OpenSSF Scorecard 101

Ulises Gascón

Member of the Express Technical Committee (TC), TC39 Delegate, as well as a Node.js core collaborator and releaser

Ulises Gascón

Also Docker Captain, Microsoft Most Valuable Professional (MVP), and Google Developer Expert (GDE)

The Open Source Security Foundation (OpenSSF) is a community of software developers, security engineers, and more who are working together to secure open source software for the greater public good.

openSSF Structure

WGs, Projects, & SIGs

Landscape

Resources

OpenSSF Scorecard

Scorecard assesses open source projects for security risks through a series of automated checks

The target

The Scorecard evaluates the security of your project based on automated checks related to four scenarios:

Risk levels

Each automated check returns a score out of 10 and a risk level. The risk level adds a weighting to the score, and this weighting is compiled into a single, aggregate score. This score helps give a sense of the overall security posture of a project.

Risk levels

The riskiness of each vulnerability is based on how easy it is to exploit. For example if something can be exploited via a pull request, we consider that a high risk.

There are currently 18 checks made across 3 themes: holistic security practises, source code risk assessment and build process risk assessment.