Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
Nothing found by this check. ✓
Packages you depend on that have known security holes (CVEs).
CVE-2024-45337 Applications and libraries which misuse connection.serverAuthenticate ...
CVE-2025-15558 docker/cli: Docker CLI for Windows: Privilege escalation via malicious plugin binaries
CVE-2026-34040 Moby: Moby: Authorization bypass vulnerability
CVE-2026-41567 Docker: `PUT /containers/{id}/archive` executes container binary on the host
CVE-2026-42306 Docker: Race condition in docker cp allows bind mount redirection to host path
CVE-2026-33997 moby: docker: github.com/moby/moby: Moby: Privilege validation bypass during plugin installation
CVE-2026-41568 Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
CVE-2026-39882 OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1 ...
CVE-2026-24051 OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking
CVE-2026-39883 opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking
CVE-2025-22869 SSH servers which implement file transfer protocols are vulnerable to ...
CVE-2025-47914 SSH Agent servers do not validate the size of messages when processing ...
CVE-2025-58181 SSH servers parsing GSSAPI authentication requests do not validate the ...
Your dependencies cross-checked against the OSV vulnerability database.
GHSA-v778-237x-gjrc Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto
GHSA-p436-gjf2-799p Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows
GHSA-rg2x-37c3-w2rh Docker: Race condition in docker cp allows bind mount redirection to host path
GHSA-x744-4wpc-v9h2 Moby has AuthZ plugin bypass when provided oversized request bodies
GHSA-x86f-5xw2-fm2r Docker: `PUT /containers/{id}/archive` executes container binary on the host
GHSA-9h8m-3fm2-qjrq OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking
GHSA-hfvc-g4fc-pqhx opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking
GHSA-hcg3-q754-cr77 golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange
GO-2026-4610 Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows in github.com/docker/cli
GO-2026-4883 Moby has an Off-by-one error in its plugin privilege validation in github.com/docker/docker
GO-2026-4887 Moby has AuthZ plugin bypass when provided oversized request bodies in github.com/docker/docker
GHSA-pxq6-2prw-chj9 Moby has an Off-by-one error in its plugin privilege validation
GHSA-vp62-88p7-qqf5 Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
GO-2026-4985 Oversized OTLP HTTP response bodies can cause memory exhaustion in go.opentelemetry.io/otel/exporters/otlp
GHSA-w8rr-5gcm-pp58 opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies
GO-2026-4394 OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk
GO-2024-3321 Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto
GO-2025-3487 Potential denial of service in golang.org/x/crypto
GO-2025-4116 Potential denial of service in golang.org/x/crypto/ssh/agent
GO-2025-4134 Unbounded memory consumption in golang.org/x/crypto/ssh
GO-2025-4135 Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent
GO-2026-5005 Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent
GO-2026-5006 Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent
GO-2026-5013 Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh
GO-2026-5014 Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh
Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
Nothing found by this check. ✓
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
scorecard-overall OpenSSF Scorecard overall: 4.8/10
scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
scorecard-Signed-Releases Signed-Releases scored 0: Project has not signed or included provenance with any releases.
scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions
scorecard-Vulnerabilities Vulnerabilities scored 0: 28 existing vulnerabilities detected