Skip to content

hotfix: improve documentation for deployment with configured security#197

Merged
Pasichniuk merged 1 commit intorelease-0.14from
hotfix/add-docs
Mar 5, 2026
Merged

hotfix: improve documentation for deployment with configured security#197
Pasichniuk merged 1 commit intorelease-0.14from
hotfix/add-docs

Conversation

@Pasichniuk
Copy link
Collaborator

@Pasichniuk Pasichniuk commented Mar 5, 2026
edited
Loading

Description of changes

Original PR: #183

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@daryapyskwork @tataranovich @Pasichniuk
chore: add deployment guide with full security model (#183)
f546923 
Co-authored-by: Andrey Tataranovich <andrei_tataranovich@epam.com>
Co-authored-by: Vladyslav Pasichniuk <vladyslav_pasichniuk@epam.com>
(cherry picked from commit a303532)
@Pasichniuk Pasichniuk requested a review from daryapyskwork March 5, 2026 13:00
@Pasichniuk Pasichniuk self-assigned this Mar 5, 2026
@ai-dial-actions
Copy link
Contributor

ai-dial-actions commented Mar 5, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 102 package(s) with unknown licenses.
  • ⚠️ 14 packages with OpenSSF Scorecard issues.
See the Details below.

Snapshot Warnings

⚠️: The number of snapshots compared for the base SHA (0) and the head SHA (1) do not match. You may see unexpected additions in the diff.
Re-running this action after a short time may resolve the issue. See the documentation for more information and troubleshooting advice.

