GitHub

gitcoinco/web

772 forks

2k stars

Description

Grow Open Source

Homepage

https://github.com/gitcoinco/web

Project metadata as of October 2, 2025.

OpenSSF scorecard

The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.

View information about checks and how to fix failures.

Score

3.8/10

Scorecard as of July 7, 2025.

Maintained

0/10

Determines if the project is "actively maintained".

Reasoning

0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0

Code-Review

7/10

Determines if the project requires human code review before pull requests (aka merge requests) are merged.

Reasoning

Found 23/30 approved changesets -- score normalized to 7

CII-Best-Practices

0/10

Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.

Reasoning

no effort to earn an OpenSSF best practices badge detected

Token-Permissions

0/10

Determines if the project's workflows follow the principle of least privilege.

Reasoning

detected GitHub workflow tokens with excessive permissions

Dangerous-Workflow

10/10

Determines if the project's GitHub Action workflows avoid dangerous patterns.

Reasoning

no dangerous workflow patterns detected

License

9/10

Determines if the project has defined a license.

Reasoning

license file detected

Security-Policy

0/10

Determines if the project has published a security policy.

Reasoning

security policy file not detected

Binary-Artifacts

9/10

Determines if the project has generated executable (binary) artifacts in the source repository.

Reasoning

binaries present in source code

SAST

7/10

Determines if the project uses static code analysis.

Reasoning

SAST tool detected but not run on all commits

Fuzzing

0/10

Determines if the project uses fuzzing.

Reasoning

project is not fuzzed

Pinned-Dependencies

0/10

Determines if the project has declared and pinned the dependencies of its build process.

Reasoning

dependency not pinned by hash detected -- score normalized to 0

Vulnerabilities

0/10

Determines if the project has open, known unfixed vulnerabilities.

Reasoning

100 existing vulnerabilities detected

This site uses cookies from Google to deliver its services and to analyze traffic.

Pinned-Dependencies

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-prod.yml:201: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-prod.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-prod.yml:204: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-prod.yml/master?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-prod.yml:221: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-prod.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-prod.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-prod.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-prod.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-prod.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-prod.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-prod.yml/master?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-prod.yml:128: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-prod.yml/master?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-prod.yml:135: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-prod.yml/master?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-prod.yml:138: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-prod.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-review-cleanup.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-review-cleanup.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-review-cleanup.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-review-cleanup.yml/master?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-review-cleanup.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-review-cleanup.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-review.yml:161: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-review.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-review.yml:173: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-review.yml/master?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-review.yml:189: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-review.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-review.yml:209: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-review.yml/master?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-review.yml:225: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-review.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-review.yml:297: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-review.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-review.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-review.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-review.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-review.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-review.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-review.yml/master?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-review.yml:108: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-review.yml/master?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-review.yml:121: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-review.yml/master?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-review.yml:128: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-review.yml/master?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-review.yml:131: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-review.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-review.yml:141: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-review.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-stage.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-stage.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-stage.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-stage.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-stage.yml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-stage.yml/master?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-stage.yml:120: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-stage.yml/master?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-stage.yml:127: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-stage.yml/master?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-stage.yml:130: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-stage.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-stage.yml:169: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-stage.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-stage.yml:177: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-stage.yml/master?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-stage.yml:193: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-stage.yml/master?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci-stage.yml:202: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci-stage.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci.yml/master?enable=pin

Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:114: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/ci.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/codeql-analysis.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/codeql-analysis.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/codeql-analysis.yml/master?enable=pin

Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/gitcoinco/web/codeql-analysis.yml/master?enable=pin

Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating ubuntu:18.04 to ubuntu:18.04@sha256:152dc042452c496007f07ca9127571cb9c29697f42acbfad72324b2bb2e43c98

Warn: containerImage not pinned by hash: Dockerfile-prod:1

Warn: containerImage not pinned by hash: Dockerfile-prod:76: pin your Docker image by updating ubuntu:18.04 to ubuntu:18.04@sha256:152dc042452c496007f07ca9127571cb9c29697f42acbfad72324b2bb2e43c98

