The highest tagged major version is
README
¶
Security Scorecards
Overview
Using Scorecards
Checks
- Default Scorecards Checks
- Detailed Check Documentation (Scoring Criteria, Risks, and Remediation)
Contribute
- Code of Conduct
- Contribute to Scorecards
- Add a New Check
- Connect with the Scorecards Community
- Report a Security Issue
Overview
What is Scorecards?
We created Scorecards to give consumers of open-source projects an easy way to judge whether their dependencies are safe.
Scorecards is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.
The inspiration for Scorecards’ logo: "You passed! All D's ... and an A!"
Project Goals
-
Automate analysis and trust decisions on the security posture of open source projects.
-
Use this data to proactively improve the security posture of the critical projects the world depends on.
Prominent Scorecards Users
Scorecards has been run on thousands of projects to monitor and track security metrics. Prominent projects that use Scorecards include:
Using Scorecards
Prerequisites
Platforms: Currently, Scorecards supports OSX and Linux platforms. If you are using a Windows OS you may experience issues. Contributions towards supporting Windows are welcome.
Language: You must have GoLang installed to run Scorecards (https://golang.org/doc/install)
Installation
To install Scorecards:
- Visit our latest release page and download the correct binary for your operating system
- Extract the binary file
- Add the binary to your
GOPATH/bindirectory (usego env GOPATHto identify your directory if necessary)
Authentication
Before running Scorecard, you need to either:
- create a GitHub access token
and set it in an environment variable called
GITHUB_AUTH_TOKEN,GITHUB_TOKEN,GH_AUTH_TOKENorGH_TOKEN. This helps to avoid the GitHub's api rate limits with unauthenticated requests.
# For posix platforms, e.g. linux, mac:
export GITHUB_AUTH_TOKEN=<your access token>
# Multiple tokens can be provided separated by comma to be utilized
# in a round robin fashion.
export GITHUB_AUTH_TOKEN=<your access token1>,<your access token2>
# For windows:
set GITHUB_AUTH_TOKEN=<your access token>
set GITHUB_AUTH_TOKEN=<your access token1>,<your access token2>
- create a GitHub App Installations for higher rate-limit quotas. If you have an installed GitHub App and key file, you can use the three environment variables below, following the commands shown above for your platform.
GITHUB_APP_KEY_PATH=<path to the key file on disk>
GITHUB_APP_INSTALLATION_ID=<installation id>
GITHUB_APP_ID=<app id>
These variables can be obtained from the GitHub developer settings page.
Basic Usage
Docker
scorecard is available as a Docker container:
The GITHUB_AUTH_TOKEN has to be set to a valid token
docker run -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/ossf/scorecard
Using repository URL
Scorecards can run using just one argument, the URL of the target repo:
$ scorecard --repo=github.com/ossf-tests/scorecard-check-branch-protection-e2e
Starting [CII-Best-Practices]
Starting [Fuzzing]
Starting [Pinned-Dependencies]
Starting [CI-Tests]
Starting [Maintained]
Starting [Packaging]
Starting [SAST]
Starting [Dependency-Update-Tool]
Starting [Token-Permissions]
Starting [Security-Policy]
Starting [Signed-Releases]
Starting [Binary-Artifacts]
Starting [Branch-Protection]
Starting [Code-Review]
Starting [Contributors]
Starting [Vulnerabilities]
Finished [CI-Tests]
Finished [Maintained]
Finished [Packaging]
Finished [SAST]
Finished [Signed-Releases]
Finished [Binary-Artifacts]
Finished [Branch-Protection]
Finished [Code-Review]
Finished [Contributors]
Finished [Dependency-Update-Tool]
Finished [Token-Permissions]
Finished [Security-Policy]
Finished [Vulnerabilities]
Finished [CII-Best-Practices]
Finished [Fuzzing]
Finished [Pinned-Dependencies]
RESULTS
-------
Aggregate score: 7.9 / 10
Check scores:
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| SCORE | NAME | REASON | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 9 / 10 | Branch-Protection | branch protection is not | github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection |
| | | maximal on development and all | |
| | | release branches | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| ? | CI-Tests | no pull request found | github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no badge found | github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 10 / 10 | Code-Review | branch protection for default | github.com/ossf/scorecard/blob/main/docs/checks.md#code-review |
