{"id":13409108,"url":"https://github.com/cometbft/cometbft","last_synced_at":"2026-04-14T21:00:58.762Z","repository":{"id":65634457,"uuid":"581314918","full_name":"cometbft/cometbft","owner":"cometbft","description":"CometBFT: A distributed, Byzantine fault-tolerant, deterministic state machine replication engine. A fork and successor to Tendermint Core.","archived":false,"fork":false,"pushed_at":"2026-04-08T18:54:13.000Z","size":189372,"stargazers_count":877,"open_issues_count":278,"forks_count":788,"subscribers_count":17,"default_branch":"main","last_synced_at":"2026-04-08T20:22:53.819Z","etag":null,"topics":["bft","blockchain","cosmos","database","distributed-systems","go","tendermint-consensus"],"latest_commit_sha":null,"homepage":"https://docs.cometbft.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cometbft.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-12-22T21:03:33.000Z","updated_at":"2026-04-07T21:10:27.000Z","dependencies_parsed_at":"2023-10-25T21:25:24.573Z","dependency_job_id":"f8f8e4b1-4780-4ef8-b7cc-65104a84ae49","html_url":"https://github.com/cometbft/cometbft","commit_stats":{"total_commits":8878,"total_committers":383,"mean_commits":"23.180156657963447","dds":0.7744987609822032,"last_synced_commit":"26cb78807e7efd17b03f0ed4b90e7fd7f6aa562d"},"previous_names":["cometbft/tendermint"],"tags_count":88,"template":false,"template_full_name":null,"purl":"pkg:github/cometbft/cometbft","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cometbft%2Fcometbft","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cometbft%2Fcometbft/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cometbft%2Fcometbft/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cometbft%2Fcometbft/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cometbft","download_url":"https://codeload.github.com/cometbft/cometbft/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cometbft%2Fcometbft/sbom","scorecard":{"id":300666,"data":{"date":"2025-08-11","repo":{"name":"github.com/cometbft/cometbft","commit":"bd1bc3bb6392a973d7b60fd0b19da6e71ca09b47"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":6.5,"checks":[{"name":"Code-Review","score":8,"reason":"Found 25/28 approved changesets -- score normalized to 8","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:37","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:36","Warn: no topLevel permission defined: .github/workflows/build.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/check-generated.yml:17","Warn: no topLevel permission defined: .github/workflows/codeql.yml:1","Warn: no topLevel permission defined: .github/workflows/docker-build-cometbft.yml:1","Warn: no topLevel permission defined: .github/workflows/docker-build-e2e-node.yml:1","Warn: no topLevel permission defined: .github/workflows/docs-toc.yml:1","Warn: no topLevel permission defined: .github/workflows/e2e-long-main.yml:1","Warn: no topLevel permission defined: .github/workflows/e2e-manual-debug.yml:1","Warn: no topLevel permission defined: .github/workflows/e2e-manual-multiversion.yml:1","Warn: no topLevel permission defined: .github/workflows/e2e-manual.yml:1","Warn: no topLevel permission defined: .github/workflows/e2e-nightly-1x.yml:1","Warn: no topLevel permission defined: .github/workflows/e2e-nightly-2x.yml:1","Warn: no topLevel permission defined: .github/workflows/e2e-nightly-38x.yml:1","Warn: no topLevel permission defined: .github/workflows/e2e-nightly-main.yml:1","Warn: no topLevel permission defined: .github/workflows/e2e.yml:1","Warn: no topLevel permission defined: .github/workflows/fuzz-nightly.yml:1","Warn: no topLevel permission defined: .github/workflows/integration_tests.yml:1","Warn: no topLevel permission defined: .github/workflows/lint.yml:1","Warn: no topLevel permission defined: .github/workflows/markdown-linter.yml:1","Warn: no topLevel permission defined: .github/workflows/notify-about-breaking-changes.yml:1","Warn: no topLevel permission defined: .github/workflows/pre-release.yml:1","Warn: no topLevel permission defined: .github/workflows/proto-lint.yml:1","Warn: no topLevel permission defined: .github/workflows/release-version.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Warn: no topLevel permission defined: .github/workflows/stale.yml:1","Warn: no topLevel permission defined: .github/workflows/test-slack-notification.yml:1","Warn: no topLevel permission defined: .github/workflows/tests.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed","details":["Info: OSSFuzz integration found","Info: GoBuiltInFuzzer integration found: state/store_db_key_layout_test.go:11","Info: GoBuiltInFuzzer integration found: store/db_key_layout_test.go:12","Info: GoBuiltInFuzzer integration found: store/db_key_layout_test.go:56","Info: GoBuiltInFuzzer integration found: test/fuzz/tests/mempool_test.go:17","Info: GoBuiltInFuzzer integration found: test/fuzz/tests/p2p_secretconnection_test.go:17","Info: GoBuiltInFuzzer integration found: test/fuzz/tests/rpc_jsonrpc_server_test.go:18"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":8,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Info: codeowner review is required on branch 'main'","Info: status check found to merge onto on branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v1.0.1 not signed: https://api.github.com/repos/cometbft/cometbft/releases/198024224","Warn: release artifact v0.38.17 not signed: https://api.github.com/repos/cometbft/cometbft/releases/198024601","Warn: release artifact v0.37.15 