What is the OpenSSF Scorecard?
The OpenSSF Scorecard project was created by the Open Source Security Foundation (OpenSSF), a collaborative group of leaders in technology and cybersecurity looking to help secure the open source software supply chain. The aim of the scorecard project is to help open source maintainers improve their security best practices and to help open source consumers assess whether the packages they are using are safe.
How the OpenSSF Scorecard works
The scorecard is an automated tool that assesses a number of important heuristics (“checks”) associated with software security and assigns each check a score of 0-10, as well as an overall top-level 0–10 score. The team behind the scorecard runs a regular analysis against millions of the most critical open source projects and publishes the resulting scores in a BigQuery public dataset.
What are the OpenSSF checks?
Scores are assigned based on defined software security checks and are under the following categories:
- Holistic security practices
- Code vulnerabilities
- Maintenance
- Continuous testing
- Source risk assessment
- Build risk assessment
Source: securityscorecards.dev
OpenSSF scorecard benefits
For maintainers
The OpenSSF provides an outline of security checks that help to better measure the security of your open source against industry-recommended security standards. Improving your OpenSSF scorecard score also signals to prospective users that your project is safe, resulting in more usage and downloads.
For open source consumers
Using open source packages that have been evaluated and scored against the OpenSSF scorecard helps teams learn more about the quality of the open source in their packages and helps teams make better decisions about the open source in use at their organization. This proactive approach is a key step organizations can make towards open source vulnerability management.
To learn more about the OpenSSF scorecard and how Tidelift partners with—and pays—open source maintainers to uphold a set of secure development practices that increase their scores on the OpenSSF Scorecard, follow this link to Tidelift’s OpenSSF scorecard documentation.