License Issues

settings.gradle

PackageVersionLicenseIssue Type
biz.aQute.bnd:biz.aqute.bnd.annotation7.1.0NullUnknown License
com.fasterxml.jackson.core:jackson-core2.21.1NullUnknown License
com.fasterxml.jackson.core:jackson-databind2.21.1NullUnknown License
com.fasterxml.jackson.dataformat:jackson-dataformat-cbor2.21.1NullUnknown License
com.fasterxml.jackson.dataformat:jackson-dataformat-yaml2.21.1NullUnknown License
com.fasterxml.jackson.datatype:jackson-datatype-jdk82.21.1NullUnknown License
com.fasterxml.jackson.datatype:jackson-datatype-jsr3102.21.1NullUnknown License
com.fasterxml.jackson.module:jackson-module-parameter-names2.21.1NullUnknown License
com.fasterxml.jackson:jackson-bom2.21.1NullUnknown License
com.github.javaparser:javaparser-core3.27.1NullUnknown License
com.gradle:common-custom-user-data-gradle-plugin2.1NullUnknown License
com.gradle:develocity-gradle-plugin4.2NullUnknown License
com.zaxxer:hikaricp6.3.3NullUnknown License
io.fabric8.java-generator:io.fabric8.java-generator.gradle.plugin7.5.2NullUnknown License
io.fabric8:generator-annotations7.5.2NullUnknown License
io.fabric8:java-generator-core7.5.2NullUnknown License
io.fabric8:knative-client7.5.2NullUnknown License
io.fabric8:knative-model7.5.2NullUnknown License
io.fabric8:kubernetes-client-api7.5.2NullUnknown License
io.fabric8:kubernetes-httpclient-vertx7.5.2NullUnknown License
io.fabric8:kubernetes-model-admissionregistration7.5.2NullUnknown License
io.fabric8:kubernetes-model-apiextensions7.5.2NullUnknown License
io.fabric8:kubernetes-model-apps7.5.2NullUnknown License
io.fabric8:kubernetes-model-autoscaling7.5.2NullUnknown License
io.fabric8:kubernetes-model-batch7.5.2NullUnknown License
io.fabric8:kubernetes-model-certificates7.5.2NullUnknown License
io.fabric8:kubernetes-model-common7.5.2NullUnknown License
io.fabric8:kubernetes-model-coordination7.5.2NullUnknown License
io.fabric8:kubernetes-model-core7.5.2NullUnknown License
io.fabric8:kubernetes-model-discovery7.5.2NullUnknown License
io.fabric8:kubernetes-model-events7.5.2NullUnknown License
io.fabric8:kubernetes-model-extensions7.5.2NullUnknown License
io.fabric8:kubernetes-model-flowcontrol7.5.2NullUnknown License
io.fabric8:kubernetes-model-gatewayapi7.5.2NullUnknown License
io.fabric8:kubernetes-model-metrics7.5.2NullUnknown License
io.fabric8:kubernetes-model-networking7.5.2NullUnknown License
io.fabric8:kubernetes-model-node7.5.2NullUnknown License
io.fabric8:kubernetes-model-policy7.5.2NullUnknown License
io.fabric8:kubernetes-model-rbac7.5.2NullUnknown License
io.fabric8:kubernetes-model-resource7.5.2NullUnknown License
io.fabric8:kubernetes-model-scheduling7.5.2NullUnknown License
io.fabric8:kubernetes-model-storageclass7.5.2NullUnknown License
io.fabric8:zjsonpatch7.5.2NullUnknown License
io.modelcontextprotocol.sdk:mcp0.15.0NullUnknown License
io.modelcontextprotocol.sdk:mcp-core0.15.0NullUnknown License
io.modelcontextprotocol.sdk:mcp-json0.15.0NullUnknown License
io.modelcontextprotocol.sdk:mcp-json-jackson20.15.0NullUnknown License
io.netty:netty-buffer4.1.130.FinalNullUnknown License
io.netty:netty-codec4.1.130.FinalNullUnknown License
