Skip to content
Tools / Salt / Security

Security Deep Dive

Salt

Security posture and CVE patch evidence from tracked releases.

Back to Tool

2 critical dependency CVEs affects v3008.0.

Audit transitive dependencies; consider upgrading or pinning replacements.

— Signed — SLSA — SBOM ✓ Security policy Weekly cadence · 5d median Active maintainer

Trust Signals — 3 of 9 Present

Evidence already collected from releases and repository metadata.

3/9 Present
Signed releases Unknown
Latest release artifact signature Latest release
SLSA provenance Unknown
Attestation predicate level Latest release
SBOM published Unknown
GitHub SBOM API Latest release
SECURITY.md Present
GitHub repository metadata Repository policy
Checked: 23d ago
Release cadence: weekly Present
5d median over recent releases Release history
Latest release: 7d ago
Maintainer active Present
Recent commit activity Repository
Last commit: 2d ago
Checksums (SHA256SUMS) Not active yet
SHA256SUMS or equivalent Release asset
Latest release: 7d ago
GitHub Actions attestation Not active yet
actions/attest-build-provenance Workflow file
Latest release: 7d ago
Signing assets Not active yet
.sig, .crt, cosign.pub, or similar Release asset
Latest release: 7d ago
3.8/10 Security Score
5.1/10 Scorecard
Dependency Exposure 78 transitive dependency CVEs found in the latest SBOM. 2 critical.

Security Score

A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.

epss

0.25 / 0.5

No EPSS data

freshness

1.00 / 1.0

2d stale

scorecard

2.04 / 4.0

Score 5.1/10

cve health

0.00 / 2.5

⚠ No direct scan — 7c/25h transitive CVEs

patch speed

0.50 / 0.5

⚠ Estimated — no CVE patch history

kev exposure

1.50 / 1.5

No KEV exposure

supply chain risk

-1.50 / 10.0

Risk 78.7/100

Score breakdown

schema v2

Vulnerability posture

vulnerability posture

0.0

25%

direct cves: clear cve scan: estimated

Release responsiveness

release responsiveness

10.0

5%

patch speed days: no_history

Dependency exposure

dependency exposure

2.1

10%

supply chain risk: 78.72 transitive cves: 7c/25h

Provenance trust

provenance trust

5.1

40%

scorecard score: 5.1 openssf badge: none

Maintainer health

maintainer health

10.0

10%

activity freshness: 2d

Operational risk

operational risk

8.5

10%

kev exposure: clear epss max: none
How is this calculated?

The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.

Supply Chain Risk

Risk 78.7/100
2 Transitive critical CVEs
0 KEV-transitive CVEs
64% Dependency freshness

Scorecard

Scorecard 5.1/10

OpenSSF Scorecard evaluates supply-chain security practices automatically. Score ≥ 6 is passing; ≥ 8 is excellent.

Check Score Reason
Code-Review 4 Found 2/5 approved changesets -- score normalized to 4
Maintained 10 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Security-Policy 10 security policy file detected
CII-Best-Practices 0 no effort to earn an OpenSSF best practices badge detected
Packaging -1 packaging workflow not detected
License 10 license file detected
Dangerous-Workflow 10 no dangerous workflow patterns detected
Token-Permissions 0 detected GitHub workflow tokens with excessive permissions
Binary-Artifacts 6 binaries present in source code
Fuzzing 0 project is not fuzzed
Pinned-Dependencies 5 dependency not pinned by hash detected -- score normalized to 5
SAST 0 SAST tool is not run on all commits -- score normalized to 0
Branch-Protection 8 branch protection is not maximal on development and all release branches
Signed-Releases 0 Project has not signed or included provenance with any releases.

OpenSSF Badge

OpenSSF none

Badge indicates adherence to open-source best practices.

Dependency Vulnerabilities

587 dependencies scanned View full dependency list →

Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.