| | | branch is enabled | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10 | Contributors | 0 different companies found -- | github.com/ossf/scorecard/blob/main/docs/checks.md#contributors |
| | | score normalized to 0 | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10 | Dependency-Update-Tool | no update tool detected | github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed in | github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing |
| | | OSS-Fuzz | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 1 / 10 | Maintained | 2 commit(s) found in the last | github.com/ossf/scorecard/blob/main/docs/checks.md#maintained |
| | | 90 days -- score normalized to | |
| | | 1 | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| ? | Packaging | no published package detected | github.com/ossf/scorecard/blob/main/docs/checks.md#packaging |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 8 / 10 | Pinned-Dependencies | unpinned dependencies detected | github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies |
| | | -- score normalized to 8 | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10 | SAST | no SAST tool detected | github.com/ossf/scorecard/blob/main/docs/checks.md#sast |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy |
| | | detected | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| ? | Signed-Releases | no releases found | github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 10 / 10 | Token-Permissions | tokens are read-only in GitHub | github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions |
| | | workflows | |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | no vulnerabilities detected | github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
Scoring
Each individual check returns a score of 0 to 10, with 10 representing the best possible score. Scorecards also produces an aggregate score, which is a weight-based average of the individual checks weighted by risk.
- “Critical” risk checks are weighted at 10
- “High” risk checks are weighted at 7.5
- “Medium” risk checks are weighted at 5
- “Low” risk checks are weighted at 2.5
Note: there are currently no Scorecards checks rated as “Critical” risk.
Tests that are rated as “High” risk are:
- Maintained
- Dependency-Update-Tool
- Binary-Artifacts
- Branch-Protection
- Code-Review
- Signed-Releases
- Token-Permissions
- Vulnerabilities
Tests that are rated as “Medium” risk are:
- Fuzzing
- Packaging
- Pinned-Dependencies
- SAST
- Security-Policy
Tests that are rated as “Low” risk are:
- CI-Tests
- CII-Best-Practices
- Contributors
Showing Detailed Results
For more details about why a check fails, use the --show-details option:
./scorecard --repo=github.com/ossf-tests/scorecard-check-branch-protection-e2e --checks Branch-Protection --show-details
Starting [Pinned-Dependencies]
Finished [Pinned-Dependencies]
RESULTS
-------
|---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|
| 9 / 10 | Branch-Protection | branch protection is not | Info: 'force pushes' disabled | github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection |
| | | maximal on development and all | on branch 'main' Info: 'allow | |
| | | release branches | deletion' disabled on branch | |
| | | | 'main' Info: linear history | |
| | | | enabled on branch 'main' Info: | |
| | | | strict status check enabled | |
| | | | on branch 'main' Warn: status | |
| | | | checks for merging have no | |
| | | | specific status to check on | |
| | | | branch 'main' Info: number | |
| | | | of required reviewers is 2 | |
| | | | on branch 'main' Info: Stale | |
| | | | review dismissal enabled on | |
| | | | branch 'main' Info: Owner | |
| | | | review required on branch | |
| | | | 'main' Info: 'admininistrator' | |
| | | | PRs need reviews before being | |
| | | | merged on branch 'main' | |
|---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|
Using a Package manager
For projects in the --npm, --pypi, or --rubygems ecosystems, you have the option to run Scorecards using a package manager. Provide the package name to run the checks on the corresponding GitHub source code.
For example, --npm=angular.
Running specific checks
To run only specific check(s), add the --checks argument with a list of check
names.
