
OpenSSF Scorecard

The OpenSSF Scorecard, created by the Open Source Security Foundation (OpenSSF), assesses software security practices to help improve and evaluate the safety of open source packages.

What is the OpenSSF Scorecard?

The OpenSSF Scorecard project was created by the Open Source Security Foundation (OpenSSF), a collaborative group of leaders in technology and cybersecurity looking to help secure the open source software supply chain. The aim of the scorecard project is to help open source maintainers improve their security best practices and to help open source consumers assess whether the packages they are using are safe. 

How the OpenSSF Scorecard works

The scorecard is an automated tool that assesses a number of important heuristics (“checks”) associated with software security and assigns each check a score of 0–10, as well as an overall top-level 0–10 score. The team behind the scorecard runs a regular analysis against millions of the most critical open source projects and publishes the resulting scores in a BigQuery public dataset.

What are the OpenSSF checks?

Scores are assigned based on defined software security checks, which fall under the following categories:

  • Holistic security practices
    • Code vulnerabilities
    • Maintenance
    • Continuous testing
  • Source risk assessment
  • Build risk assessment

Source: securityscorecards.dev

OpenSSF scorecard benefits

For maintainers

The OpenSSF provides an outline of security checks that help you measure the security of your open source project against industry-recommended security standards. Improving your OpenSSF scorecard score also signals to prospective users that your project is safe, resulting in more usage and downloads.

For open source consumers

Using open source packages that have been evaluated and scored against the OpenSSF scorecard helps teams learn more about the quality of the open source components in their packages and make better decisions about the open source in use at their organization. This proactive approach is a key step organizations can take towards open source vulnerability management.
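As an added example (not code from this page or from the Scorecard project), the following policy gate shows how a consumer can act on a Scorecard report: it reads the JSON output (`scorecard --format json`), compares the overall 0–10 score and selected per-check scores against an organisation's own floors, and surfaces inconclusive checks (reported as -1) for manual review. The sample report, the repository name and the thresholds are constructed for illustration.

```python
"""Policy gate over OpenSSF Scorecard JSON output.

Added example, not part of the page or the Scorecard project. The JSON shape
(top-level "score", "checks" with "name"/"score"/"reason") follows Scorecard's
JSON format; the sample document and the policy thresholds are constructed.
"""
import json

INCONCLUSIVE = -1  # Scorecard reports -1 when a check could not be evaluated

# Constructed sample: what a consumer would receive for one repository.
SAMPLE_JSON = json.dumps({
    "repo": {"name": "github.com/example-org/example-lib", "commit": "deadbeef"},
    "score": 6.4,
    "checks": [
        {"name": "Vulnerabilities", "score": 10, "reason": "0 existing vulnerabilities detected"},
        {"name": "Maintained", "score": 8, "reason": "commit activity in the last 90 days"},
        {"name": "Branch-Protection", "score": 2, "reason": "branch protection not enabled"},
        {"name": "Pinned-Dependencies", "score": 3, "reason": "dependencies not pinned by hash"},
        {"name": "Fuzzing", "score": INCONCLUSIVE, "reason": "internal error"},
    ],
})

# Hypothetical organisational policy: a minimum overall score plus hard floors
# on the checks this team treats as non-negotiable.
POLICY = {
    "min_overall": 5.0,
    "check_floors": {"Vulnerabilities": 10, "Maintained": 5, "Branch-Protection": 5, "Fuzzing": 5},
}


def evaluate(scorecard_json: str, policy: dict = POLICY) -> dict:
    """Return {"pass": bool, "violations": [...], "inconclusive": [...]}."""
    result = json.loads(scorecard_json)
    checks = {c["name"]: c for c in result.get("checks", [])}
    violations, inconclusive = [], []

    overall = result.get("score")
    if overall is None or overall < policy["min_overall"]:
        violations.append(f"overall score {overall} below {policy['min_overall']}")

    for name, floor in policy["check_floors"].items():
        check = checks.get(name)
        if check is None:
            violations.append(f"{name}: check missing from report")
        elif check["score"] == INCONCLUSIVE:
            inconclusive.append(f"{name}: {check['reason']}")  # needs manual review
        elif check["score"] < floor:
            violations.append(f"{name}: {check['score']} < {floor} ({check['reason']})")

    # Inconclusive checks are surfaced but do not fail the gate by themselves.
    return {"pass": not violations, "violations": violations, "inconclusive": inconclusive}


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_JSON), indent=2))
```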

To learn more about the OpenSSF scorecard and how Tidelift partners with—and pays—open source maintainers to uphold a set of secure development practices that increase their scores on the OpenSSF Scorecard, follow this link to Tidelift’s OpenSSF scorecard documentation.


© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.