Skills · Apr 19, 2026 · 3 min read

OpenSSF Scorecard — Security Health Metrics for Open Source

OpenSSF Scorecard automatically assesses open source projects against a set of security best practices, producing a score that helps maintainers and consumers understand supply chain risk.

Ready for agents

Safe staging for this asset

This asset is staged first. The copied prompt asks you to inspect the staged files before activating scripts, MCP config, or global config.

Stage only · 29/100 · Policy: staging
Agent surface: Any MCP/CLI agent
Type: Skill
Installation: Stage only
Trust: Established
Entry: Scorecard Overview
Safe staging command:
npx -y tokrepo@latest install 6f58c192-3c0d-11f1-9bc6-00163e2b0d79 --target codex

Files are staged first; activation requires reviewing the README and the staged plan.

Introduction

Scorecard is an OpenSSF project that evaluates open source repositories against a curated set of security checks. It assigns a 0-10 score per check covering areas like branch protection, dependency pinning, and CI/CD practices, helping teams make informed decisions about supply chain trust.

What Scorecard Does

  • Runs automated security checks against GitHub and GitLab repositories
  • Evaluates branch protection, code review, vulnerability disclosure, and more
  • Generates machine-readable JSON or human-readable output
  • Integrates into CI/CD pipelines via GitHub Actions
  • Powers the OpenSSF Scorecard BigQuery dataset for ecosystem-wide analysis

Architecture Overview

Scorecard is a Go CLI that authenticates with the GitHub or GitLab API, retrieves repository metadata (branch rules, CI configs, dependency files, commit history), and runs a series of check functions. Each check probes a specific security practice and returns a score from 0 to 10 along with remediation guidance. Results can be exported as JSON, SARIF, or printed to the console.

Self-Hosting & Configuration

  • Install via Go, Homebrew, or download release binaries
  • Set GITHUB_AUTH_TOKEN for authenticated API access and higher rate limits
  • Run in CI with the official scorecard-action GitHub Action
  • Filter to specific checks with the --checks flag to focus on relevant areas
  • Export results in SARIF format for integration with GitHub code scanning
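The architecture section above notes that results can be exported as JSON, and the configuration list suggests running Scorecard in CI. The following is an added example, not code from the Scorecard project, of the piece that turns that JSON into a CI gate: it reads a Scorecard report, applies per-check floors for the checks a team treats as non-negotiable plus an aggregate minimum, and treats a check score of -1 (Scorecard's value for a check it could not evaluate) as "skipped" rather than as a failure, so an API hiccup does not block a merge. The field names (`score`, `checks[].name`, `checks[].score`, `checks[].reason`, `checks[].documentation.url`) follow Scorecard's JSON output; the report itself, the commit hash, the thresholds, and the `Policy` / `gate_json` names are constructed for this example.

```python
"""Gate a CI job on OpenSSF Scorecard JSON output (added example, not Scorecard code)."""
import json
from dataclasses import dataclass, field

# Constructed sample modelled on Scorecard's JSON output; not real scan data.
SAMPLE_JSON = r'''{
  "date": "2026-04-19",
  "repo": {"name": "github.com/example-org/example-repo",
           "commit": "0000000000000000000000000000000000000000"},
  "score": 6.4,
  "checks": [
    {"name": "Branch-Protection", "score": 3,
     "reason": "branch protection is not maximal on development and/or release branches",
     "documentation": {"url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection"}},
    {"name": "Pinned-Dependencies", "score": 5,
     "reason": "dependency not pinned by hash detected",
     "documentation": {"url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies"}},
    {"name": "Code-Review", "score": 10, "reason": "all changesets reviewed",
     "documentation": {"url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review"}},
    {"name": "Fuzzing", "score": -1, "reason": "internal error while evaluating check",
     "documentation": {"url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing"}},
    {"name": "Token-Permissions", "score": 0,
     "reason": "detected GitHub workflow tokens with excessive permissions",
     "documentation": {"url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions"}}
  ]
}'''


@dataclass(frozen=True)
class Policy:
    """Thresholds chosen for this example; tune them per repository."""
    min_aggregate: float = 5.0  # overall score below this fails the gate
    # Per-check floors for the checks a team considers non-negotiable.
    min_per_check: dict = field(default_factory=lambda: {
        "Branch-Protection": 5,
        "Token-Permissions": 5,
        "Pinned-Dependencies": 5,
    })


@dataclass
class Finding:
    check: str
    score: int
    required: float
    reason: str
    url: str


@dataclass
class GateResult:
    passed: bool
    aggregate: float
    failures: list      # Finding objects for checks below their floor
    skipped: list       # checks Scorecard could not evaluate (score -1)


def evaluate(report: dict, policy: Policy) -> GateResult:
    """Apply the policy to a parsed Scorecard report."""
    failures, skipped = [], []
    for check in report.get("checks", []):
        name, score = check["name"], check["score"]
        if score < 0:
            # -1 means "not evaluated": report it, but never fail the build on it.
            skipped.append(name)
            continue
        floor = policy.min_per_check.get(name)
        if floor is not None and score < floor:
            failures.append(Finding(
                name, score, floor, check.get("reason", ""),
                check.get("documentation", {}).get("url", ""),
            ))
    aggregate = float(report.get("score", 0))
    passed = aggregate >= policy.min_aggregate and not failures
    return GateResult(passed, aggregate, failures, skipped)


def gate_json(text: str, policy: Policy = Policy()) -> GateResult:
    """Parse raw `scorecard --format=json` output and evaluate it."""
    return evaluate(json.loads(text), policy)


def format_result(result: GateResult) -> str:
    """Render a short, CI-log-friendly summary with remediation links."""
    lines = [f"aggregate score: {result.aggregate:.1f}"]
    for f in result.failures:
        lines.append(f"FAIL {f.check}: {f.score} < {f.required} ({f.reason}) see {f.url}")
    for name in result.skipped:
        lines.append(f"SKIP {name}: not evaluated by Scorecard")
    lines.append("gate: PASS" if result.passed else "gate: FAIL")
    return "\n".join(lines)


if __name__ == "__main__":
    # In CI this would read the file written by the scorecard CLI; here we use the sample.
    import sys
    result = gate_json(SAMPLE_JSON)
    print(format_result(result))
    sys.exit(0 if result.passed else 1)
```

Against the constructed report the gate fails on Branch-Protection (3) and Token-Permissions (0), lists Fuzzing as skipped, and leaves Pinned-Dependencies alone because it meets its floor exactly. The design point is that a per-check floor catches a regression the aggregate can hide: a repository can keep a respectable overall score while one high-impact check (workflow token permissions, for instance) drops to zero.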

Key Features

  • 20+ automated checks covering dependency management, CI/CD, and project governance
  • SARIF output integrates with GitHub Advanced Security code scanning alerts
  • Supports both GitHub and GitLab repositories
  • Provides actionable remediation steps for each failed check
  • Batch scanning capability for evaluating multiple repositories

Comparison with Similar Tools

  • Snyk — commercial vulnerability scanner focused on dependency CVEs; Scorecard evaluates project security practices holistically
  • Dependabot — automates dependency updates; Scorecard assesses whether pinning and update practices are in place
  • FOSSA — license compliance and security; Scorecard focuses on supply chain hygiene rather than license scanning
  • Trivy — scans container images and filesystems for vulnerabilities; Scorecard evaluates repository-level security posture
  • Socket — monitors package behavior at install time; Scorecard checks project governance and maintenance practices

FAQ

Q: What does a Scorecard score of 7 mean? A: Each check is scored 0-10. A score of 7 on a check means the project follows most but not all best practices for that category.

Q: Can I run Scorecard on private repositories? A: Yes, as long as you provide a token with appropriate access. Results stay local and are not shared publicly.

Q: How often should I run Scorecard? A: Running it in CI on each pull request or weekly ensures you catch regressions in security practices.

Q: Does Scorecard find CVEs in my code? A: No. Scorecard evaluates project hygiene (branch protection, code review, dependency pinning) rather than scanning for specific vulnerabilities.