Warn: containerImage not pinned by hash: ops/images/job/Dockerfile:1: pin your Docker image by updating python:3.7-alpine3.8 to python:3.7-alpine3.8@sha256:3491d1abd29b3f87ca5cb1afd34bc696855a2403df1ff854da55cb6754af1ff8

Warn: containerImage not pinned by hash: ops/images/kubectl/Dockerfile:2

Warn: pipCommand not pinned by hash: Dockerfile:50

Warn: pipCommand not pinned by hash: Dockerfile:54

Warn: pipCommand not pinned by hash: Dockerfile-prod:37

Warn: pipCommand not pinned by hash: Dockerfile-prod:41

Warn: pipCommand not pinned by hash: Dockerfile-prod:105

Warn: pipCommand not pinned by hash: Dockerfile-prod:109

Warn: pipCommand not pinned by hash: ops/images/job/Dockerfile:17-19

Warn: pipCommand not pinned by hash: scripts/deploy.bash:56

Warn: pipCommand not pinned by hash: .github/workflows/ci-prod.yml:79

Warn: pipCommand not pinned by hash: .github/workflows/ci-prod.yml:96

Warn: npmCommand not pinned by hash: .github/workflows/ci-prod.yml:151

Warn: npmCommand not pinned by hash: .github/workflows/ci-prod.yml:213

Warn: npmCommand not pinned by hash: .github/workflows/ci-review-cleanup.yml:31

Warn: pipCommand not pinned by hash: .github/workflows/ci-review.yml:75

Warn: pipCommand not pinned by hash: .github/workflows/ci-review.yml:92

Warn: npmCommand not pinned by hash: .github/workflows/ci-review.yml:181

Warn: npmCommand not pinned by hash: .github/workflows/ci-review.yml:217

Warn: pipCommand not pinned by hash: .github/workflows/ci-stage.yml:87

Warn: pipCommand not pinned by hash: .github/workflows/ci-stage.yml:104

Warn: npmCommand not pinned by hash: .github/workflows/ci-stage.yml:187

Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:78

Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:95

Info: 0 out of 27 GitHub-owned GitHubAction dependencies pinned

Info: 0 out of 17 third-party GitHubAction dependencies pinned

Info: 0 out of 5 containerImage dependencies pinned

Info: 0 out of 16 pipCommand dependencies pinned

Info: 0 out of 6 npmCommand dependencies pinned

Vulnerabilities

Warn: Project is vulnerable to: GHSA-7v5v-9h63-cj86

Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw

Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h

Warn: Project is vulnerable to: GHSA-g954-5hwp-pp24

Warn: Project is vulnerable to: GHSA-h755-8qp9-cq85

Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw

Warn: Project is vulnerable to: GHSA-776f-qx25-q3cc

Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8

Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92

Warn: Project is vulnerable to: GHSA-v88g-cgmw-v5xw

Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw

Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg

Warn: Project is vulnerable to: GHSA-x9w5-v3q2-3rhw

Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275

Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq

Warn: Project is vulnerable to: GHSA-434g-2637-qmqr

Warn: Project is vulnerable to: GHSA-49q7-c7j4-3p7m

Warn: Project is vulnerable to: GHSA-977x-g7h5-7qgw

Warn: Project is vulnerable to: GHSA-f7q4-pwc6-w24p

Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747

Warn: Project is vulnerable to: GHSA-vjh7-7g9h-fjfh

Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h

Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq

Warn: Project is vulnerable to: GHSA-3rfm-jhwj-7488

Warn: Project is vulnerable to: GHSA-hhq3-ff78-jv3g

Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv

Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3

Warn: Project is vulnerable to: GHSA-h7cp-r72f-jxh6

Warn: Project is vulnerable to: GHSA-v62p-rq8g-8h59

Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j

Warn: Project is vulnerable to: GHSA-h9rv-jmmf-4pgx