Critical

2

High

20

Medium

38

Low

18

Unknown

0

Still affecting latest (78) All (98)
Critical 2 High 20 Medium 38 Low 18
CVE Severity KEV Dependency Affected version Cleared in release
CVE-2024-36039 critical pymysql 1.1.0 v3006.25
CVE-2025-43859 critical h11 0.14.0 v3006.25
CVE-2024-52804 high tornado 6.3.3 v3006.25
CVE-2024-53899 high virtualenv 20.24.7 v3006.25
CVE-2024-8775 high ansible-core 2.15.13 v3006.25
CVE-2025-47287 high tornado 6.3.3 v3006.25
CVE-2025-66418 high urllib3 2.2.3 v3006.25
CVE-2025-66471 high urllib3 2.2.3 v3006.25
CVE-2025-69223 high aiohttp 3.9.5 v3006.25
CVE-2026-21441 high urllib3 2.2.3 v3006.25
CVE-2026-26007 high cryptography 42.0.5 v3006.25
CVE-2026-27459 high pyopenssl 25.3.0 v3006.25
CVE-2026-30922 high pyasn1 0.6.2 v3006.25
CVE-2026-31958 high tornado 6.5.4 v3006.25
CVE-2026-32597 high pyjwt 2.9.0 v3006.25
CVE-2026-35536 high tornado 6.5.4 v3006.25
CVE-2026-41066 high lxml 6.0.2 v3006.25
CVE-2026-42215 high gitpython 3.1.46 v3006.25
CVE-2026-42284 high gitpython 3.1.46 v3006.25
CVE-2026-44243 high gitpython 3.1.46 v3006.25
CVE-2026-44244 high gitpython 3.1.46 v3006.25
CVE-2026-44307 high mako 1.3.6 v3006.25
CVE-2023-50781 medium m2crypto 0.38.0 v3006.25
CVE-2024-35195 medium requests 2.31.0 v3006.25
CVE-2024-47081 medium requests 2.32.3 v3006.25
CVE-2024-49766 medium werkzeug 3.0.3 v3006.25
CVE-2024-49767 medium werkzeug 3.0.3 v3006.25
CVE-2024-52304 medium aiohttp 3.9.5 v3006.25
CVE-2024-5569 medium zipp 3.16.2 v3006.25
CVE-2024-56201 medium jinja2 3.1.4 v3006.25
CVE-2024-56326 medium jinja2 3.1.4 v3006.25
CVE-2025-14010 medium ansible 8.7.0 v3006.25
CVE-2025-50181 medium urllib3 2.2.3 v3006.25
CVE-2025-50182 medium urllib3 2.2.3 v3006.25
CVE-2025-66221 medium werkzeug 3.0.3 v3006.25
CVE-2025-68146 medium filelock 3.19.1 v3006.25
CVE-2025-69227 medium aiohttp 3.9.5 v3006.25
CVE-2025-69228 medium aiohttp 3.9.5 v3006.25
CVE-2025-69229 medium aiohttp 3.9.5 v3006.25
CVE-2025-69277 medium pynacl 1.5.0 v3006.25
CVE-2025-71176 medium pytest 8.3.3 v3006.25
CVE-2025-8869 medium pip 25.2 v3006.25
CVE-2026-21860 medium werkzeug 3.0.3 v3006.25
CVE-2026-22701 medium filelock 3.19.1 v3006.25
CVE-2026-22702 medium virtualenv 20.24.7 v3006.25
CVE-2026-22815 medium aiohttp 3.13.3 v3006.25
CVE-2026-25645 medium requests 2.32.3 v3006.25
CVE-2026-27199 medium werkzeug 3.0.3 v3006.25
CVE-2026-3219 medium pip 25.2 v3006.25
CVE-2026-34515 medium aiohttp 3.13.3 v3006.25
CVE-2026-34516 medium aiohttp 3.13.3 v3006.25
CVE-2026-34525 medium aiohttp 3.13.3 v3006.25
CVE-2026-39892 medium cryptography 46.0.5 v3006.25
CVE-2026-41205 medium mako 1.3.6 v3006.25
CVE-2026-6357 medium pip 25.2 v3006.25
GHSA-27jp-wm6q-gp25 medium sqlparse 0.5.0 v3006.25
GHSA-753j-mpmx-qq6g medium tornado 6.3.3 v3006.25
GHSA-78cv-mqj4-43f7 medium tornado 6.5.4 v3006.25
GHSA-h4gh-qq45-vh27 medium cryptography 42.0.5 v3006.25
GHSA-w235-7p84-xx57 medium tornado 6.3.3 v3006.25
CVE-2024-11079 low ansible-core 2.15.13 v3006.25
CVE-2024-12797 low cryptography 42.0.5 v3006.25
CVE-2024-39689 low certifi 2023.07.22 v3006.25
CVE-2025-53643 low aiohttp 3.9.5 v3006.25
CVE-2025-69224 low aiohttp 3.9.5 v3006.25
CVE-2025-69225 low aiohttp 3.9.5 v3006.25
CVE-2025-69226 low aiohttp 3.9.5 v3006.25
CVE-2025-69230 low aiohttp 3.9.5 v3006.25
CVE-2026-1703 low pip 25.2 v3006.25
CVE-2026-27448 low pyopenssl 25.3.0 v3006.25
CVE-2026-34073 low cryptography 46.0.5 v3006.25
CVE-2026-34513 low aiohttp 3.13.3 v3006.25
CVE-2026-34514 low aiohttp 3.13.3 v3006.25
CVE-2026-34517 low aiohttp 3.13.3 v3006.25
CVE-2026-34518 low aiohttp 3.13.3 v3006.25
CVE-2026-34519 low aiohttp 3.13.3 v3006.25
CVE-2026-34520 low aiohttp 3.13.3 v3006.25
CVE-2026-4539 low pygments 2.19.2 v3006.25

Showing 78 of 98

Beta — feedback welcome: [email protected]