For example, --checks=CI-Tests,Code-Review.
Formatting Results
There are three formats currently: default, json, and csv. Others may be
added in the future.
These may be specified with the --format flag. For example, --format=json.
Report Problems
If you have what looks like a bug, please use the Github issue tracking system. Before you file an issue, please search existing issues to see if your issue is already covered.
Public Data
If you're interested in seeing a list of projects with their Scorecard check results, we publish these results in a BigQuery public dataset.
This data is available in the public BigQuery dataset
openssf:scorecardcron.scorecard-v2. The latest results are available in the
BigQuery view openssf:scorecardcron.scorecard-v2_latest.
You can extract the latest results to Google Cloud storage in JSON format using
the bq tool:
# Get the latest PARTITION_ID
bq query --nouse_legacy_sql 'SELECT partition_id FROM
openssf.scorecardcron.INFORMATION_SCHEMA.PARTITIONS WHERE table_name="scorecard-v2"
ORDER BY partition_id DESC
LIMIT 1'
# Extract to GCS
bq extract --destination_format=NEWLINE_DELIMITED_JSON
'openssf:scorecardcron.scorecard-v2$<partition_id>' gs://bucket-name/filename.json
The list of projects that are checked is available in the
cron/data/projects.csv
file in this repository. If you would like us to track more, please feel free to
send a Pull Request with others. Currently, this list is derived from projects hosted on GitHub
ONLY. We do plan to expand them in near future to account for projects hosted
on other source control systems.
NOTE: The public dataset uses a Pass/Fail scoring system with a confidence score between 0 and 10. A confidence of 0 indicates that the check was unable to achieve any real signal, and that the result should be ignored. A confidence of 10 indicates the check was completely sure of the result.
Checks
Scorecard Checks
The following checks are all run against the target project by default:
| Name | Description |
|---|---|
| Binary-Artifacts | Is the project free of checked-in binaries? |
| Branch-Protection | Does the project use Branch Protection ? |
| CI-Tests | Does the project run tests in CI, e.g. GitHub Actions, Prow? |
| CII-Best-Practices | Does the project have a CII Best Practices Badge? |
| Code-Review | Does the project require code review before code is merged? |
| Contributors | Does the project have contributors from at least two different organizations? |
| Dependency-Update-Tool | Does the project use tools to help update its dependencies? |
| Fuzzing | Does the project use fuzzing tools, e.g. OSS-Fuzz? |
| Maintained | Is the project maintained? |
| Pinned-Dependencies | Does the project declare and pin dependencies? |
| Packaging | Does the project build and publish official packages from CI/CD, e.g. GitHub Publishing ? |
| SAST | Does the project use static code analysis tools, e.g. CodeQL, LGTM, SonarCloud? |
| Security-Policy | Does the project contain a security policy? |
| Signed-Releases | Does the project cryptographically sign releases? |
| Token-Permissions | Does the project declare GitHub workflow tokens as read only? |
| Vulnerabilities | Does the project have unfixed vulnerabilities? Uses the OSV service. |
Detailed Checks Documentation
To see detailed information about each check, its scoring criteria, and remediation steps, check out the checks documentation page.
Contribute
Code of Conduct
Before contributing, please follow our Code of Conduct.
Contribute to Scorecards
See the Contributing documentation for guidance on how to contribute to the project.
Adding a Scorecard Check
If you'd like to add a check, please see guidance here.
Connect with the Scorecards Community
If you want to get involved in the Scorecards community or have ideas you'd like to chat about, we discuss this project in the OSSF Best Practices Working Group meetings.
| Artifact | Link |
|---|---|
| Scorecard Dev Forum | ossf-scorecard-dev@ |
| Scorecard Announcements Forum | ossf-scorecard-announce@ |
| Community Meeting VC | Link to z o o m meeting |
| Community Meeting Calendar | Biweekly mondays, 3:30pm-4:30pm PST Calendar |
| Meeting Notes | Notes |
| Slack Channel | #security_scorecards |
| Facilitators | Company | Profile | |
|---|---|---|---|
 |
Azeem Shaik | azeemshaikh38 | |
 |
Laurent Simon | laurentsimon | |
 |
Naveen Srinivasan | naveensrinivasan | |
 |
Chris McGehee | Datto | chrismcgehee |
Report a Security Issue
To report a security issue, please follow instructions here.