not signed: https://api.github.com/repos/cometbft/cometbft/releases/198024933","Warn: release artifact v0.38.16 not signed: https://api.github.com/repos/cometbft/cometbft/releases/191872190","Warn: release artifact v0.37.14 not signed: https://api.github.com/repos/cometbft/cometbft/releases/191864008","Warn: release artifact v1.0.1 does not have provenance: https://api.github.com/repos/cometbft/cometbft/releases/198024224","Warn: release artifact v0.38.17 does not have provenance: https://api.github.com/repos/cometbft/cometbft/releases/198024601","Warn: release artifact v0.37.15 does not have provenance: https://api.github.com/repos/cometbft/cometbft/releases/198024933","Warn: release artifact v0.38.16 does not have provenance: https://api.github.com/repos/cometbft/cometbft/releases/191872190","Warn: release artifact v0.37.14 does not have provenance: https://api.github.com/repos/cometbft/cometbft/releases/191864008"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/docker-build-cometbft.yml:45"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/check-generated.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/check-generated.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/check-generated.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/check-generated.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/check-generated.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/check-generated.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/check-generated.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/check-generated.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:69: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:82: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/codeql.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/conventional-pr-title.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/conventional-pr-title.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/conventional-pr-title.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/conventional-pr-title.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/conventional-pr-title.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/conventional-pr-title.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker-build-cometbft.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/docker-build-cometbft.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-build-cometbft.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/docker-build-cometbft.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-build-cometbft.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/docker-build-cometbft.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-build-cometbft.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/docker-build-cometbft.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-build-cometbft.yml:89: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/docker-build-cometbft.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker-build-e2e-node.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/docker-build-e2e-node.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-build-e2e-node.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/docker-build-e2e-node.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-build-e2e-node.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/docker-build-e2e-node.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-build-e2e-node.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/docker-build-e2e-node.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-build-e2e-node.yml:89: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/docker-build-e2e-node.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs-toc.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/docs-toc.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-long-main.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-long-main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-long-main.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-long-main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e-long-main.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-long-main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-manual-debug.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-manual-debug.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-manual-debug.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-manual-debug.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-manual-multiversion.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-manual-multiversion.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-manual-multiversion.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-manual-multiversion.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-manual.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-manual.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-manual.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-manual.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-nightly-1x.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-nightly-1x.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-nightly-1x.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-nightly-1x.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e-nightly-1x.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-nightly-1x.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-nightly-2x.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-nightly-2x.