed
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy🟢 10security policy file detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies🟢 7dependency not pinned by hash detected -- score normalized to 7
License🟢 10license file detected
Fuzzing🟢 10project is fuzzed
Packaging⚠️ -1packaging workflow not detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
Vulnerabilities🟢 91 existing vulnerabilities detected
SAST🟢 9SAST tool detected but not run on all commits
pip/semantic-version 2.10.0 🟢 3.8
Details
CheckScoreReason
Code-Review⚠️ 0Found 2/25 approved changesets -- score normalized to 0
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
Vulnerabilities🟢 100 existing vulnerabilities detected
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
pip/urllib3 2.5.0 🟢 9
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
CI-Tests🟢 1028 out of 28 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices🟢 5badge detected: Passing
Code-Review🟢 9Found 19/21 approved changesets -- score normalized to 9
Contributors🟢 10project has 124 contributing companies or organizations
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Fuzzing🟢 10project is fuzzed
License🟢 10license file detected
Maintained🟢 1030 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10
Packaging🟢 10packaging workflow detected
Pinned-Dependencies🟢 7dependency not pinned by hash detected -- score normalized to 7
SAST🟢 10SAST tool is run on all commits
Security-Policy🟢 10security policy file detected
Signed-Releases🟢 63 out of the last 5 releases have a total of 3 signed artifacts.
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Vulnerabilities🟢 100 existing vulnerabilities detected

Scanned Files

  • Pipfile
  • Pipfile.lock

@GeekMasher GeekMasher merged commit f647e1e into main Sep 4, 2025
5 checks passed
@GeekMasher GeekMasher deleted the project-update branch September 4, 2025 13:48
Copilot
Copilot AI reviewed Sep 4, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR updates project ownership and dependencies, transitioning maintainership from an individual to a team and adding a new dependency.

  • Updates project maintainership from individual (@GeekMasher) to team (@advanced-security/oss-maintainers)
  • Adds ghastoolkit dependency with version constraint
  • Removes Python version requirement from Pipfile

Reviewed Changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.

File Description
Pipfile Adds ghastoolkit dependency and removes Python version requirement
.github/dependabot.yml Updates reviewers from individual to team maintainers
.github/CODEOWNERS Changes code ownership from individual to team

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Pipfile
@@ -5,16 +5,15 @@ name = "pypi"

[packages]
pyyaml = "*"
ghastoolkit = "<=0.17"
Copy link
Preview

Copilot AI Sep 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The version constraint <=0.17 allows any version up to and including 0.17, which could include older versions with potential security vulnerabilities or bugs. Consider using a more restrictive constraint like ~=0.17.0 or >=0.17.0,<0.18.0 to pin to a specific minor version range.

Suggested change
ghastoolkit = "<=0.17"
ghastoolkit = ">=0.17.0,<0.18.0"

Copilot uses AI. Check for mistakes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@GeekMasher