Documentation
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
Package checker includes structs and functions used for running a check.
|
Package checker includes structs and functions used for running a check. |
|
Package checks defines all Scorecard checks.
|
Package checks defines all Scorecard checks. |
|
Package clients defines the interface for RepoClient and related structs.
|
Package clients defines the interface for RepoClient and related structs. |
|
githubrepo
Package githubrepo implements clients.RepoClient for GitHub.
|
Package githubrepo implements clients.RepoClient for GitHub. |
|
githubrepo/roundtripper
Package roundtripper has implementations of http.RoundTripper useful to clients.RepoClient.
|
Package roundtripper has implementations of http.RoundTripper useful to clients.RepoClient. |
|
githubrepo/roundtripper/tokens
Package tokens defines interface to access GitHub PATs.
|
Package tokens defines interface to access GitHub PATs. |
|
githubrepo/roundtripper/tokens/server
Package main implements the GitHub token server.
|
Package main implements the GitHub token server. |
|
localdir
Package localdir implements RepoClient on local source code.
|
Package localdir implements RepoClient on local source code. |
|
mockclients
Package mockrepo is a generated GoMock package.
|
Package mockrepo is a generated GoMock package. |
|
Package cmd implements Scorecard commandline.
|
Package cmd implements Scorecard commandline. |
|
cron
|
|
|
bq
Package main implements the BQ transfer job.
|
Package main implements the BQ transfer job. |
|
cii
Package main implements the PubSub controller.
|
Package main implements the PubSub controller. |
|
config
Package config defines the configuration values for the cron job.
|
Package config defines the configuration values for the cron job. |
|
controller
Package main implements the PubSub controller.
|
Package main implements the PubSub controller. |
|
data
Package data contains util fns for reading and writing data handled by the cron job.
|
Package data contains util fns for reading and writing data handled by the cron job. |
|
data/add
Package main adds new project repositories to the projects file.
|
Package main adds new project repositories to the projects file. |
|
data/update
Package main updates projects repositories with a projects dependencies.
|
Package main updates projects repositories with a projects dependencies. |
|
data/validate
Package main validates an input file with a list of projects.
|
Package main validates an input file with a list of projects. |
|
monitoring
Package monitoring defines exporters to be used by opencensus package in the cron job.
|
Package monitoring defines exporters to be used by opencensus package in the cron job. |
|
pubsub
Package pubsub handles interactions with PubSub framework.
|
Package pubsub handles interactions with PubSub framework. |
|
shuffle
Package main implements the PubSub controller.
|
Package main implements the PubSub controller. |
|
webhook
Package main implements a Webhook which runs a bash script when called.
|
Package main implements a Webhook which runs a bash script when called. |
|
worker
Package main implements cron worker job.
|
Package main implements cron worker job. |
|
docs
|
|
|
checks
Package checks contains documentation about checks.
|
Package checks contains documentation about checks. |
|
checks/internal
Package internal contains internal functions for reading input YAML file.
|
Package internal contains internal functions for reading input YAML file. |
|
Package pkg defines fns for running Scorecard checks on a Repo.
|
Package pkg defines fns for running Scorecard checks on a Repo. |
|
Package stats defines opencensus monitoring stats exposed by Scorecard.
|
Package stats defines opencensus monitoring stats exposed by Scorecard. |
|
Package utests defines util fns for Scorecard unit testing.
|
Package utests defines util fns for Scorecard unit testing. |