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-nightly-2x.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-nightly-2x.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e-nightly-2x.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-nightly-2x.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e-nightly-38x.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-nightly-38x.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-nightly-38x.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-nightly-38x.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-nightly-38x.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-nightly-38x.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-nightly-main.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-nightly-main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-nightly-main.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-nightly-main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e-nightly-main.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e-nightly-main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/e2e.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/fuzz-nightly.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/fuzz-nightly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/fuzz-nightly.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/fuzz-nightly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/fuzz-nightly.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/fuzz-nightly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/fuzz-nightly.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/fuzz-nightly.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/fuzz-nightly.yml:84: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/fuzz-nightly.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration_tests.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/integration_tests.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/integration_tests.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/integration_tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration_tests.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/integration_tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/lint.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/lint.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/lint.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/markdown-linter.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/markdown-linter.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/markdown-linter.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/markdown-linter.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/notify-about-breaking-changes.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/notify-about-breaking-changes.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/notify-about-breaking-changes.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/notify-about-breaking-changes.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pre-release.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/pre-release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pre-release.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/pre-release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pre-release.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/pre-release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pre-release.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/pre-release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/proto-lint.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/proto-lint.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/proto-lint.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/proto-lint.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/proto-lint.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/proto-lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-version.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/release-version.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-version.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/release-version.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stale.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/stale.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test-slack-notification.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/test-slack-notification.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/tests.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/tests.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/tests.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/cometbft/cometbft/tests.yml/main?enable=pin","Warn: containerImage not pinned by hash: DOCKER/Dockerfile:6","Warn: containerImage not pinned by hash: DOCKER/Dockerfile:16","Warn: containerImage not pinned by hash: DOCKER/Dockerfile.testing:1: pin your Docker image by updating golang:latest to golang:latest@sha256:b1e92cfaec83bd942746d4f01ccfb75f877806d6d25305857afff642a92afa52","Warn: containerImage not pinned by hash: spec/ivy-proofs/Dockerfile:2: pin your Docker image by updating debian:buster to debian:buster@sha256:58ce6f1271ae1c8a2006ff7d3e54e9874d839f573d8009c20154ad0f2fb0a225","Warn: containerImage not pinned by hash: test/e2e/docker/Dockerfile:3","Warn: containerImage not pinned by hash: test/e2e/docker/Dockerfile:21","Warn: containerImage not pinned by hash: test/e2e/docker/Dockerfile.debug:3","Warn: containerImage not