Introduction
Scorecard is an OpenSSF project that evaluates open source repositories against a curated set of security checks. It assigns a 0-10 score per check, covering areas like branch protection, dependency pinning, and CI/CD practices, and rolls those into a 0-10 aggregate score for the repository, helping teams make informed decisions about how much to trust a dependency's supply chain.
What Scorecard Does
- Runs automated security checks against GitHub and GitLab repositories
- Evaluates branch protection, code review, vulnerability disclosure, and more
- Generates machine-readable JSON or human-readable output
- Integrates into CI/CD pipelines via GitHub Actions
- Powers the OpenSSF Scorecard BigQuery dataset for ecosystem-wide analysis
Architecture Overview
Scorecard is a Go CLI that authenticates with the GitHub or GitLab API, retrieves repository metadata (branch rules, CI configs, dependency files, commit history, release assets), and runs a series of check functions. Each check probes a specific security practice and returns a score from 0 to 10 along with remediation guidance; a check that cannot be evaluated (for example, because the API rate limit was hit or the token lacks access) returns -1 rather than a pass, and consumers of the output should treat -1 as "unknown", not as 0 or 10. Results can be exported as JSON or SARIF, or printed to the console.
Self-Hosting & Configuration
- Install via Go (go install), Homebrew, or download release binaries from the project's GitHub releases
- Set GITHUB_AUTH_TOKEN to a GitHub token for authenticated API access; unauthenticated GitHub access is limited to 60 requests per hour, which a single scan exhausts quickly
- Run in CI with the official ossf/scorecard-action GitHub Action
- Filter to specific checks with the --checks flag, which takes a comma-separated list of check names (for example --checks=Branch-Protection,Pinned-Dependencies)
- Export results with --format sarif for upload to GitHub code scanning (for example via github/codeql-action/upload-sarif), or --format json for custom policy enforcement
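The steps above leave the pipeline with a JSON document that something has to act on. The following Go program is an added example, not code from Scorecard or from the original page: it gates a CI job on per-check minimum scores read from `--format json` output, failing closed when a check is inconclusive (-1) or when a check the policy requires is missing from the output. The `--repo` and `--format` flags and the output field names come from Scorecard; the policy thresholds, the sample JSON, and the names `Evaluate`, `Policy` and `gate.go` are this example's own assumptions.

```go
// Added example, not part of Scorecard: a CI gate over `scorecard --format json`
// output. Names (Evaluate, Policy, gate.go) and thresholds are this example's own.
//
// With the real CLI (GITHUB_AUTH_TOKEN must be set in the environment):
//   scorecard --repo=github.com/ossf/scorecard --format=json | go run gate.go -
// Without arguments it evaluates the constructed sample embedded below.
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
)

// Result holds the fields of Scorecard's JSON output that the gate needs;
// other fields (date, scorecard version, documentation links) are ignored.
type Result struct {
	Repo struct {
		Name   string `json:"name"`
		Commit string `json:"commit"`
	} `json:"repo"`
	Score  float64 `json:"score"` // aggregate 0-10
	Checks []Check `json:"checks"`
}

// Check is one check result. Score is 0-10, or -1 when Scorecard could not
// evaluate the check (rate-limited API, missing token, internal error).
type Check struct {
	Name   string `json:"name"`
	Score  int    `json:"score"`
	Reason string `json:"reason"`
}

// Policy maps a check name to the minimum score that passes the gate.
type Policy map[string]int

// Violation records a check that failed the policy; Got is -1 when the check
// was inconclusive or absent from the output.
type Violation struct {
	Check string
	Got   int
	Want  int
}

func (v Violation) String() string {
	if v.Got < 0 {
		return fmt.Sprintf("%s: no result (want >= %d)", v.Check, v.Want)
	}
	return fmt.Sprintf("%s: score %d (want >= %d)", v.Check, v.Got, v.Want)
}

// Evaluate parses Scorecard JSON and returns policy violations sorted by name.
// A -1 score fails closed: a check that could not run is not a pass. A check
// the policy names but the output lacks (older Scorecard, or a --checks filter
// that excluded it) is reported as a violation too.
func Evaluate(raw []byte, p Policy) ([]Violation, error) {
	var r Result
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, fmt.Errorf("parse scorecard output: %w", err)
	}
	seen := make(map[string]bool, len(r.Checks))
	var out []Violation
	for _, c := range r.Checks {
		seen[c.Name] = true
		if want, ok := p[c.Name]; ok && (c.Score < 0 || c.Score < want) {
			out = append(out, Violation{c.Name, c.Score, want})
		}
	}
	for name, want := range p {
		if !seen[name] {
			out = append(out, Violation{name, -1, want})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Check < out[j].Check })
	return out, nil
}

// DefaultPolicy is an illustrative threshold set, not a Scorecard recommendation.
var DefaultPolicy = Policy{
	"Binary-Artifacts":    10,
	"Branch-Protection":   5,
	"Code-Review":         5,
	"Dangerous-Workflow":  10,
	"Pinned-Dependencies": 5,
	"Token-Permissions":   9,
}

// SampleJSON is constructed in the shape of `scorecard --format json` output;
// the repository, commits and scores are invented for this example.
const SampleJSON = `{
  "date": "2024-05-01",
  "repo": {"name": "github.com/example/project", "commit": "0123456789abcdef0123456789abcdef01234567"},
  "scorecard": {"version": "v5.0.0", "commit": "fedcba9876543210fedcba9876543210fedcba98"},
  "score": 6.1,
  "checks": [
    {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo", "details": null},
    {"name": "Branch-Protection", "score": 3, "reason": "branch protection is not maximal on development and all release branches",
     "details": ["Warn: 'force pushes' enabled on branch 'main'", "Warn: no status checks found to merge onto branch 'main'"]},
    {"name": "Dangerous-Workflow", "score": -1, "reason": "internal error: unable to list workflow files", "details": null},
    {"name": "Pinned-Dependencies", "score": 6, "reason": "dependency not pinned by hash detected", "details": null},
    {"name": "Token-Permissions", "score": 10, "reason": "GitHub workflow tokens follow principle of least privilege", "details": null}
  ],
  "metadata": null
}`

func main() {
	raw := []byte(SampleJSON)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		var err error
		if raw, err = io.ReadAll(os.Stdin); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	violations, err := Evaluate(raw, DefaultPolicy)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, v := range violations {
		fmt.Println("FAIL", v)
	}
	if len(violations) > 0 {
		os.Exit(1)
	}
	fmt.Println("PASS: all policy checks met")
}
```

Gating on per-check minimums rather than on the aggregate `score` field is deliberate: the aggregate is an average, so a regression in a single high-impact check (a workflow that becomes dangerous, a release that stops being signed) can be masked by strong scores elsewhere, and an inconclusive -1 is excluded from the average entirely, which is exactly the case a gate should notice.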
Key Features
- Roughly 20 automated checks covering dependency management, CI/CD, and project governance
- SARIF output integrates with GitHub Advanced Security code scanning alerts
- Supports both GitHub and GitLab repositories
- Provides actionable remediation steps for each failed check
- Batch scanning of many repositories is done by the cron infrastructure behind the public dataset; the CLI scans one --repo per invocation, so cover a fleet by looping over it in CI
Comparison with Similar Tools
- Snyk — commercial vulnerability scanner focused on dependency CVEs; Scorecard evaluates project security practices holistically
- Dependabot — automates dependency updates; Scorecard assesses whether pinning and update practices are in place
- FOSSA — license compliance and security; Scorecard focuses on supply chain hygiene rather than license scanning
- Trivy — scans container images and filesystems for vulnerabilities; Scorecard evaluates repository-level security posture
- Socket — analyzes packages for risky behavior such as install scripts, network access, and obfuscated code; Scorecard checks project governance and maintenance practices
FAQ
Q: What does a Scorecard score of 7 mean? A: Each check is scored 0-10 by its own rubric, so a 7 on a check means the project meets most but not all of that check's criteria; -1 marks a check Scorecard could not evaluate. The repository-level score is a risk-weighted average of the check scores with inconclusive (-1) checks left out, so a 7 overall is a mix of passing and weak checks, and the per-check output tells you which.
Q: Can I run Scorecard on private repositories? A: Yes, as long as you provide a token that can read the repository (for GitHub, a token with the repo scope). The CLI writes results only where you direct its output. If you use scorecard-action on a private repository, leave publish_results disabled, since that option submits results to the public Scorecard API.
Q: How often should I run Scorecard? A: Running it in CI on each pull request or weekly ensures you catch regressions in security practices.
Q: Does Scorecard find CVEs in my code? A: Not the way a SAST or dependency scanner does. Its checks evaluate project hygiene (branch protection, code review, dependency pinning). The exceptions are the Vulnerabilities check, which queries the OSV database for known, unfixed vulnerabilities affecting the project and its dependencies, and the SAST check, which only verifies that a static analysis tool runs in CI, not what it finds.