io.netty:netty-codec-compression4.2.8.FinalNullUnknown License
io.netty:netty-codec-dns4.1.130.FinalNullUnknown License
io.netty:netty-codec-http4.1.130.FinalNullUnknown License
io.netty:netty-codec-http24.1.130.FinalNullUnknown License
io.netty:netty-codec-socks4.1.130.FinalNullUnknown License
io.netty:netty-common4.1.130.FinalNullUnknown License
io.netty:netty-handler4.1.130.FinalNullUnknown License
io.netty:netty-handler-proxy4.1.130.FinalNullUnknown License
io.netty:netty-resolver4.1.130.FinalNullUnknown License
io.netty:netty-resolver-dns4.1.130.FinalNullUnknown License
io.netty:netty-resolver-dns-classes-macos4.1.130.FinalNullUnknown License
io.netty:netty-resolver-dns-native-macos4.1.130.FinalNullUnknown License
io.netty:netty-transport4.1.130.FinalNullUnknown License
io.netty:netty-transport-native-epoll4.1.130.FinalNullUnknown License
io.netty:netty-transport-native-unix-common4.1.130.FinalNullUnknown License
io.opentelemetry.contrib:opentelemetry-aws-resources1.42.0-alphaNullUnknown License
io.opentelemetry.contrib:opentelemetry-gcp-resources1.42.0-alphaNullUnknown License
io.opentelemetry.instrumentation:opentelemetry-instrumentation-bom2.12.0NullUnknown License
io.opentelemetry:opentelemetry-bom1.46.0NullUnknown License
io.sundr:builder-annotations0.230.1NullUnknown License
io.sundr:resourcecify-annotations0.230.1NullUnknown License
io.sundr:sundr-adapter-api0.230.1NullUnknown License
io.sundr:sundr-adapter-apt0.230.1NullUnknown License
io.sundr:sundr-adapter-reflect0.230.1NullUnknown License
io.sundr:sundr-core0.230.1NullUnknown License
io.sundr:sundr-model0.230.1NullUnknown License
io.sundr:sundr-model-base0.230.1NullUnknown License
io.sundr:sundr-model-repo0.230.1NullUnknown License
io.sundr:sundr-model-utils0.230.1NullUnknown License
io.vertx:vertx-auth-common4.5.24NullUnknown License
io.vertx:vertx-core4.5.24NullUnknown License
io.vertx:vertx-web-client4.5.24NullUnknown License
io.vertx:vertx-web-common4.5.24NullUnknown License
jakarta.xml.bind:jakarta.xml.bind-api4.0.4NullUnknown License
net.sf.saxon:saxon-he12.5NullUnknown License
org.apache.tomcat.embed:tomcat-embed-el10.1.50NullUnknown License
org.flywaydb:flyway-sqlserver11.14.0NullUnknown License
org.hdrhistogram:hdrhistogram2.2.2NullUnknown License
org.junit:junit-bom5.12.2NullUnknown License
org.latencyutils:latencyutils2.0.3NullUnknown License
org.springframework.boot:spring-boot-buildpack-platform3.5.10NullUnknown License
org.springframework.boot:spring-boot-dependencies3.5.10NullUnknown License
org.springframework.boot:spring-boot-gradle-plugin3.5.10NullUnknown License
org.springframework.boot:spring-boot-loader-tools3.5.10NullUnknown License
org.springframework.boot:spring-boot-testcontainers3.5.10NullUnknown License
org.springframework:spring-aspects6.2.15NullUnknown License
org.springframework:spring-jdbc6.2.15NullUnknown License
org.springframework:spring-orm6.2.15NullUnknown License
org.springframework:spring-test6.2.15NullUnknown License
org.springframework:spring-tx6.2.15NullUnknown License
org.springframework:spring-web6.2.15NullUnknown License
org.springframework:spring-webmvc6.2.15NullUnknown License
org.testcontainers:mssqlserver1.21.4NullUnknown License

