{"id":13716686,"url":"https://github.com/paketo-buildpacks/sbt","last_synced_at":"2026-02-20T00:09:38.669Z","repository":{"id":39794634,"uuid":"256617330","full_name":"paketo-buildpacks/sbt","owner":"paketo-buildpacks","description":"A Cloud Native Buildpack that builds SBT-based applications from source","archived":false,"fork":false,"pushed_at":"2026-02-06T14:58:33.000Z","size":750,"stargazers_count":9,"open_issues_count":1,"forks_count":1,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-02-06T22:27:33.589Z","etag":null,"topics":["build-system","cnb","jvm-applications","sbt"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/paketo-buildpacks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-04-17T21:52:35.000Z","updated_at":"2026-02-06T14:58:19.000Z","dependencies_parsed_at":"2023-10-16T23:57:53.648Z","dependency_job_id":"1c246e6e-7584-4573-8abf-ef718b496694","html_url":"https://github.com/paketo-buildpacks/sbt","commit_stats":{"total_commits":367,"total_committers":14,"mean_commits":"26.214285714285715","dds":0.5831062670299727,"last_synced_commit":"b6bda639ce9e29eeccb0b36d364da6ea34dcd334"},"previous_names":[],"tags_count":117,"template":false,"template_full_name":null,"purl":"pkg:github/paketo-buildpacks/sbt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/paketo-buildpacks%2Fsbt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/paketo-buildpacks%2Fsbt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/paketo-buildpacks%2Fsbt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/paketo-buildpacks%2Fsbt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/paketo-buildpacks","download_url":"https://codeload.github.com/paketo-buildpacks/sbt/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/paketo-buildpacks%2Fsbt/sbom","scorecard":{"id":718076,"data":{"date":"2025-08-11","repo":{"name":"github.com/paketo-buildpacks/sbt","commit":"fc707e30ef436ac8653a7cf3a1bd6af0e51b1ab1"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":6.6,"checks":[{"name":"Maintained","score":10,"reason":"26 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/pb-create-package.yml:1","Warn: no topLevel permission defined: .github/workflows/pb-minimal-labels.yml:1","Warn: no topLevel permission defined: .github/workflows/pb-synchronize-labels.yml:1","Warn: no topLevel permission defined: .github/workflows/pb-tests.yml:1","Warn: no topLevel permission defined: .github/workflows/pb-update-draft-release.yml:1","Warn: no topLevel permission defined: .github/workflows/pb-update-go.yml:1","Warn: no topLevel permission defined: .github/workflows/pb-update-pipeline.yml:1","Warn: no topLevel permission defined: .github/workflows/pb-update-sbt.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/pb-create-package.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-create-package.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pb-create-package.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-create-package.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pb-create-package.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-create-package.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pb-create-package.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-create-package.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pb-create-package.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-create-package.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pb-create-package.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-create-package.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pb-create-package.yml:206: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-create-package.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pb-minimal-labels.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-minimal-labels.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pb-minimal-labels.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-minimal-labels.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pb-synchronize-labels.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-synchronize-labels.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pb-synchronize-labels.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-synchronize-labels.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pb-tests.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-tests.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pb-tests.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pb-tests.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pb-tests.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pb-tests.yml:179: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pb-tests.yml:180: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-tests.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pb-tests.yml:185: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-tests.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pb-update-draft-release.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-update-draft-release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pb-update-draft-release.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-update-draft-release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pb-update-draft-release.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-update-draft-release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pb-update-go.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-update-go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pb-update-go.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-update-go.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pb-update-go.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-update-go.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pb-update-pipeline.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-update-pipeline.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pb-update-pipeline.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-update-pipeline.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pb-update-pipeline.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-update-pipeline.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pb-update-sbt.