pinned by hash: test/e2e/docker/Dockerfile.debug:21","Warn: containerImage not pinned by hash: test/e2e/docker/Dockerfile.fast:1: pin your Docker image by updating alpine:latest to alpine:latest@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","Warn: pipCommand not pinned by hash: spec/ivy-proofs/Dockerfile:31","Warn: goCommand not pinned by hash: test/e2e/docker/Dockerfile.debug:28","Warn: goCommand not pinned by hash: test/fuzz/oss-fuzz-build.sh:16","Warn: goCommand not pinned by hash: .github/workflows/fuzz-nightly.yml:30","Info:   0 out of  52 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  31 third-party GitHubAction dependencies pinned","Info:   1 out of   4 goCommand dependencies pinned","Info:   0 out of   9 containerImage dependencies pinned","Info:   0 out of   1 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 8 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":3,"reason":"7 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw","Warn: Project is vulnerable to: GO-2024-3110 / GHSA-jfvp-7x6p-h2pv","Warn: Project is vulnerable to: GHSA-44wm-f244-xhp3","Warn: Project is vulnerable to: GHSA-9hjg-9r4m-mvj7","Warn: Project is vulnerable to: GHSA-9wx4-h78v-vm56"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-17T20:32:41.467Z","repository_id":65634457,"created_at":"2025-08-17T20:32:41.467Z","updated_at":"2025-08-17T20:32:41.467Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31815080,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-14T18:05:02.291Z","status":"ssl_error","status_checked_at":"2026-04-14T18:05:01.765Z","response_time":153,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bft","blockchain","cosmos","database","distributed-systems","go","tendermint-consensus"],"created_at":"2024-07-30T20:00:58.054Z","updated_at":"2026-04-14T21:00:58.721Z","avatar_url":"https://github.com/cometbft.png","language":"Go","readme":"\u003cdiv align=\"left\"\u003e\n  \u003ch1\u003e CometBFT \u003c/h1\u003e\n\u003c/div\u003e\n\n![banner](docs/imgs/banner.svg)\n\n[![Version][version-badge]][version-url]\n[![Go version][go-badge]][go-url]\n[![Discord chat][discord-badge]][discord-url]\n[![License][license-badge]][license-url]\n[![Sourcegraph][sg-badge]][sg-url]\n\nCometBFT is the most widely-adopted, battle-tested consensus engine in blockchain today. It is a [Byzantine Fault Tolerant (BFT)](https://en.wikipedia.org/wiki/Byzantine_fault) middleware that takes a state transition machine - written in any programming language - and securely replicates it on many machines.\n\nCometBFT is highly performant and achieves speeds of up to 10k transactions per second (TPS). Its flagship feature, ABCI++ enables developers to add programmability and customization to every step of the consensus engine.\n\nDevelopers can use CometBFT for BFT state machine replication of applications written in any programming language and development environment. This modularity gives developers flexibility to choose tools and technologies best suited for specific projects, improves maintainability, and delivers the scalability required for large-scale decentralized applications.\n\nCometBFT is a fork of [Tendermint Core][tm-core] and implements the Tendermint consensus algorithm.\n\n## Releases\n\nPlease do not depend on `main` as your production branch. Use [releases](https://github.com/cometbft/cometbft/releases) instead.\n\nMore on how releases are conducted can be found [here](./RELEASES.md).\n\n\n## Minimum requirements\n\n| CometBFT version | Requirement | Notes             |\n|------------------|-------------|-------------------|\n| main             | Go version  | Go 1.23 or higher |\n| v0.38.x          | Go version  | Go 1.22 or higher |\n\n### Install\n\nSee the [install guide](./docs/guides/install.md).\n\n### Quick Start\n\n- [Single node](./docs/guides/quick-start.md)\n- [Local cluster using docker-compose](./docs/networks/docker-compose.md)\n\n## Versioning\n\n### Semantic Versioning\n\nCometBFT uses [Semantic Versioning](http://semver.org/) to determine when and\nhow the version changes.\n\nTo provide some stability to users of 0.X.X versions of CometBFT, the MINOR\nversion is used to signal breaking changes across CometBFT's API. This API\nincludes all publicly exposed types, functions, and methods in non-internal Go\npackages as well as the types and methods accessible via the CometBFT RPC\ninterface.\n\nBreaking changes to these public APIs will be documented in the CHANGELOG.\n\n### Upgrades\n\nIn an effort to avoid accumulating technical debt, we do not\nguarantee that breaking changes (i.e. bumps in the MINOR version) will work with\nexisting CometBFT blockchains. In these cases you will have to start a new\nblockchain, or write something custom to get the old data into the new chain.\nHowever, any bump in the PATCH version should be compatible with existing\nblockchain histories.\n\nFor more information on upgrading, see [UPGRADING.md](./UPGRADING.md).\n\n### Supported Versions\n\nCurrently supported versions include:\n\n- v0.38.x: CometBFT v0.38 introduces ABCI 2.0, which implements the entirety of\n  ABCI++\n\n\n## Developer Community and Support\n\nThe issue list of this repo is exclusively for bug reports and feature requests. We have active, helpful communities on Discord, Telegram, and Slack.