OpenSSF Scorecard

Scorecard details
PackageVersionScoreDetails
maven/biz.aQute.bnd:biz.aqute.bnd.annotation 7.1.0 UnknownUnknown
maven/com.amazonaws:aws-java-sdk-core 1.12.777 🟢 6.7
Details
CheckScoreReason
Code-Review⚠️ 0Found 1/28 approved changesets -- score normalized to 0
Maintained🟢 109 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 8detected GitHub workflow tokens with excessive permissions
SAST🟢 10SAST tool is run on all commits
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
maven/com.amazonaws:aws-java-sdk-sts 1.12.777 🟢 6.7
Details
CheckScoreReason
Code-Review⚠️ 0Found 1/28 approved changesets -- score normalized to 0
Maintained🟢 109 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 8detected GitHub workflow tokens with excessive permissions
SAST🟢 10SAST tool is run on all commits
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
maven/com.amazonaws:jmespath-java 1.12.777 🟢 6.7
Details
CheckScoreReason
Code-Review⚠️ 0Found 1/28 approved changesets -- score normalized to 0
Maintained🟢 109 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 8detected GitHub workflow tokens with excessive permissions
SAST🟢 10SAST tool is run on all commits
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
maven/com.azure:azure-core 1.56.1 🟢 8.3
Details
CheckScoreReason
Maintained🟢 1030 commit(s) out of 30 and 21 issue activity out of 30 found in the last 90 days -- score normalized to 10
Code-Review🟢 10all last 30 commits are reviewed through GitHub
CII-Best-Practices⚠️ 0no badge detected
Vulnerabilities🟢 10no vulnerabilities detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
Packaging⚠️ -1no published package detected
License🟢 10license file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 10tokens are read-only in GitHub workflows
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
Pinned-Dependencies⚠️ 2dependency not pinned by hash detected -- score normalized to 2
Binary-Artifacts🟢 9binaries present in source code
maven/com.azure:azure-core-http-netty 1.16.1 🟢 8.3
Details
CheckScoreReason
Maintained🟢 1030 commit(s) out of 30 and 21 issue activity out of 30 found in the last 90 days -- score normalized to 10
Code-Review🟢 10all last 30 commits are reviewed through GitHub
CII-Best-Practices⚠️ 0no badge detected
Vulnerabilities🟢 10no vulnerabilities detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
Packaging⚠️ -1no published package detected
License🟢 10license file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 10tokens are read-only in GitHub workflows
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
Pinned-Dependencies⚠️ 2dependency not pinned by hash detected -- score normalized to 2
Binary-Artifacts🟢 9binaries present in source code
maven/com.azure:azure-identity 1.18.0 🟢 8.3
Details
CheckScoreReason
Maintained🟢 1030 commit(s) out of 30 and 21 issue activity out of 30 found in the last 90 days -- score normalized to 10
Code-Review🟢 10all last 30 commits are reviewed through GitHub
CII-Best-Practices⚠️ 0no badge detected
Vulnerabilities🟢 10no vulnerabilities detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
Packaging⚠️ -1no published package detected
License🟢 10license file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 10tokens are read-only in GitHub workflows
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
Pinned-Dependencies⚠️ 2dependency not pinned by hash detected -- score normalized to 2
Binary-Artifacts🟢 9binaries present in source code
maven/com.azure:azure-json 1.5.0 🟢 8.3
Details
CheckScoreReason
Maintained🟢 1030 commit(s) out of 30 and 21 issue activity out of 30 found in the last 90 days -- score normalized to 10
Code-Review🟢 10all last 30 commits are reviewed through GitHub
CII-Best-Practices⚠️ 0no badge detected
Vulnerabilities🟢 10no vulnerabilities detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
Security-Policy🟢 10security policy file detected
Packaging⚠️ -1no published package detected
License🟢 10license file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 10tokens are read-only in GitHub workflows
Dependency-Update-Tool🟢 10update tool detected
Fuzzing⚠️ 0project is not fuzzed
Pinned-Dependencies⚠️ 2dependency not pinned by hash detected -- score normalized to 2
Binary-Artifacts🟢 9binaries present in source code
maven/com.azure:azure-xml 1.2.0 🟢 6.9
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 10all changesets reviewed
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Packaging⚠️ -1packaging workflow not detected
License🟢 10license file detected
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Binary-Artifacts🟢 9binaries present in source code
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
maven/com.ethlo.time:itu 1.10.3 UnknownUnknown
maven/com.fasterxml.jackson.core:jackson-annotations 2.21 UnknownUnknown
maven/com.fasterxml.jackson.core:jackson-core 2.21.1 UnknownUnknown
maven/com.fasterxml.jackson.core:jackson-databind 2.21.1 UnknownUnknown
maven/com.fasterxml.jackson.dataformat:jackson-dataformat-cbor 2.21.1 UnknownUnknown
maven/com.fasterxml.jackson.dataformat:jackson-dataformat-yaml 2.21.1 UnknownUnknown
maven/com.fasterxml.jackson.datatype:jackson-datatype-jdk8 2.21.1 UnknownUnknown
maven/com.fasterxml.jackson.datatype:jackson-datatype-jsr310 2.21.1 UnknownUnknown
maven/com.fasterxml.jackson.module:jackson-module-parameter-names 2.21.1 UnknownUnknown
maven/com.fasterxml.jackson:jackson-bom 2.21.1 UnknownUnknown
