# OpenSSF Scorecard — Security Health Metrics for Open Source

> OpenSSF Scorecard automatically assesses open source projects against a set of security best practices, producing a score that helps maintainers and consumers understand supply chain risk.

## Quick Use

```bash
# Install the CLI (requires a Go toolchain)
go install github.com/ossf/scorecard/v5/cmd/scorecard@latest

# Score any public GitHub repository
scorecard --repo=github.com/ossf/scorecard
```

## Introduction

Scorecard is an OpenSSF project that evaluates open source repositories against a curated set of security checks. It assigns each check a score from 0 to 10, covering areas such as branch protection, dependency pinning, and CI/CD practices, helping teams make informed decisions about supply chain trust.

## What Scorecard Does

- Runs automated security checks against GitHub and GitLab repositories
- Evaluates branch protection, code review, vulnerability disclosure, and more
- Generates machine-readable JSON or human-readable output
- Integrates into CI/CD pipelines via GitHub Actions
- Powers the OpenSSF Scorecard BigQuery dataset for ecosystem-wide analysis

## Architecture Overview

Scorecard is a Go CLI that authenticates with the GitHub or GitLab API, retrieves repository metadata (branch rules, CI configs, dependency files, commit history), and runs a series of check functions. Each check probes a specific security practice and returns a score from 0 to 10 along with remediation guidance. Results can be exported as JSON or SARIF, or printed to the console.
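The JSON export is what makes Scorecard usable as a CI gate rather than just a report. The script below is an added example, not code from the Scorecard project: it reads the document that `scorecard --repo=<repo> --format=json` writes, applies per-check minimum scores, and exits non-zero when the policy is not met. The field names it relies on (`score`, `checks[].name`, `checks[].score`, `checks[].reason`) follow Scorecard's JSON output; a check score of `-1` is how Scorecard signals that a check could not be evaluated, which the gate surfaces as inconclusive rather than failed. The policy thresholds and the embedded sample report are constructed for illustration.

```python
"""CI policy gate over OpenSSF Scorecard JSON output (added example)."""
import json
import sys

# Minimum score per check. Hypothetical policy values; tune to your own risk appetite.
DEFAULT_POLICY = {
    "Dangerous-Workflow": 10,   # no script-injection / untrusted-checkout patterns
    "Token-Permissions": 8,     # least-privilege GITHUB_TOKEN in workflows
    "Pinned-Dependencies": 5,   # hash-pinned actions, images and packages
    "Branch-Protection": 5,
    "Code-Review": 5,
}
DEFAULT_AGGREGATE_MIN = 6.0

# Scorecard reports -1 when a check could not be evaluated (error or inconclusive).
INCONCLUSIVE = -1


def evaluate(report, policy=DEFAULT_POLICY, aggregate_min=DEFAULT_AGGREGATE_MIN):
    """Apply the policy to one Scorecard JSON report.

    Returns a dict with:
      failures     - (check, score, minimum, reason) for checks below threshold
      inconclusive - (check, reason) for checks Scorecard could not evaluate or
                     that are absent from the report (surfaced, not failed)
      aggregate_ok - whether the overall repository score meets aggregate_min
    """
    by_name = {c["name"]: c for c in report.get("checks", [])}
    failures, inconclusive = [], []
    for name, minimum in policy.items():
        check = by_name.get(name)
        if check is None:
            inconclusive.append((name, "check absent from report (filtered with --checks?)"))
            continue
        score = check.get("score", INCONCLUSIVE)
        reason = check.get("reason", "")
        if score == INCONCLUSIVE:
            inconclusive.append((name, reason))
        elif score < minimum:
            failures.append((name, score, minimum, reason))
    return {
        "failures": failures,
        "inconclusive": inconclusive,
        "aggregate_ok": report.get("score", 0.0) >= aggregate_min,
    }


def passes(result, fail_on_inconclusive=False):
    """True when the gate should let the pipeline continue."""
    if result["failures"] or not result["aggregate_ok"]:
        return False
    return not (fail_on_inconclusive and result["inconclusive"])


# Constructed sample in the shape of `scorecard --format=json` output
# (repository name and commit hashes are placeholders, not real values).
SAMPLE_REPORT = {
    "date": "2024-01-01",
    "repo": {"name": "github.com/example-org/example-project", "commit": "0000000000000000000000000000000000000000"},
    "scorecard": {"version": "v5.0.0", "commit": "0000000000000000000000000000000000000000"},
    "score": 6.4,
    "checks": [
        {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns detected"},
        {"name": "Token-Permissions", "score": 9, "reason": "detected GitHub workflow tokens with excessive permissions"},
        {"name": "Pinned-Dependencies", "score": 3, "reason": "dependency not pinned by hash detected"},
        {"name": "Branch-Protection", "score": -1, "reason": "internal error: branch protection query failed"},
        {"name": "Code-Review", "score": 7, "reason": "found some unreviewed changesets"},
    ],
}


def main(argv):
    """Usage: gate.py [scorecard.json]; falls back to the embedded sample."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    result = evaluate(report)
    for name, score, minimum, reason in result["failures"]:
        print(f"FAIL {name}: {score} < {minimum} ({reason})")
    for name, reason in result["inconclusive"]:
        print(f"WARN {name}: inconclusive ({reason})")
    if not result["aggregate_ok"]:
        print(f"FAIL aggregate score {report.get('score')} below {DEFAULT_AGGREGATE_MIN}")
    return 0 if passes(result) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this runs as `scorecard --repo=github.com/org/repo --format=json > scorecard.json && python gate.py scorecard.json`. Treating `-1` as a warning instead of a failure is deliberate: an API error or rate-limit hit should not block a merge, but it should be visible, and `fail_on_inconclusive=True` is available for repositories where silent gaps are unacceptable.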
## Self-Hosting & Configuration

- Install via Go, Homebrew, or download release binaries
- Set `GITHUB_AUTH_TOKEN` for authenticated API access and higher rate limits
- Run in CI with the official `scorecard-action` GitHub Action
- Filter specific checks with the `--checks` flag to focus on relevant areas
- Export results in SARIF format for integration with GitHub code scanning

## Key Features

- 20+ automated checks covering dependency management, CI/CD, and project governance
- SARIF output integrates with GitHub Advanced Security code scanning alerts
- Supports both GitHub and GitLab repositories
- Provides actionable remediation steps for each failed check
- Batch scanning capability for evaluating multiple repositories

## Comparison with Similar Tools

- **Snyk** — commercial vulnerability scanner focused on dependency CVEs; Scorecard evaluates project security practices holistically
- **Dependabot** — automates dependency updates; Scorecard assesses whether pinning and update practices are in place
- **FOSSA** — license compliance and security; Scorecard focuses on supply chain hygiene rather than license scanning
- **Trivy** — scans container images and filesystems for vulnerabilities; Scorecard evaluates repository-level security posture
- **Socket** — monitors package behavior at install time; Scorecard checks project governance and maintenance practices

## FAQ

**Q: What does a Scorecard score of 7 mean?**
A: Each check is scored 0-10. A score of 7 on a check means the project follows most but not all best practices for that category.

**Q: Can I run Scorecard on private repositories?**
A: Yes, as long as you provide a token with appropriate access. Results stay local and are not shared publicly.

**Q: How often should I run Scorecard?**
A: Running it in CI on each pull request or weekly ensures you catch regressions in security practices.

**Q: Does Scorecard find CVEs in my code?**
A: No.
Scorecard evaluates project hygiene (branch protection, code review, dependency pinning) rather than scanning for specific vulnerabilities.

## Sources

- https://github.com/ossf/scorecard
- https://scorecard.dev

---

Source: https://tokrepo.com/en/workflows/6f58c192-3c0d-11f1-9bc6-00163e2b0d79
Author: Script Depot