MCPcopy
hub / github.com/ossf/scorecard

github.com/ossf/scorecard @v5.5.0 sqlite

repository ↗ · DeepWiki ↗ · release v5.5.0 ↗
2,699 symbols 10,273 edges 593 files 949 documented · 35%
README

OpenSSF Scorecard

OpenSSF Scorecard OpenSSF Best Practices build CodeQL Go Reference Go Report Card codecov SLSA 3 Slack

Overview

Using Scorecard

Checks

Other Important Recommendations

Scoring

Contribute

FAQ

Overview

What is Scorecard?

We created Scorecard to help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe.

Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.

The inspiration for Scorecard’s logo: "You passed! All D's ... and an A!"

Project Goals

  1. Automate analysis and trust decisions on the security posture of open source projects.

  2. Use this data to proactively improve the security posture of the critical projects the world depends on.

  3. Act as a measurement tool for existing policies

    If OSS consumers require certain behaviors from their dependencies, Scorecard can be used to measure those. With the V5 release, we see Structured Results as a way of doing this if there is a supported analysis. Instead of relying on an aggregate score of X/10, or a Maintained score of Y/10, an OSS consumer may want to ensure the repo they're depending on isn't archived (which is covered by the archived probe). The OpenSSF takes this approach with its own Security Baseline for projects.

Project Non-Goals

  1. To be a definitive report or requirement that all projects should follow.

    Scorecard is not intended to be a one-size-fits-all solution. Every step of making our results is opinionated: what checks get included or excluded, the importance of each check, and how scores are calculated. The checks themselves are heuristics; there are false positives and false negatives.

    Whether it’s due to applicability, or feasibility, or a matter of opinion, what's included or excluded from Scorecard results leads to a lot of discussion. It’s impossible to create a Scorecard that satisfies everyone because different audiences will care about different subsets of behavior.

    Aggregate scores in particular tells you nothing about what individual behaviors a repository is or is not doing. Many check scores are aggregated into a single score, and there’s multiple ways of arriving at the same score. These scores change as we add new heuristics or refine the existing ones.

Prominent Scorecard Users

Scorecard has been run on thousands of projects to monitor and track security metrics. Prominent projects that use Scorecard include:

View a Project's Score

To see scores for projects regularly scanned by Scorecard, navigate to the webviewer. You can also replace the placeholder text (platform, user/org, and repository name) in the following template link to generate a custom Scorecard link for a repo: https://scorecard.dev/viewer/?uri=<github_or_gitlab>.com/<user_name_or_org>/<repository_name>

For example: - https://scorecard.dev/viewer/?uri=github.com/ossf/scorecard - https://scorecard.dev/viewer/?uri=gitlab.com/fdroid/fdroidclient

To view scores for projects not included in the webviewer, use the Scorecard CLI.

Public Data

We run a weekly Scorecard scan of the 1 million most critical open source projects judged by their direct dependencies and publish the results in a BigQuery public dataset.

This data is available in the public BigQuery dataset openssf:scorecardcron.scorecard-v2. The latest results are available in the BigQuery view openssf:scorecardcron.scorecard-v2_latest.

You can query the data using BigQuery Explorer by navigating to Add Data > Star a project by name > 'openssf'. For example, you may be interested in how a project's score has changed over time:

SELECT date, score FROM `openssf.scorecardcron.scorecard-v2` WHERE repo.name="github.com/ossf/scorecard" ORDER BY date ASC

You can extract the latest results to Google Cloud storage in JSON format using the bq tool:

# Get the latest PARTITION_ID
bq query --nouse_legacy_sql 'SELECT partition_id FROM
openssf.scorecardcron.INFORMATION_SCHEMA.PARTITIONS WHERE table_name="scorecard-v2"
AND partition_id!="__NULL__" ORDER BY partition_id DESC
LIMIT 1'

# Extract to GCS
bq extract --destination_format=NEWLINE_DELIMITED_JSON
'openssf:scorecardcron.scorecard-v2$<partition_id>' gs://bucket-name/filename-*.json

The list of projects that are checked is available in the cron/internal/data/projects.csv file in this repository. If you would like us to track more, please feel free to send a Pull Request with others. Currently, this list is derived from projects hosted on GitHub ONLY. We do plan to expand them in near future to account for projects hosted on other source control systems.

Using Scorecard

Scorecard GitHub Action

The easiest way to use Scorecard on GitHub projects you own is with the Scorecard GitHub Action. The Action runs on any repository change and issues alerts that maintainers can view in the repository’s Security tab. For more information, see the Scorecard GitHub Action installation instructions.

Scorecard REST API

To query pre-calculated scores of OSS projects, use the REST API. Scores calculated from our weekly scan omit the CI-Tests, Contributors, and Dependency-Update-Tool checks due to the API costs associated with running them at scale.

API results are cached with a CDN (thanks to Fastly and their Fast Forward program). Results are purged from the CDN when new results are available, but if you notice issues with stale data, please open an issue.

To enable your project to be available on the REST API, set publish_results: true in the Scorecard GitHub Action setting.

Data provided by the REST API is licensed under the CDLA Permissive 2.0.

Scorecard Badges

Enabling publish_results: true in Scorecard GitHub Actions also allows maintainers to display a Scorecard badge on their repository to show off their hard work. This badge also auto-updates for every change made to the repository. See more details on this OSSF blogpost.

To include a badge on your project's repository, simply add the following markdown to your README:

[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/{owner}/{repo}/badge)](https://scorecard.dev/viewer/?uri=github.com/{owner}/{repo})

Scorecard Command Line Interface

To run a Scorecard scan on projects you do not own, use the command line interface installation option.