maven/com.fasterxml:classmate 1.7.3 UnknownUnknown
maven/com.github.ben-manes.caffeine:caffeine 3.2.3 🟢 9
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10
Code-Review⚠️ 0Found 0/30 approved changesets -- score normalized to 0
CI-Tests⚠️ -1no pull request found
Dependency-Update-Tool🟢 10update tool detected
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
SAST🟢 10SAST tool detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Vulnerabilities🟢 100 existing vulnerabilities detected
CII-Best-Practices🟢 10badge detected: Gold
Pinned-Dependencies🟢 10all dependencies are pinned
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing🟢 10project is fuzzed
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
Contributors🟢 10project has 8 contributing companies or organizations
maven/com.github.docker-java:docker-java-api 3.4.2 🟢 3.7
Details
CheckScoreReason
Code-Review⚠️ 2Found 2/9 approved changesets -- score normalized to 2
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 9binaries present in source code
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
maven/com.github.docker-java:docker-java-transport 3.4.2 🟢 3.7
Details
CheckScoreReason
Code-Review⚠️ 2Found 2/9 approved changesets -- score normalized to 2
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 9binaries present in source code
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
maven/com.github.docker-java:docker-java-transport-zerodep 3.4.2 🟢 3.7
Details
CheckScoreReason
Code-Review⚠️ 2Found 2/9 approved changesets -- score normalized to 2
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 9binaries present in source code
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
maven/com.github.javaparser:javaparser-core 3.27.1 🟢 4.7
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 23 issue activity found in the last 90 days -- score normalized to 10
Code-Review⚠️ 0Found 2/22 approved changesets -- score normalized to 0
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 8binaries present in source code
Security-Policy⚠️ 0security policy file not detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
License🟢 9license file detected
Fuzzing🟢 10project is fuzzed
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
maven/com.google.auth:google-auth-library-credentials 1.29.0 🟢 7.6
Details
CheckScoreReason
Security-Policy🟢 10security policy file detected
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1017 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review🟢 10all changesets reviewed
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
License🟢 10license file detected
Fuzzing🟢 10project is fuzzed
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Signed-Releases⚠️ -1no releases found
SAST🟢 9SAST tool is not run on all commits -- score normalized to 9
maven/com.google.auth:google-auth-library-oauth2-http 1.29.0 🟢 7.6
Details
CheckScoreReason
Security-Policy🟢 10security policy file detected
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1017 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review🟢 10all changesets reviewed
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
License🟢 10license file detected
Fuzzing🟢 10project is fuzzed
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
Signed-Releases⚠️ -1no releases found
SAST🟢 9SAST tool is not run on all commits -- score normalized to 9
maven/com.google.auto.value:auto-value-annotations 1.11.0 🟢 6.8
Details
CheckScoreReason
Code-Review🟢 9Found 29/30 approved changesets -- score normalized to 9
Maintained🟢 1023 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 10all dependencies are pinned
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 10security policy file detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
maven/com.google.cloud.opentelemetry:detector-resources-support 0.33.0 🟢 5.8
Details
CheckScoreReason
Maintained🟢 34 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3
Packaging⚠️ -1packaging workflow not detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Security-Policy🟢 10security policy file detected
Code-Review🟢 10all changesets reviewed
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 8binaries present in source code
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
SAST🟢 9SAST tool detected but not run on all commits
maven/com.google.cloud.tools:jib-build-plan 0.4.0 UnknownUnknown
maven/com.google.cloud.tools:jib-core 0.27.3 UnknownUnknown
maven/com.google.code.findbugs:jsr305 3.0.2 UnknownUnknown
maven/com.google.code.gson:gson 2.8.9 🟢 9.4
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Dependency-Update-Tool🟢 10update tool detected
Maintained🟢 1019 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Code-Review🟢 8Found 20/23 approved changesets -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies🟢 7dependency not pinned by hash detected -- score normalized to 7
License🟢 10license file detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Signed-Releases⚠️ -1no releases found
SAST🟢 10SAST tool is run on all commits
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Fuzzing🟢 10project is fuzzed
Security-Policy🟢 10security policy file detected
Vulnerabilities🟢 100 existing vulnerabilities detected
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 12 contributing companies or organizations
maven/com.google.errorprone:error_prone_annotations 2.43.0 🟢 6.5
Details
CheckScoreReason
