The OpenSSF Scorecard project was created by the Open Source Security Foundation (OpenSSF), a collaborative group of technology and cybersecurity organizations working to secure the open source software supply chain. The aim of the Scorecard project is to help open source maintainers adopt security best practices and to help open source consumers assess the security posture of the packages they depend on.
Scorecard is an automated tool that evaluates a set of heuristics ("checks") associated with software security, each covering a practice that can be measured from a project's repository, and assigns each check a score from 0 to 10 (a check that cannot be evaluated is reported as inconclusive rather than scored). The per-check results are combined into a single aggregate score, also on a 0 to 10 scale, weighted by the risk level the project assigns to each check. The team behind Scorecard runs weekly scans of over a million of the most widely used open source projects and publishes the resulting scores in a public BigQuery dataset.
Scores are assigned based on defined software security checks, which are grouped into categories. [Figure: the Scorecard checks grouped by category. Source: securityscorecards.dev]
The OpenSSF documents each check, what it measures, and how to remediate a low score, so maintainers can compare their project against industry-recommended practices. Improving a project's Scorecard score also signals to prospective users that the project follows those practices, which can make them more confident in adopting it. Note that the score measures the presence of good practices such as branch protection, dependency pinning and code review; a high score does not by itself mean a package is free of vulnerabilities.
Learn more about Tidelift’s partnership with maintainers and how a focused effort on scorecards increased overall maintainers’ scores by 57% in the Tidelift 2023 open source maintainer impact report.
Using open source packages that have been evaluated and scored against the OpenSSF Scorecard gives teams a consistent, repeatable signal about the development practices behind the open source they consume and helps them make better decisions about which packages to adopt and where to focus review. Because Scorecard data is published as machine-readable results, these decisions can be automated, for example by flagging dependencies whose aggregate score or critical checks fall below a threshold. Used alongside vulnerability scanning, this proactive approach is a key step organizations can take towards open source vulnerability management.
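The scoring model described above (0 to 10 per check, -1 for an inconclusive check, plus a single aggregate score) and the consumer-side decision it supports can be put into code. The following is an added example written for this page, not code from the Scorecard project or from Tidelift. It parses a result in the JSON shape returned by the public Scorecard API (https://api.securityscorecards.dev/projects/github.com/<org>/<repo>) and applies a simple adoption policy. The repository name, commit hashes, scores and reason strings in the embedded sample are constructed for illustration, and the per-check thresholds in CHECK_MINIMUMS are this example's own policy choices, not values defined by the Scorecard project.

```python
"""Parse an OpenSSF Scorecard result and apply a dependency-adoption policy."""
import json
import urllib.request

SCORECARD_API = "https://api.securityscorecards.dev/projects/"

# Constructed sample in the shape the Scorecard API returns. Repo name, commits,
# scores and reason strings are made up for this example.
SAMPLE_RESULT = json.dumps({
    "date": "2024-01-15",
    "repo": {"name": "github.com/example-org/example-lib",
             "commit": "0123456789abcdef0123456789abcdef01234567"},
    "scorecard": {"version": "v4.13.1",
                  "commit": "abcdef0123456789abcdef0123456789abcdef01"},
    "score": 6.4,
    "checks": [
        {"name": "Binary-Artifacts", "score": 10,
         "reason": "no binaries found in the repo", "details": None,
         "documentation": {"short": "Checks for binary artifacts", "url": ""}},
        {"name": "Branch-Protection", "score": 3,
         "reason": "branch protection is not maximal on development and/or release branches",
         "details": None, "documentation": {"short": "", "url": ""}},
        {"name": "Dangerous-Workflow", "score": 10,
         "reason": "no dangerous workflow patterns detected",
         "details": None, "documentation": {"short": "", "url": ""}},
        {"name": "Pinned-Dependencies", "score": -1,
         "reason": "internal error: could not analyze workflows",
         "details": None, "documentation": {"short": "", "url": ""}},
        {"name": "Token-Permissions", "score": 0,
         "reason": "detected GitHub workflow tokens with excessive permissions",
         "details": None, "documentation": {"short": "", "url": ""}},
        {"name": "Vulnerabilities", "score": 10,
         "reason": "no vulnerabilities detected",
         "details": None, "documentation": {"short": "", "url": ""}},
    ],
})

# Checks whose low score maps to a concrete supply-chain risk, with the minimum
# score this example's policy accepts. These thresholds are an assumption.
CHECK_MINIMUMS = {
    "Dangerous-Workflow": 10,   # any unsafe CI workflow pattern is disqualifying
    "Token-Permissions": 7,     # CI tokens should be read-only by default
    "Vulnerabilities": 10,      # no known unfixed vulnerabilities
    "Binary-Artifacts": 10,     # no unreviewable binaries checked in
}


def fetch_scorecard(repo: str, timeout: float = 10.0) -> dict:
    """Fetch the latest published result for a repo such as 'github.com/ossf/scorecard'.
    Requires network access; the rest of this example runs on SAMPLE_RESULT."""
    with urllib.request.urlopen(SCORECARD_API + repo, timeout=timeout) as resp:
        return json.load(resp)


def load_sample() -> dict:
    """Return the constructed sample result as a parsed dict."""
    return json.loads(SAMPLE_RESULT)


def evaluate(result: dict, min_overall: float = 5.0,
             check_minimums: dict = CHECK_MINIMUMS) -> dict:
    """Apply the policy and return a verdict with the evidence behind it.

    Per-check scores run 0..10; a score of -1 means Scorecard could not run the
    check, which is reported as inconclusive rather than treated as a pass.
    """
    failures, inconclusive, seen = [], [], set()
    for check in result.get("checks", []):
        name, score = check["name"], check["score"]
        seen.add(name)
        if score < 0:
            inconclusive.append(name)
            continue
        minimum = check_minimums.get(name)
        if minimum is not None and score < minimum:
            failures.append((name, score, check.get("reason", "")))
    overall = result.get("score", -1)
    if overall < min_overall:
        failures.append(("overall", overall, f"aggregate score below {min_overall}"))
    # A required check that is absent or inconclusive cannot be trusted as passing.
    missing = sorted(set(check_minimums) - seen)
    blocked_by_unknown = any(n in check_minimums for n in inconclusive)
    return {
        "repo": result.get("repo", {}).get("name", ""),
        "scorecard_date": result.get("date", ""),
        "passed": not failures and not missing and not blocked_by_unknown,
        "failures": failures,
        "inconclusive": inconclusive,
        "missing": missing,
    }


if __name__ == "__main__":
    verdict = evaluate(load_sample())
    print(json.dumps(verdict, indent=2))
```

The verdict is deliberately explicit about why a package failed: a failure on Token-Permissions (a workflow token with write access) tells a reviewer exactly which practice to raise with the maintainer, whereas the aggregate score alone would not. The same top-level fields are produced by the scorecard CLI with `--format json`, so the evaluate function can be pointed at a locally generated result for a project the public scans do not cover.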
To learn more about the OpenSSF Scorecard and how Tidelift partners with, and pays, open source maintainers to uphold a set of secure development practices that raise their Scorecard scores, see Tidelift's OpenSSF Scorecard documentation.