Prerequisites

Platforms: Currently, Scorecard supports OSX and Linux platforms. If you are using a Windows OS you may experience issues. Contributions towards supporting Windows are welcome.

Language: You must have GoLang installed to run Scorecard (https://golang.org/doc/install)

Installation

Docker

scorecard is available as a Docker container:

docker pull ghcr.io/ossf/scorecard:latest

To use a specific scorecard version (e.g., v3.2.1), run:

docker pull ghcr.io/ossf/scorecard:v3.2.1
Standalone

To install Scorecard as a standalone:

Visit our latest release page and download the correct zip file for your operating system.

Add the binary to your GOPATH/bin directory (use go env GOPATH to identify your directory if necessary).

Verifying SLSA provenance for downloaded releases

We generate SLSA3 signatures using the OpenSSF's slsa-framework/slsa-github-generator during the release process. To verify a release binary: 1. Install the verification tool from slsa-framework/slsa-verifier#installation. 2. Download the signature file attestation.intoto.jsonl from the GitHub releases page. 3. Run the verifier:

slsa-verifier -artifact-path <the-zip> -provenance attestation.intoto.jsonl -source github.com/ossf/scorecard -tag <the-tag>
Using package managers
Package Manager Supported Distribution Command
Nix NixOS nix-shell -p nixpkgs.scorecard
AUR helper Arch Linux Use your AUR helper to install scorecard
Homebrew macOS or Linux brew install scorecard

Authentication

GitHub imposes api rate limits on unauthenticated requests. To avoid these limits, you must authenticate your requests before running Scorecard. There are two ways to authenticate your requests: either create a GitHub personal access token, or create a GitHub App Installation.

  • Create a classic GitHub personal access token. When creating the personal access token, we suggest you choose the public_repo scope. Set the token in an environment variable called GITHUB_AUTH_TOKEN, GITHUB_TOKEN, GH_AUTH_TOKEN or GH_TOKEN using the commands below according to your platform.

```shell

For posix platforms, e.g. linux, mac:

export GITHUB_AUTH_TOKEN=

Multiple tokens can be provided separated by comma to be utilized

in a round robin fashion.

export GITHUB_AUTH_TOKEN=,

For windows:

set GITHUB_AUTH_TOKEN= set GITHUB_AUTH_TOKEN=,<y

Extension points exported contracts — how you extend this code

RepoClient (Interface)
RepoClient interface is used by Scorecard checks to access a repo. [8 implementers]
clients/repo_client.go
Repo (Interface)
Repo interface uniquely identifies a repo. [6 implementers]
clients/repo.go
CIIBestPracticesClient (Interface)
CIIBestPracticesClient interface returns the BadgeLevel for a repo URL. [4 implementers]
clients/cii_client.go
TokenAccessor (Interface)
TokenAccessor interface defines a `retrieve-once` data structure. Implementations of this interface must be thread-safe. [4 …
clients/githubrepo/roundtripper/tokens/accessor.go
ProjectPackageClient (Interface)
This interface lets Scorecard look up package manager metadata for a project. [3 implementers]
internal/packageclient/depsdev.go
Doc (Interface)
Doc defines the documentation interface. [3 implementers]
docs/checks/doc.go
VulnerabilitiesClient (Interface)
VulnerabilitiesClient checks for vulnerabilities in vuln DB. [3 implementers]
clients/vulnerabilities.go
DetailLogger (Interface)
DetailLogger logs a CheckDetail struct. [2 implementers]
checker/detail_logger.go

Core symbols most depended-on inside this repo

Run
called by 376
cmd/internal/scdiff/app/generate.go
WithMessage
called by 293
finding/finding.go
Error
called by 207
checker/raw_result.go
EXPECT
called by 151
clients/mockclients/repo_client.go
Close
called by 139
clients/repo_client.go
InitRepo
called by 117
clients/repo_client.go
String
called by 103
clients/repo.go
NewWith
called by 99
finding/finding.go

Shape

Function 1,433
Method 739
Struct 433
FuncType 38
TypeAlias 34
Interface 22

Languages

Go100%

Modules by API surface

checks/raw/shell_download_validate.go58 symbols
pkg/scorecard/json_raw_results.go55 symbols
checker/raw_result.go54 symbols
clients/mockclients/repo_client.go52 symbols
pkg/scorecard/sarif.go49 symbols
clients/githubrepo/branches.go36 symbols
cron/config/config.go34 symbols
clients/githubrepo/client.go33 symbols
clients/ossfuzz/client.go32 symbols
checks/raw/pinned_dependencies_test.go32 symbols
clients/localdir/client.go31 symbols
clients/gitlabrepo/client.go29 symbols

Dependencies from manifests, versioned

4d63.com/gocheckcompilerdirectivesv1.3.0 · 1×
4d63.com/gochecknoglobalsv0.2.2 · 1×
al.essio.dev/pkg/shellescapev1.6.0 · 1×
bitbucket.org/creachadair/stringsetv0.0.14 · 1×
cel.dev/exprv0.25.1 · 1×
cloud.google.com/gov0.123.0 · 1×
cloud.google.com/go/authv0.18.0 · 1×
cloud.google.com/go/auth/oauth2adaptv0.2.8 · 1×
cloud.google.com/go/bigqueryv1.73.1 · 1×
cloud.google.com/go/compute/metadatav0.9.0 · 1×
cloud.google.com/go/containeranalysisv0.14.2 · 1×

For agents

$ claude mcp add scorecard \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact