The OpenSSF is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.
FOSS or OSS is software whose source code anyone can inspect, modify, and enhance.
Authors make its source code available to others who would like to view that code, copy it, learn from it, alter it, share it, and use it.
As a user, you also need to comply with its license.
Currently, between 70% and 90% of any piece of modern software is FOSS.
The goal is to auto-generate a security score for open source projects, so that users can judge the trust, risk, and security posture of a dependency for their own use case.
The Scorecard database is populated in two ways:
- Proactively, projects report their latest score to Scorecard on every commit or release (via the GitHub Action or the CLI).
- The OpenSSF itself runs a cron job against widely used, highly relevant open source projects and retrieves all security-related scores.
Scorecard evaluates the security of your project with automated checks related to four scenarios:
Alongside the scores, the tool provides remediation prompts to help you fix problems and strengthen your development practices.
The risk level of each check is based on how easy the underlying weakness is to exploit. For example, if something can be exploited via a pull request, it is considered high risk.
There are currently 18 checks across 3 themes: holistic security practices, source code risk assessment, and build process risk assessment.
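The following added example (not code from this page or from the Scorecard project) shows how a consumer would act on a Scorecard result rather than just read the aggregate number: it parses the JSON that `scorecard --repo=... --format=json` emits, attaches each check's risk level, and gates on checks at Critical/High risk that score below a threshold or could not be evaluated. The JSON document is constructed here to approximate the real output shape, the repository and scores are invented, and the risk-level table is an assumption taken from the Scorecard checks documentation, so verify it against the current docs before relying on it.

```python
import json

# Assumption: risk level per check as listed in the Scorecard checks docs.
# Verify against the current documentation; this table is illustrative.
CHECK_RISK = {
    "Binary-Artifacts": "High", "Branch-Protection": "High", "CI-Tests": "Low",
    "CII-Best-Practices": "Low", "Code-Review": "High", "Contributors": "Low",
    "Dangerous-Workflow": "Critical", "Dependency-Update-Tool": "High",
    "Fuzzing": "Medium", "License": "Low", "Maintained": "High",
    "Packaging": "Medium", "Pinned-Dependencies": "Medium", "SAST": "Medium",
    "Security-Policy": "Medium", "Signed-Releases": "High",
    "Token-Permissions": "High", "Vulnerabilities": "High", "Webhooks": "Critical",
}
RISK_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Unknown": 4}

# Constructed sample approximating `scorecard --repo=github.com/example/repo --format=json`.
# Repository, commit and scores are made up for this example.
SAMPLE_RESULT = json.dumps({
    "date": "2024-01-15",
    "repo": {"name": "github.com/example/repo",
             "commit": "0123456789abcdef0123456789abcdef01234567"},
    "scorecard": {"version": "v4.13.1", "commit": "unknown"},
    "score": 6.2,
    "checks": [
        {"name": "Dangerous-Workflow", "score": 10, "details": None,
         "reason": "no dangerous workflow patterns detected"},
        {"name": "Token-Permissions", "score": 0,
         "reason": "detected GitHub workflow tokens with excessive permissions",
         "details": ["Warn: topLevel 'contents' permission set to 'write': "
                     ".github/workflows/release.yml:5"]},
        {"name": "Branch-Protection", "score": 3, "details": None,
         "reason": "branch protection is not maximal on development and all release branches"},
        {"name": "Pinned-Dependencies", "score": 5, "details": None,
         "reason": "dependency not pinned by hash detected"},
        # -1 is how Scorecard reports a check it could not evaluate.
        {"name": "Code-Review", "score": -1, "details": None,
         "reason": "internal error: unable to fetch pull requests"},
        {"name": "License", "score": 10, "details": None, "reason": "license file detected"},
        {"name": "CI-Tests", "score": 8, "details": None, "reason": "most PRs run CI tests"},
    ],
})


def parse_scorecard(text):
    """Parse Scorecard JSON output and attach a risk level to every check.

    A score of -1 means the check errored or was inconclusive; it is kept as
    'not evaluated' instead of being treated as a pass.
    """
    data = json.loads(text)
    checks = []
    for c in data.get("checks", []):
        checks.append({
            "name": c["name"],
            "score": c["score"],
            "risk": CHECK_RISK.get(c["name"], "Unknown"),
            "reason": c.get("reason", ""),
            "details": c.get("details") or [],
            "evaluated": c["score"] >= 0,
        })
    return {"repo": data["repo"]["name"], "commit": data["repo"]["commit"],
            "score": data["score"], "checks": checks}


def failing_checks(result, threshold=7):
    """Checks below threshold or not evaluated, ordered by risk, then score."""
    bad = [c for c in result["checks"] if not c["evaluated"] or c["score"] < threshold]
    return sorted(bad, key=lambda c: (RISK_RANK[c["risk"]], c["score"]))


def gate(result, threshold=7, block_on=("Critical", "High")):
    """Return (ok, reasons): fail when a check at a blocking risk level is
    below threshold or could not be evaluated."""
    reasons = []
    for c in failing_checks(result, threshold):
        if c["risk"] in block_on:
            state = f"score {c['score']}" if c["evaluated"] else "not evaluated"
            reasons.append(f"{c['name']} ({c['risk']}): {state}; {c['reason']}")
    return (not reasons, reasons)


def report(result, threshold=7):
    """Human-readable summary of the failing checks with remediation hints."""
    lines = [f"{result['repo']} @ {result['commit'][:12]}: aggregate {result['score']}/10"]
    for c in failing_checks(result, threshold):
        state = f"{c['score']}/10" if c["evaluated"] else "n/a"
        lines.append(f"  [{c['risk']:8}] {c['name']:24} {state:6} {c['reason']}")
        lines.extend(f"      {d}" for d in c["details"])
    return "\n".join(lines)


if __name__ == "__main__":
    res = parse_scorecard(SAMPLE_RESULT)
    print(report(res))
    ok, why = gate(res)
    print("gate:", "PASS" if ok else "FAIL")
    for r in why:
        print("  -", r)
```

In a CI job the same gate would consume a real `--format=json` result, and the `block_on` tuple is where a team encodes its own policy: the sample fails on Token-Permissions and Branch-Protection (both High) and on Code-Review because it was not evaluated, while the Medium-risk Pinned-Dependencies finding is reported but does not block.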
Simplify OpenSSF Scorecard tracking with automated Markdown and JSON reports, plus optional GitHub issue alerts.
Scorecard API Visualizer
Tool for visualizing the OpenSSF Scorecard API data in a human-friendly way.
Automatically apply security best practices in your GitHub repository.
👉 PHP Stan
By Teba Gómez