gitsafehub
github.com/redis/redis-ai-research-public ↗

redis/redis-ai-research-public

scanned 2026-07-08 · git 11c6ce6
3 of 6 checks flagged a security issue
🔴 Needs attention
6 checks ran. Start with known oss vulnerabilities below.

Informational scan, not a security audit. How this is computed.

Leaked secrets28Vulnerable dependencies66Known OSS vulnerabilities117Risky code patternsMalicious dependenciesProject health10

Security checks

Leaked secrets — Gitleaks 28 found · 28 serious

API keys, passwords or tokens committed into the repo.

  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/README.md:88
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/README.md:94
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/README.md:100
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/README.md:106
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/README.md:148
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/README.md:154
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/README.md:160
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/README.md:239
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/quickstart.md:40
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/quickstart.md:49
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/quickstart.md:50
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/quickstart.md:78
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/quickstart.md:106
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/quickstart.md:112
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/quickstart.md:118
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/quickstart.md:122
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/quickstart.md:17
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/quickstart.md:27
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/quickstart.md:40
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/checks.md:82
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/checks.md:86
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/checks.md:92
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/checks.md:98
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/checks.md:100
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
  • Serious curl-auth-header Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.
    coding-agents/checks.md:104
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.
… 3 more not shown

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 66 found · 2 serious

Packages you depend on that have known security holes (CVEs).

