
We created Scorecard to help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe.
Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.
The inspiration for Scorecard’s logo: "You passed! All D's ... and an A!"
Automate analysis and trust decisions on the security posture of open source projects.
Use this data to proactively improve the security posture of the critical projects the world depends on.
Act as a measurement tool for existing policies
If OSS consumers require certain behaviors from their dependencies,
Scorecard can be used to measure those. With the V5 release, we see
Structured Results as a way of doing this if there is a supported analysis.
Instead of relying on an aggregate score of X/10, or a Maintained score of
Y/10, an OSS consumer may want to ensure the repo they're depending on
isn't archived (which is covered by the archived probe). The OpenSSF
takes this approach with its own Security Baseline for projects.
To be a definitive report or requirement that all projects should follow.
Scorecard is not intended to be a one-size-fits-all solution. Every step of making our results is opinionated: what checks get included or excluded, the importance of each check, and how scores are calculated. The checks themselves are heuristics; there are false positives and false negatives.
Whether it’s due to applicability, or feasibility, or a matter of opinion, what's included or excluded from Scorecard results leads to a lot of discussion. It’s impossible to create a Scorecard that satisfies everyone because different audiences will care about different subsets of behavior.
Aggregate scores in particular tells you nothing about what individual behaviors a repository is or is not doing. Many check scores are aggregated into a single score, and there’s multiple ways of arriving at the same score. These scores change as we add new heuristics or refine the existing ones.
Scorecard has been run on thousands of projects to monitor and track security metrics. Prominent projects that use Scorecard include:
To see scores for projects regularly scanned by Scorecard, navigate to the webviewer. You can also replace the placeholder text (platform, user/org, and repository name) in the following template link to generate a custom Scorecard link for a repo:
https://scorecard.dev/viewer/?uri=<github_or_gitlab>.com/<user_name_or_org>/<repository_name>
For example: - https://scorecard.dev/viewer/?uri=github.com/ossf/scorecard - https://scorecard.dev/viewer/?uri=gitlab.com/fdroid/fdroidclient
To view scores for projects not included in the webviewer, use the Scorecard CLI.
We run a weekly Scorecard scan of the 1 million most critical open source projects judged by their direct dependencies and publish the results in a BigQuery public dataset.
This data is available in the public BigQuery dataset
openssf:scorecardcron.scorecard-v2. The latest results are available in the
BigQuery view openssf:scorecardcron.scorecard-v2_latest.
You can query the data using BigQuery Explorer by navigating to Add Data > Star a project by name > 'openssf'. For example, you may be interested in how a project's score has changed over time:
SELECT date, score FROM `openssf.scorecardcron.scorecard-v2` WHERE repo.name="github.com/ossf/scorecard" ORDER BY date ASC
You can extract the latest results to Google Cloud storage in JSON format using
the bq tool:
# Get the latest PARTITION_ID
bq query --nouse_legacy_sql 'SELECT partition_id FROM
openssf.scorecardcron.INFORMATION_SCHEMA.PARTITIONS WHERE table_name="scorecard-v2"
AND partition_id!="__NULL__" ORDER BY partition_id DESC
LIMIT 1'
# Extract to GCS
bq extract --destination_format=NEWLINE_DELIMITED_JSON
'openssf:scorecardcron.scorecard-v2$<partition_id>' gs://bucket-name/filename-*.json
The list of projects that are checked is available in the
cron/internal/data/projects.csv
file in this repository. If you would like us to track more, please feel free to
send a Pull Request with others. Currently, this list is derived from projects
hosted on GitHub ONLY. We do plan to expand them in near future to account for
projects hosted on other source control systems.
The easiest way to use Scorecard on GitHub projects you own is with the Scorecard GitHub Action. The Action runs on any repository change and issues alerts that maintainers can view in the repository’s Security tab. For more information, see the Scorecard GitHub Action installation instructions.
To query pre-calculated scores of OSS projects, use the REST API.
Scores calculated from our weekly scan omit the CI-Tests,
Contributors, and Dependency-Update-Tool checks due to the API costs
associated with running them at scale.
API results are cached with a CDN (thanks to Fastly and their Fast Forward program). Results are purged from the CDN when new results are available, but if you notice issues with stale data, please open an issue.
To enable your project to be available on the REST API, set
publish_results: true
in the Scorecard GitHub Action setting.
Data provided by the REST API is licensed under the CDLA Permissive 2.0.
Enabling publish_results: true
in Scorecard GitHub Actions also allows maintainers to display a Scorecard badge on their repository to show off their
hard work. This badge also auto-updates for every change made to the repository. See more details on this OSSF blogpost.
To include a badge on your project's repository, simply add the following markdown to your README:
[](https://scorecard.dev/viewer/?uri=github.com/{owner}/{repo})
To run a Scorecard scan on projects you do not own, use the command line interface installation option.
Platforms: Currently, Scorecard supports OSX and Linux platforms. If you are using a Windows OS you may experience issues. Contributions towards supporting Windows are welcome.
Language: You must have GoLang installed to run Scorecard (https://golang.org/doc/install)
scorecard is available as a Docker container:
docker pull ghcr.io/ossf/scorecard:latest
To use a specific scorecard version (e.g., v3.2.1), run:
docker pull ghcr.io/ossf/scorecard:v3.2.1
To install Scorecard as a standalone:
Visit our latest release page and download the correct zip file for your operating system.
Add the binary to your GOPATH/bin directory (use go env GOPATH to identify your directory if necessary).
We generate SLSA3 signatures using the OpenSSF's slsa-framework/slsa-github-generator during the release process. To verify a release binary:
1. Install the verification tool from slsa-framework/slsa-verifier#installation.
2. Download the signature file attestation.intoto.jsonl from the GitHub releases page.
3. Run the verifier:
slsa-verifier -artifact-path <the-zip> -provenance attestation.intoto.jsonl -source github.com/ossf/scorecard -tag <the-tag>
| Package Manager | Supported Distribution | Command |
|---|---|---|
| Nix | NixOS | nix-shell -p nixpkgs.scorecard |
| AUR helper | Arch Linux | Use your AUR helper to install scorecard |
| Homebrew | macOS or Linux | brew install scorecard |
GitHub imposes api rate limits on unauthenticated requests. To avoid these limits, you must authenticate your requests before running Scorecard. There are two ways to authenticate your requests: either create a GitHub personal access token, or create a GitHub App Installation.
public_repo scope. Set the token in an environment variable called
GITHUB_AUTH_TOKEN, GITHUB_TOKEN, GH_AUTH_TOKEN or GH_TOKEN using the
commands below according to your platform.```shell
export GITHUB_AUTH_TOKEN=
export GITHUB_AUTH_TOKEN=,
set GITHUB_AUTH_TOKEN= set GITHUB_AUTH_TOKEN=,<y
$ claude mcp add scorecard \
-- python -m otcore.mcp_server <graph>