TL;DR, What is OpenSSF Scorecard?
OpenSSF Scorecard is an automated tool that assesses the security of open-source projects.
Many development teams struggle to check the security of their open-source dependencies, leaving them open to risks from unmaintained projects. Scorecard automates this review by checking repositories against known security best practices. The tool generates a score from 0-10, giving your team clear data to make better decisions about which dependencies to use and how to manage risk.
The Open Source Security Foundation (OpenSSF) created the tool in collaboration with Google and launched it in 2020 to make open-source security more transparent.
Catch code risks before you deploy
Learn how Wiz Code scans IaC, containers, and pipelines to stop misconfigurations and vulnerabilities before they hit your cloud.
At-A-Glance
GitHub: https://github.com/ossf/scorecard
License: Apache-2.0
Primary Language: Go
Stars: 5.1k ⭐
Last Release: v5.2.1 on May 30, 2024
Topics/Tags: security, supply-chain-security, security-audits, security-metrics, open-source-security
Common use cases
1. Proactive Dependency Security Vetting: Your team can use Scorecard to evaluate the security of third-party libraries and dependencies before adding them to a project. Analyzing a dependency's score and check results helps you avoid adding components with weak security practices or known risks.
2. Continuous Security Monitoring: When integrated into CI/CD pipelines through its GitHub Action, Scorecard automatically scans your project's repository on every code change. The action gives you constant visibility into your security, alerting developers right away if practices slip and helping you maintain a consistent security level.
3. Enterprise-Wide Risk Management: Security teams use Scorecard's batch processing to run large-scale checks across their organization's entire portfolio of software projects. You can use the aggregated data to find organization-wide risks, focus fixes on the most vulnerable repositories, and generate compliance reports.
4. Automated Supply Chain Governance: You can build Scorecard into your dependency management workflows to enforce security policies automatically. By setting minimum score thresholds or rules based on specific check results, you can programmatically approve, flag, or block dependencies that fail to meet your security standards.
5. Open-Source Ecosystem Analysis: Researchers and security analysts use Scorecard’s public dataset to identify widespread security trends and systemic risks within the open-source community. The resulting data helps shape security initiatives and gives organizations a better understanding of the wider threat landscape.
How does OpenSSF Scorecard work?
OpenSSF Scorecard assesses a repository against a suite of security checks. The process starts when you target a repository using the CLI or a GitHub Action. Scorecard's central check engine then runs multiple security checks at once, gathering evidence from the repository’s history and configuration. A final score aggregates the results, which you can export in formats like JSON or SARIF for easy use with your other tools.
Modular Check Engine: The core component runs individual check modules in parallel. Each module implements a specific security heuristic, like verifying branch protection, code review policies, or SAST tool usage.
Detailed Data Collection: Checks query repository APIs to gather evidence from different sources like commit history, dependency manifests, workflow files, and project settings to build a complete security picture.
Aggregated Scoring & Output: Scorecard aggregates results from individual checks using a weighted scoring algorithm. You can get the final report in multiple formats to integrate with security dashboards and policy enforcement tools.
The Secure Coding Best Practices [Cheat Sheet]
With curated insights and easy-to-follow code snippets, this 11-page cheat sheet simplifies complex security concepts, empowering every developer to build secure, reliable applications.
Core Capabilities
1. Automated Security Checks: Scorecard runs more than 18 automated checks to evaluate software supply chain security. The tool analyzes repository metadata for key indicators like code review enforcement, dependency pinning, branch protection, and SAST integration. Each check provides a 0-10 score with detailed findings and fix guidance, giving you a clear view of a project's security based on established best practices.
2. Multi-Platform and Local Repository Support: You can get consistent security assessments across different development environments because Scorecard supports repositories on GitHub, GitLab, and local Git instances. A platform-agnostic design means Scorecard applies the same security checks everywhere, helping you maintain a single, standard approach to security monitoring for both internal projects and third-party dependencies.
3. Customizable Policies and Structured Results: Scorecard delivers granular, structured results for each check, which empowers your organization to implement custom security policies beyond the default scoring. Teams can programmatically analyze detailed findings to create specific governance rules that align with their risk tolerance and compliance needs. This flexibility allows you to create a risk assessment that prioritizes security practices based on what's important to your organization.