  • Serious CVE-2026-35002 Agno is vulnerable to Eval Injection
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-35002). Fix: Update that package to its patched version.
  • Serious CVE-2026-32871 fastmcp: FastMCP: Authenticated Server-Side Request Forgery via path traversal in OpenAPI path parameters
    opencode-spec-optimization/uv.lock
    A package you depend on has a known security hole (CVE-2026-32871). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-32274 black: Black: Arbitrary file writes from unsanitized user input in cache file name
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-32274). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-68146 filelock: filelock: Time-of-Check-Time-of-Use (TOCTOU) race condition and symlink attack allows arbitrary file corruption or truncation
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2025-68146). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-22701 filelock: filelock Time-of-Check-Time-of-Use (TOCTOU) in SoftFileLock
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-22701). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-66034 fonttools: fontTools: Arbitrary file write leading to remote code execution via malicious .designspace file
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2025-66034). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42215 GitPython is a python library used to interact with Git repositories. ...
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-42215). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42284 GitPython is a python library used to interact with Git repositories. ...
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-42284). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44243 GitPython: GitPython: Arbitrary file write via crafted reference paths
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-44243). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-44244 GitPython is a python library used to interact with Git repositories. ...
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-44244). Fix: Update that package to its patched version.
  • Worth fixing GHSA-mv93-w799-cj2w GitPython: Newline injection in config_writer() section parameter bypasses CVE-2026-42215 patch, enabling RCE via core.hooksPath
    learning-agents/uv.lock
    A package you depend on has a known security hole (GHSA-mv93-w799-cj2w). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-45409 Internationalized Domain Names in Applications (IDNA) for Python provi ...
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-45409). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-25990 pillow: Pillow: Out-of-bounds Write via Specially Crafted PSD Image
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-25990). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-40192 Pillow: Pillow: Denial of Service via decompression bomb in FITS image processing
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-40192). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42311 Pillow: python-pillow: Pillow: Arbitrary code execution via malicious PSD file processing
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-42311). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42308 Pillow: python: Pillow: Denial of Service via integer overflow in font processing
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-42308). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42309 Pillow: Pillow: Denial of Service via specially crafted coordinate input
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-42309). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42310 Pillow: Pillow: Denial of Service via malicious PDF processing
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-42310). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-23490 pyasn1: pyasn1: Denial of Service due to memory exhaustion from malformed RELATIVE-OID
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-23490). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-30922 pyasn1: pyasn1 Vulnerable to Denial of Service via Unbounded Recursion
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-30922). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-28684 python-dotenv: python-dotenv: Arbitrary file overwrite via symbolic link following
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-28684). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-24486 python-multipart: Python-Multipart: Arbitrary file write via path traversal vulnerability
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-24486). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-42561 python-multipart: python-multipart: Denial of Service via excessive multipart part headers
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-42561). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-53539 Python-Multipart is a streaming multipart parser for Python. Prior to ...
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-53539). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-40347 python-multipart: Python-Multipart: Denial of Service via crafted multipart/form-data requests
    learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-40347). Fix: Update that package to its patched version.
… 41 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 117 found · 6 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious PYSEC-2026-256 Agno is vulnerable to Eval Injection
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-35002). Fix: Update that package to its patched version.
  • Serious PYSEC-2026-366 Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-44727). Fix: Update that package to its patched version.
  • Serious GHSA-mqcg-5x36-vfcg JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-42557). Fix: Update that package to its patched version.
  • Serious GHSA-mqcg-5x36-vfcg JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-42557). Fix: Update that package to its patched version.
  • Serious PYSEC-2026-36 cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Pytho
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/opencode-spec-optimization/uv.lock
    A package you depend on has a known security hole (CVE-2026-39892). Fix: Update that package to its patched version.
  • Serious PYSEC-2026-338 FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/opencode-spec-optimization/uv.lock
    A package you depend on has a known security hole (CVE-2026-32871). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2026-215 Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/coding-agents/requirements.txt
    A package you depend on has a known security hole (CVE-2026-45409). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2018-28 The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to dis
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/coding-agents/requirements.txt
    A package you depend on has a known security hole (CVE-2018-18074). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2023-74 Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `re
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/coding-agents/requirements.txt
    A package you depend on has a known security hole (CVE-2023-32681). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2026-1872 Requests vulnerable to .netrc credentials leak via malicious URLs
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/coding-agents/requirements.txt
    A package you depend on has a known security hole (CVE-2024-47081). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2026-1873 Requests `Session` object does not verify requests after making first request with verify=False
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/coding-agents/requirements.txt
    A package you depend on has a known security hole (CVE-2024-35195). Fix: Update that package to its patched version.
  • Worth fixing GHSA-gc5v-m9x4-r6x2 Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/coding-agents/requirements.txt
    A package you depend on has a known security hole (CVE-2026-25645). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2017-74 The tqdm._version module in tqdm versions 4.4.1 and 4.10 allows local users to execute arbitrary code via a crafted repo with a malicious git log in the current working directory.
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/coding-agents/requirements.txt
    A package you depend on has a known security hole (CVE-2016-10075). Fix: Update that package to its patched version.
  • Worth fixing GHSA-82m5-3pcp-hccq agno contains a SQL injection vulnerability
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-10105). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3936-cmfr-pm3m Black: Arbitrary file writes from unsanitized user input in cache file name
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-32274). Fix: Update that package to its patched version.
  • Worth fixing GHSA-gj48-438w-jh9v Bleach clean() / Cleaner() fails to sanitize dangerous URI schemes in allowed formaction attributes
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/learning-agents/uv.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2026-1374 filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-22701). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2026-1375 filelock has a TOCTOU race condition which allows symlink attacks during lock file creation
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2025-68146). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2026-1389 fontTools is Vulnerable to Arbitrary File Write and XML injection in fontTools.varLib
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2025-66034). Fix: Update that package to its patched version.
  • Worth fixing GHSA-7545-fcxq-7j24 GitPython reference APIs has a path traversal vulnerability that allows arbitrary file write and delete outside the repository
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-44243). Fix: Update that package to its patched version.
  • Worth fixing GHSA-mv93-w799-cj2w GitPython: Newline injection in config_writer() section parameter bypasses CVE-2026-42215 patch, enabling RCE via core.hooksPath
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/learning-agents/uv.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-rpm5-65cw-6hj4 GitPython has Command Injection via Git options bypass
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-42215). Fix: Update that package to its patched version.
  • Worth fixing GHSA-v87r-6q3f-2j67 GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-44244). Fix: Update that package to its patched version.
  • Worth fixing GHSA-x2qx-6953-8485 GitPython: Unsafe option check validates multi_options before shlex.split transformation
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-42284). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2026-215 Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior
    /workdirs/scan-98fb631a-6528-4f68-b727-8e3d8ff2fbfe/learning-agents/uv.lock
    A package you depend on has a known security hole (CVE-2026-45409). Fix: Update that package to its patched version.
… 92 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 10 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Worth fixing scorecard-overall OpenSSF Scorecard overall: 1.8/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CI-Tests CI-Tests scored 0: 0 out of 7 merged PRs checked by a CI test -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Code-Review Code-Review scored 0: Found 0/8 approved changesets -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Maintained Maintained scored 0: project was created within the last 90 days. Please review its contents carefully
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.