OpenSSF Scorecard


The OpenSSF is a cross-industry organization that brings together the industry鈥檚 most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

FOSS or OSS is software which source code anyone can inspect, modify, and enhance


What is Open Source Software?

Authors make its source code available to others who would like to view that code, copy it, learn from it, alter it, share it, and use it

As a user, you also need to comply with a License


What is Open Source Software?

Currently, between the

70-90% of any piece of modern software is FOSS

OpenSSF Projects 馃挭


The goal is to auto-generate a Security Score for open source projects to help users to decide the trust, risk, and security posture for their use case.

The Scorecard

The Scoredcard database is fulfilled in 2 ways:

  1. Proactively, the projects report to the scorecard the latest changes in the score (via GitHub actions, or CLI commands) in each commit or release
  2. The OpenSSF proactively runs a cron job towards highly use/very relevant open source projects, to retrieve all security related scores

Data origin 馃敥

The Scorecard evaluates the security of your project based on automated checks related to four scenarios:

The Target

Alongside the scores, the tool provides remediation prompts to help you fix problems聽and strengthen your development practices.

The Scoring

The riskiness of each vulnerability is based on how easy it is to exploit. For example if something can be exploited via a pull request, we consider that a high risk.

There are currently 18 checks made across 3 themes: holistic security practises, source code risk assessment and build process risk assessment.

The checks


Holistic security practices

Holistic security practices

Holistic security practices

Source risk assessment

Build risk assessment


Scorecard Monitor

Simplify OpenSSF Scorecard tracking with automated markdown and JSON reports, plus optional GitHub issue alerts

馃憠 Link

Scorecard API Visualizer

Tool for visualizing the Open SSF Scorecard Api data in a human friendly way
馃憠 Link

鈿掞笍 Toolbox

Use Case

Extra cool tool

Automatically apply security best practices in your GitHub repository

鈿掞笍 What about...?

馃憠 NodeJS

馃憠 React

馃憠 PHP Stan

馃憠 Kubernetes

馃憠 Python

馃憠 Symfony

Are my depencencies healthy?


Some cool resources 馃


Thank U!

OpenSSF Scorecard

By Teba G贸mez

OpenSSF Scorecard

Let's talk about the Open Source Security Foundation, the security standards for Open Source software they have stablished and how they foster security awareness through the Scorecard project. And also some cool tools in the ecosystem, including two of my OpenSSF scorecard projects.

  • 63