4. CI/CD and Workflow Integration: Designed for automation, Scorecard fits directly into your development workflows through a dedicated GitHub Action and a flexible CLI. The GitHub Action provides continuous security feedback on every code change, publishing SARIF results for dashboard integration. Integrating security checks early in the CI/CD pipeline helps your teams find and fix security gaps automatically.
5. Enterprise-Scale Assessment and Analytics: Scorecard is built to work at scale, supporting batch processing of thousands of repositories. You can integrate it with analytics platforms like Google BigQuery to monitor security trends across your entire software portfolio and dependency ecosystem. Analyzing data at this scale helps your organization make better-informed decisions for risk management and security governance programs.
Limitations
1. Heuristic-Based Analysis: The tool's checks rely on heuristics and metadata analysis rather than deep code inspection. Because Scorecard's checks rely on metadata, the tool may not capture more complex security vulnerabilities.
2. Potential for False Positives/Negatives: Since checks rely on detectable patterns (e.g., file names, commit messages), they can be gamed or misinterpret unconventional development practices, leading to inaccurate scores or misleading security assessments.
3. Limited Dynamic Analysis: Scorecard focuses only on static repository artifacts and metadata. The tool does not perform any dynamic analysis, runtime checks, or penetration testing, so it can miss vulnerabilities that only appear during execution.
4. Requires Repository Access: To perform a complete scan, the tool requires read access to repository metadata and, for some checks, content. The access requirement may be a barrier to assessing closed-source or private projects.
5. Focus on Process over Implementation: The tool excels at verifying if security processes are in place (e.g., code reviews, SAST tools) but cannot validate the quality or effectiveness of their implementation, such as how thorough a code review was.
If you're using OpenSSF Scorecard to assess the security hygiene of your dependencies, you can prioritize the results with Wiz. OpenSSF Scorecard provides a great baseline of a project's security practices, but Wiz adds the missing cloud context—showing you how a vulnerability from a dependency creates an actual attack path to your critical assets.
Getting Started:
Step 1: Install Go (required for standalone install). Follow instructions at https://golang.org/doc/install.
Step 2: Download Scorecard. Either use Docker by running:
docker pull gcr.io/openssf/scorecard:stableOr use Homebrew:
brew install scorecardOr download the zip from https://github.com/ossf/scorecard/releases/latest and place the binary in your GOPATH/bin.
Step 3: Authenticate to avoid GitHub API rate limits. Create a GitHub personal access token and set it via:
export GITHUB_AUTH_TOKEN=your_tokenStep 4: Run Scorecard on a repository. For example:
scorecard --repo=github.com/ossf-tests/scorecard-check-branch-protection-e2eOr using Docker:
docker run -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/ossf/scorecardFAQ
Alternatives
| Feature | OpenSSF Scorecard | CloudCustodian | Open Policy Agent (OPA) | Allstar |
|---|---|---|---|---|
| Primary Focus | Automated security health metrics for open-source projects | Cloud security and policy enforcement | Unified policy enforcement across the cloud-native stack | End-to-end Kubernetes security (configuration, vulnerabilities, runtime) |
| Scope | GitHub, GitLab, and local Git repositories | AWS, Azure, Google Cloud | Kubernetes, microservices, CI/CD pipelines, and more | Kubernetes clusters, manifests, and Helm Charts |
| Policy Language | Pre-defined checks with customizable scoring | YAML-based policy language | Rego (a declarative policy language) | Uses OPA for custom policies but also has built-in checks |
| Integration | GitHub Action, CLI, BigQuery | CLI, serverless functions | Library, API, sidecar proxy | CLI, IDE extensions (VSCode, Lens), CI/CD integrations |
| Key Features | Automated checks for security best practices, CI/CD integration, structured results for custom policies, large-scale assessment | Real-time compliance, automated remediation, cost management | Decoupled policy from application code, context-aware policies | Configuration and vulnerability scanning, policy and compliance enforcement, network policy and seccomp validation, runtime threat detection |