Security Scorecards
What is Scorecards?
Scorecards is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10.
You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.
Project Goals
- Automate analysis and trust decisions on the security posture of open source projects.
- Use this data to proactively improve the security posture of the critical projects the world depends on.
Scorecard Checks
Name | Description | Risk Level |
---|---|---|
Binary Artifacts | Is the project free of checked-in binaries? | High |
Branch Protection | Does the project use Branch Protection? | High |
CI Tests | Does the project run tests in CI, e.g. GitHub Actions, Prow? | Low |
CII Best Practices | Does the project have a CII Best Practices Badge? | Low |
Code Review | Does the project require code review before code is merged? | High |
Contributors | Does the project have contributors from at least two different organizations? | Low |
Dangerous Workflow | Does the project avoid dangerous coding patterns in GitHub Action workflows? | Critical |
Dependency Update Tool | Does the project use tools to help update its dependencies? | High |
Fuzzing | Does the project use fuzzing tools, e.g. OSS-Fuzz? | Medium |
License | Does the project declare a license? | Low |
Maintained | Is the project maintained? | High |
Pinned Dependencies | Does the project declare and pin dependencies? | Medium |
Packaging | Does the project build and publish official packages from CI/CD, e.g. GitHub Publishing? | Medium |
SAST | Does the project use static code analysis tools, e.g. CodeQL, LGTM, SonarCloud? | Medium |
Security Policy | Does the project contain a security policy? | Medium |
Signed Releases | Does the project cryptographically sign releases? | High |
Token Permissions | Does the project declare GitHub workflow tokens as read only? | High |
Vulnerabilities | Does the project have unfixed vulnerabilities? Uses the OSV service. | High |
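As an added illustration (not Scorecard's own code), the following simplified Python check is modelled on the Pinned Dependencies and Token Permissions rows above: it flags GitHub Actions `uses:` references that are not pinned to a full commit SHA and tests whether a workflow's top-level `permissions:` restricts the token to read access. The sample workflow and the 40-hex SHA in it are constructed placeholders, and the scan is line-based rather than a full YAML parse.

```python
import re

# Added illustrative check modelled on the "Pinned Dependencies" and "Token
# Permissions" heuristics; a simplified line-based scan, not Scorecard's code.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERMISSIONS_RE = re.compile(r"^permissions:\s*([^\s#]*)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def unpinned_actions(workflow: str) -> list:
    """Return 'uses:' refs not pinned to a full commit SHA (tags and branches
    are mutable and can be retargeted); local and docker:// refs are skipped."""
    findings = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith(("./", "docker://")):
            continue
        if not SHA_RE.match(ref.partition("@")[2]):
            findings.append(ref)
    return findings

def token_read_only(workflow: str) -> bool:
    """True only if a top-level 'permissions:' limits GITHUB_TOKEN to read
    access: 'read-all', '{}', or a block whose scopes are all ': read'."""
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        m = PERMISSIONS_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        if value:                       # short form: read-all / write-all / {}
            return value in ("read-all", "{}")
        for scope in lines[i + 1:]:     # block form: ends at next unindented line
            if not scope.startswith(" "):
                break
            if not re.match(r"^\s+[\w-]+:\s*read\s*$", scope):
                return False
        return True
    return False                        # undeclared: token keeps default rights

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
permissions:
  contents: read
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - run: go test ./...
"""
```

Running `unpinned_actions(SAMPLE_WORKFLOW)` reports only the tag-pinned checkout step, while `token_read_only(SAMPLE_WORKFLOW)` is true because the block grants only `contents: read`.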