Following https://github.com/nodejs/security-wg/blob/main/tools/ossf_scorecard/report.md + Code Scanning, we have a few security concerns to mitigate in this repository and then improve our score. Let's use this issue to keep track of the progress:

• Token-Permissions
  • .github/workflows/ossf-scorecard-reporting.yml:11

  • score is 0: topLevel 'contents' permission set to 'write'
    Remediation tip: update your workflow using https://app.stepsecurity.io
    Click Remediation section below for further remediation help

  • .github/workflows/validate-vulnerability.yml:1

  • score is 0: no topLevel permission defined
    Remediation tip: update your workflow using https://app.stepsecurity.io
    Click Remediation section below for further remediation hel

• Pinned-Dependencies
  • All .yml files.
• SAST Tool
• Fuzzing
• Code-Review