Warn: Project is vulnerable to: GHSA-hxcc-f52p-wc94

Warn: Project is vulnerable to: GHSA-vx3p-948g-6vhq

Warn: Project is vulnerable to: GHSA-4wf5-vphf-c2xc

Warn: Project is vulnerable to: GHSA-w5p7-h5w8-2hfq

Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v

Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7

Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp

Warn: Project is vulnerable to: PYSEC-2018-66 / GHSA-562c-5r94-xh97

Warn: Project is vulnerable to: PYSEC-2019-179 / GHSA-5wv5-4vpf-pj6m

Warn: Project is vulnerable to: PYSEC-2023-62 / GHSA-m2qf-hxjv-5gpq

Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6

Warn: Project is vulnerable to: GHSA-f34m-x9pj-62vq

Warn: Project is vulnerable to: GHSA-c2jc-4fpr-4vhg

Warn: Project is vulnerable to: GHSA-fwr7-v2mv-hh25

Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx

Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6

Warn: Project is vulnerable to: GHSA-xq7p-g2vc-g82p

Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7

Warn: Project is vulnerable to: GHSA-vc8w-jr9v-vj7f

Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x

Warn: Project is vulnerable to: GHSA-h452-7996-h45h

Warn: Project is vulnerable to: GHSA-7gc6-qh9x-w6h8

Warn: Project is vulnerable to: GHSA-p3vf-v8qc-cwcr

Warn: Project is vulnerable to: GHSA-gx9m-whjm-85jf

Warn: Project is vulnerable to: GHSA-mmhx-hmjr-r674

Warn: Project is vulnerable to: GHSA-vhxf-7vqr-mrjg

Warn: Project is vulnerable to: GHSA-4gmj-3p3h-gm8h

Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc

Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx

Warn: Project is vulnerable to: GHSA-74fj-2j2h-c42q

Warn: Project is vulnerable to: GHSA-pw2r-vq6v-hr8c

Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc

Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp

Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97

Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j

Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22

Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp

Warn: Project is vulnerable to: GHSA-j9m2-h2pv-wvph

Warn: Project is vulnerable to: GHSA-ffmh-x56j-9rc3

Warn: Project is vulnerable to: GHSA-rrj2-ph5q-jxw2

Warn: Project is vulnerable to: GHSA-896r-f27r-55mw

Warn: Project is vulnerable to: GHSA-6vfc-qv3f-vr6c

Warn: Project is vulnerable to: GHSA-8hfj-j24r-96c4

Warn: Project is vulnerable to: GHSA-wc69-rhjr-hc9g

Warn: Project is vulnerable to: GHSA-qrpm-p2h7-hrv2

Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55

Warn: Project is vulnerable to: GHSA-r683-j2x4-v87g

Warn: Project is vulnerable to: GHSA-5rrq-pxf6-6jx5

Warn: Project is vulnerable to: GHSA-8fr3-hfg3-gpgp

Warn: Project is vulnerable to: GHSA-gf8q-jrpm-jvxq

Warn: Project is vulnerable to: GHSA-2r2c-g63r-vccr

Warn: Project is vulnerable to: GHSA-cfm4-qjh2-4765

Warn: Project is vulnerable to: GHSA-x4jg-mjrx-434g

Warn: Project is vulnerable to: GHSA-92xj-mqp7-vmcj

Warn: Project is vulnerable to: GHSA-wxgw-qj99-44c2

Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j

Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w

Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp

Warn: Project is vulnerable to: GHSA-584q-6j8j-r5pm

Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg

Warn: Project is vulnerable to: GHSA-76p7-773f-r4q5

Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p

Warn: Project is vulnerable to: GHSA-wpg7-2c88-r8xv

Warn: Project is vulnerable to: GHSA-f5x3-32g6-xq36

Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3

Warn: Project is vulnerable to: GHSA-5j4c-8p2g-v4jx

Warn: Project is vulnerable to: GHSA-hc6q-2mpp-qw7j

Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986

Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q