\n\n**| Need Help? | Support \u0026 Community: [Discord](https://discord.com/invite/interchain) - [Telegram](https://t.me/CosmosOG) - [Talk to an Expert](https://cosmos.network/interest-form) - [Join the #Cosmos-tech Slack Channel](https://forms.gle/A8jawLgB8zuL1FN36) |**\n\n## Security\n\nTo report a security vulnerability, see the Cosmos [bug bounty program](https://hackerone.com/cosmos). For examples of the kinds of bugs we're looking for, see [our security policy](SECURITY.md).\n\n## Maintainers\n[Cosmos Labs](https://cosmoslabs.io/) maintains the core components of the stack: Cosmos SDK, CometBFT, IBC, Cosmos EVM, and various developer tools and frameworks. The detailed maintenance policy can be found [here](https://github.com/cosmos/security/blob/main/POLICY.md). In addition to developing and maintaining the Cosmos Stack, Cosmos Labs provides advisory and engineering services for blockchain solutions. [Get in touch with Cosmos Labs](https://www.cosmoslabs.io/contact).\n\nCosmos Labs is a wholly-owned subsidiary of the [Interchain Foundation](https://interchain.io/), the Swiss nonprofit responsible for treasury management, funding public goods, and supporting governance for Cosmos.\n\nThe Cosmos Stack is supported by a robust community of open-source contributors.\n\n## Contributing\n\nIf you are interested in working on an issue, please comment on it, and take a look at the [contributing guidelines](./CONTRIBUTING.md). We welcome and appreciate community contributions!\n\n## Documentation and Resources\n\n### Documentation\n- [CometBFT Documentation](https://docs.cometbft.com/v0.38/)\n- [CometBFT Specification](./spec/README.md)\n- [Documentation](./docs/)\n\n### Cosmos Stack Libraries\n\n- [Cosmos SDK](http://github.com/cosmos/cosmos-sdk) - A framework for building\n  applications in Golang\n- [The Inter-Blockchain Communication Protocol (IBC)](https://github.com/cosmos/ibc-go/) - A blockchain interoperability protocol that allows blockchains to transfer any type of data encoded in bytes.\n- [Cosmos EVM](https://github.com/cosmos/evm) - Native EVM layer for Cosmos SDK chains.\n\n### Research\n\nBelow are links to the original Tendermint consensus algorithm and relevant\nwhitepapers which CometBFT will continue to build on.\n\n- [The latest gossip on BFT consensus](https://arxiv.org/abs/1807.04938)\n- [Master's Thesis on Tendermint](https://atrium.lib.uoguelph.ca/xmlui/handle/10214/9769)\n- [Original Whitepaper: \"Tendermint: Consensus Without Mining\"](https://tendermint.com/static/docs/tendermint.pdf)\n\n\n\n[bft]: https://en.wikipedia.org/wiki/Byzantine_fault_tolerance\n[smr]: https://en.wikipedia.org/wiki/State_machine_replication\n[Blockchain]: https://en.wikipedia.org/wiki/Blockchain\n[version-badge]: https://img.shields.io/github/v/release/cometbft/cometbft.svg\n[version-url]: https://github.com/cometbft/cometbft/releases/latest\n[api-badge]: https://camo.githubusercontent.com/915b7be44ada53c290eb157634330494ebe3e30a/68747470733a2f2f676f646f632e6f72672f6769746875622e636f6d2f676f6c616e672f6764646f3f7374617475732e737667\n[api-url]: https://pkg.go.dev/github.com/cometbft/cometbft\n[go-badge]: https://img.shields.io/badge/go-1.22-blue.svg\n[go-url]: https://github.com/moovweb/gvm\n[discord-badge]: https://img.shields.io/discord/669268347736686612.svg\n[discord-url]: https://discord.gg/interchain\n[license-badge]: https://img.shields.io/github/license/cometbft/cometbft.svg\n[license-url]: https://github.com/cometbft/cometbft/blob/main/LICENSE\n[sg-badge]: https://sourcegraph.com/github.com/cometbft/cometbft/-/badge.svg\n[sg-url]: https://sourcegraph.com/github.com/cometbft/cometbft?badge\n[tests-url]: https://github.com/cometbft/cometbft/actions/workflows/tests.yml\n[tests-url-v038x]: https://github.com/cometbft/cometbft/actions/workflows/tests.yml?query=branch%3Av0.38.x\n[tests-url-v037x]: https://github.com/cometbft/cometbft/actions/workflows/tests.yml?query=branch%3Av0.37.x\n[tests-url-v034x]: https://github.com/cometbft/cometbft/actions/workflows/tests.yml?query=branch%3Av0.34.x\n[tests-badge]: https://github.com/cometbft/cometbft/actions/workflows/tests.yml/badge.svg?branch=main\n[tests-badge-v038x]: https://github.com/cometbft/cometbft/actions/workflows/tests.yml/badge.svg?branch=v0.38.x\n[tests-badge-v037x]: https://github.com/cometbft/cometbft/actions/workflows/tests.yml/badge.svg?branch=v0.37.x\n[tests-badge-v034x]: https://github.com/cometbft/cometbft/actions/workflows/tests.yml/badge.svg?branch=v0.34.x\n[lint-badge]: https://github.com/cometbft/cometbft/actions/workflows/lint.yml/badge.svg?branch=main\n[lint-badge-v034x]: https://github.com/cometbft/cometbft/actions/workflows/lint.yml/badge.svg?branch=v0.34.x\n[lint-badge-v037x]: https://github.com/cometbft/cometbft/actions/workflows/lint.yml/badge.svg?branch=v0.37.x\n[lint-badge-v038x]: https://github.com/cometbft/cometbft/actions/workflows/lint.yml/badge.svg?branch=v0.38.x\n[lint-url]: https://github.com/cometbft/cometbft/actions/workflows/lint.yml\n[lint-url-v034x]: https://github.com/cometbft/cometbft/actions/workflows/lint.yml?query=branch%3Av0.34.x\n[lint-url-v037x]: https://github.com/cometbft/cometbft/actions/workflows/lint.yml?query=branch%3Av0.37.x\n[lint-url-v038x]: https://github.com/cometbft/cometbft/actions/workflows/lint.yml?query=branch%3Av0.38.x\n[tm-core]: https://github.com/tendermint/tendermint\n","funding_links":[],"categories":["Blockchain","Core Components","CometBFT","区块链","Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcometbft%2Fcometbft","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcometbft%2Fcometbft","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcometbft%2Fcometbft/lists"}