Code-Review⚠️ 2Found 6/29 approved changesets -- score normalized to 2
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 10security policy file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
maven/com.google.errorprone:error_prone_annotations 2.36.0 🟢 6.5
Details
CheckScoreReason
Code-Review⚠️ 2Found 6/29 approved changesets -- score normalized to 2
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions🟢 9detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 10security policy file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
maven/com.google.guava:failureaccess 1.0.2 🟢 8.7
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Code-Review⚠️ 0Found 1/30 approved changesets -- score normalized to 0
Binary-Artifacts🟢 9binaries present in source code
Pinned-Dependencies🟢 10all dependencies are pinned
CII-Best-Practices⚠️ 2badge detected: InProgress
Signed-Releases⚠️ -1no releases found
Fuzzing🟢 10project is fuzzed
SAST🟢 9SAST tool is not run on all commits -- score normalized to 9
License🟢 10license file detected
Security-Policy🟢 10security policy file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Vulnerabilities🟢 100 existing vulnerabilities detected
CI-Tests🟢 928 out of 29 merged PRs checked by a CI test -- score normalized to 9
Contributors🟢 10project has 11 contributing companies or organizations
maven/com.google.guava:guava 33.4.0-jre 🟢 8.7
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Code-Review⚠️ 0Found 1/30 approved changesets -- score normalized to 0
Binary-Artifacts🟢 9binaries present in source code
Pinned-Dependencies🟢 10all dependencies are pinned
CII-Best-Practices⚠️ 2badge detected: InProgress
Signed-Releases⚠️ -1no releases found
Fuzzing🟢 10project is fuzzed
SAST🟢 9SAST tool is not run on all commits -- score normalized to 9
License🟢 10license file detected
Security-Policy🟢 10security policy file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Vulnerabilities🟢 100 existing vulnerabilities detected
CI-Tests🟢 928 out of 29 merged PRs checked by a CI test -- score normalized to 9
Contributors🟢 10project has 11 contributing companies or organizations
maven/com.google.guava:guava 33.3.1-android 🟢 8.7
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Code-Review⚠️ 0Found 1/30 approved changesets -- score normalized to 0
Binary-Artifacts🟢 9binaries present in source code
Pinned-Dependencies🟢 10all dependencies are pinned
CII-Best-Practices⚠️ 2badge detected: InProgress
Signed-Releases⚠️ -1no releases found
Fuzzing🟢 10project is fuzzed
SAST🟢 9SAST tool is not run on all commits -- score normalized to 9
License🟢 10license file detected
Security-Policy🟢 10security policy file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Vulnerabilities🟢 100 existing vulnerabilities detected
CI-Tests🟢 928 out of 29 merged PRs checked by a CI test -- score normalized to 9
Contributors🟢 10project has 11 contributing companies or organizations
maven/com.google.guava:listenablefuture 9999.0-empty-to-avoid-conflict-with-guava 🟢 8.7
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Code-Review⚠️ 0Found 1/30 approved changesets -- score normalized to 0
Binary-Artifacts🟢 9binaries present in source code
Pinned-Dependencies🟢 10all dependencies are pinned
CII-Best-Practices⚠️ 2badge detected: InProgress
Signed-Releases⚠️ -1no releases found
Fuzzing🟢 10project is fuzzed
SAST🟢 9SAST tool is not run on all commits -- score normalized to 9
License🟢 10license file detected
Security-Policy🟢 10security policy file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Vulnerabilities🟢 100 existing vulnerabilities detected
CI-Tests🟢 928 out of 29 merged PRs checked by a CI test -- score normalized to 9
Contributors🟢 10project has 11 contributing companies or organizations
maven/com.google.http-client:google-http-client 1.45.0 🟢 7.3
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Code-Review🟢 10all changesets reviewed
Contributors🟢 10project has 12 contributing companies or organizations
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Fuzzing🟢 10project is fuzzed
License🟢 10license file detected
Maintained🟢 810 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies⚠️ 1dependency not pinned by hash detected -- score normalized to 1
SAST🟢 8SAST tool is not run on all commits -- score normalized to 8
Security-Policy🟢 10security policy file detected
Signed-Releases⚠️ -1no releases found
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Vulnerabilities⚠️ 28 existing vulnerabilities detected
maven/com.google.http-client:google-http-client-apache-v2 1.42.2 🟢 7.3
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Code-Review🟢 10all changesets reviewed
Contributors🟢 10project has 12 contributing companies or organizations
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Dependency-Update-Tool🟢 10update tool detected
Fuzzing🟢 10project is fuzzed
License🟢 10license file detected
Maintained🟢 810 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies:warni...*[Comment body truncated]*

@Pasichniuk Pasichniuk merged commit 4f497c1 into release-0.14 Mar 5, 2026
9 of 10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@daryapyskwork daryapyskwork daryapyskwork approved these changes

@siarhei-fedziukovich siarhei-fedziukovich Awaiting requested review from siarhei-fedziukovich siarhei-fedziukovich is a code owner

Assignees

@Pasichniuk Pasichniuk

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Pasichniuk @ai-dial-actions @daryapyskwork