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-update-sbt.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pb-update-sbt.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-update-sbt.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pb-update-sbt.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-update-sbt.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pb-update-sbt.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-update-sbt.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pb-update-sbt.yml:92: update your workflow using https://app.stepsecurity.io/secureworkflow/paketo-buildpacks/sbt/pb-update-sbt.yml/main?enable=pin","Warn: goCommand not pinned by hash: .github/workflows/pb-create-package.yml:28","Warn: goCommand not pinned by hash: .github/workflows/pb-tests.yml:27","Warn: goCommand not pinned by hash: .github/workflows/pb-update-pipeline.yml:26","Warn: goCommand not pinned by hash: .github/workflows/pb-update-sbt.yml:21","Info:   0 out of  17 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  15 third-party GitHubAction dependencies pinned","Info:   1 out of   5 goCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/paketo-buildpacks/.github/SECURITY.md:1","Info: Found linked content: github.com/paketo-buildpacks/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/paketo-buildpacks/.github/SECURITY.md:1","Info: Found text in security policy: github.com/paketo-buildpacks/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-22T10:19:45.958Z","repository_id":39794634,"created_at":"2025-08-22T10:19:45.958Z","updated_at":"2025-08-22T10:19:45.958Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29510525,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-16T09:05:14.864Z","status":"ssl_error","status_checked_at":"2026-02-16T08:55:59.364Z","response_time":115,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["build-system","cnb","jvm-applications","sbt"],"created_at":"2024-08-03T00:01:13.334Z","updated_at":"2026-02-16T15:03:26.680Z","avatar_url":"https://github.com/paketo-buildpacks.png","language":"Go","funding_links":[],"categories":["[Paketo Buildpacks](https://paketo.io/)"],"sub_categories":["Provides buildpacks for:"],"readme":"# Paketo Buildpack for Encrypt at Rest\n\n## Buildpack ID: `paketo-buildpacks/sbt`\n## Registry URLs: `docker.io/paketobuildpacks/sbt`\n\nThe Paketo Buildpack for SBT is a Cloud Native Buildpack that builds SBT-based applications from source.\n\n## Behavior\n\nThis buildpack will participate all the following conditions are met\n\n* `\u003cAPPLICATION_ROOT\u003e/build.sbt` exists\n\nThe buildpack will do the following:\n\n* Requests that a JDK be installed\n* Links the `~/.sbt` to a layer for caching\n* If `\u003cAPPLICATION_ROOT\u003e/sbt` exists\n  * Runs `\u003cAPPLICATION_ROOT\u003e/sbt universal:packageBin` to build the application\n* If `\u003cAPPLICATION_ROOT\u003e/sbt` does not exist\n  * Contributes SBT to a layer with all commands on `$PATH`\n  * Runs `\u003cSBT_ROOT\u003e/bin/sbt package` to build the application\n* Removes the source code in `\u003cAPPLICATION_ROOT\u003e`, following include/exclude rules\n* If `$BP_SBT_BUILT_ARTIFACT` matched a single file\n  * Restores `$BP_SBT_BUILT_ARTIFACT` from the layer, expands the single file to `\u003cAPPLICATION_ROOT\u003e`\n* If `$BP_SBT_BUILT_ARTIFACT` matched a directory or multiple files\n  * Restores the files matched by `$BP_SBT_BUILT_ARTIFACT` to `\u003cAPPLICATION_ROOT\u003e`\n\n## Configuration\n\n| Environment Variable      | Description                                                                                                                                                                                                                        |\n| ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| `$BP_SBT_BUILD_ARGUMENTS` | Configure the arguments to pass to build system. Defaults to `universal:packageBin`.                                                                                                                                               |\n| `$BP_SBT_BUILT_MODULE`    | Configure the module to find application artifact in. Defaults to the root module (empty).                                                                                                                                         |\n| `$BP_SBT_BUILT_ARTIFACT`  | Configure the built application artifact explicitly. Supersedes `$BP_SBT_BUILT_MODULE`. Defaults to `target/universal/*.zip`. Can match a single file, multiple files or a directory. Can be one or more space separated patterns. |\n| `$BP_SBT_REPOSITORIES_FILE` | Specifies a custom location to SBT's `repositories` file. |\n| `$BP_INCLUDE_FILES`         | Colon separated list of glob patterns to match source files. Any matched file will be retained in the final image. Defaults to `` (i.e. nothing).                                                                                               |\n| `$BP_EXCLUDE_FILES`         | Colon separated list of glob patterns to match source files. Any matched file will be specifically removed from the final image. If include patterns are also specified, then they are applied first and exclude patterns can be used to further reduce the fileset. |\n\n## Bindings\n\nThe buildpack optionally accepts the following bindings:\n\n### Type: `dependency-mapping`\n\n| Key                   | Value   | Description                                                                                       |\n| --------------------- | ------- | ------------------------------------------------------------------------------------------------- |\n| `\u003cdependency-digest\u003e` | `\u003curi\u003e` | If needed, the buildpack will fetch the dependency with digest `\u003cdependency-digest\u003e` from `\u003curi\u003e` |\n\n## License\n\nThis buildpack is released under version 2.0 of the [Apache License][a].\n\n[a]: http://www.apache.org/licenses/LICENSE-2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpaketo-buildpacks%2Fsbt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpaketo-buildpacks%2Fsbt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpaketo-buildpacks%2Fsbt/lists"}