By Tracy Ragan, DeployHub
Open source components are consumed by over 90% of modern applications. Their omnipresence stems from their cost-effectiveness, flexibility, and collaborative nature, making them a cornerstone of contemporary software development. However, this widespread use also makes them a critical weak link in software security. Many open source projects are maintained by small teams or individual contributors with limited resources, leaving them exposed to unpatched vulnerabilities, outdated dependencies, and supply chain attacks. Transparency about these challenges, paired with the proactive use of security tools, is essential for regaining trust in open source code and components.
The OpenSSF Scorecard, a vital initiative of the Open Source Security Foundation (OpenSSF), can help consumers gain a more comprehensive understanding of the security posture of the open source they include in the software they deliver. However, without the adoption of OpenSSF Scorecard by open source projects, consumers are left unaware of the risk levels these packages pose.
The Need for OpenSSF Scorecard
The OpenSSF Scorecard evaluates open source projects across critical security metrics, such as branch protection, dependency updates, and the use of fuzzing and static analysis tools. By assigning a score, it provides a quantifiable way to gauge a project’s adherence to security best practices. With software supply chain attacks on the rise, this tool is increasingly essential.
Current Adoption Trends
Despite its importance, the adoption of OpenSSF Scorecard across widely used OSS packages is still uneven. Large, well-funded projects—such as Kubernetes, Node.js, and Apache projects—often lead the way, integrating the Scorecard into their workflows to maintain high security standards. Smaller projects, however, face challenges, including a lack of awareness, limited resources, and a perception that security tooling is complex or burdensome.
Platforms like GitHub have started to integrate Scorecard checks into workflows, making adoption easier. Such automation reduces friction and encourages maintainers to adopt security measures without overwhelming them.
The Need for an OpenSSF Centralized Dashboard
Although OpenSSF Scorecard results are available for many open source packages, there is a noticeable lack of consistent reporting and transparency. Only a small number of projects openly share their Scorecard results or document efforts to improve their scores. Public reporting is vital—it builds community trust, encourages collaboration, and motivates other projects to prioritize security.
Modern software solutions depend on hundreds of open source package dependencies. To accurately assess the security profile of an entire solution, it is essential to aggregate OpenSSF scores for all these dependencies at the “logical application” level. Evaluating only the security of closed-source components provides an incomplete picture and can create a false sense of security. Centralizing and sharing OpenSSF Scorecard results through a dedicated dashboard offers a practical way to achieve transparency and a holistic security evaluation.
Benefits of Scorecard Sharing
- Increased Trust: Sharing Scorecard results demonstrates a commitment to security, encouraging users and contributors to trust and engage with the project.
- Community Contributions: Reporting gaps or low scores can motivate contributors to step in and help improve security measures.
- Cross-Project Collaboration: Transparency allows maintainers of different projects to learn from each other’s successes and challenges.
- Transparency: Open source consumers can easily determine the risk of an open source dependency, allowing them to make informed decisions.
Driving Broader Adoption and Reporting
- Simplify Onboarding: Educational resources, workshops, and tutorials can help maintainers, especially in smaller projects, understand and adopt the Scorecard.
- Automation: Tools that seamlessly integrate Scorecard checks into CI/CD pipelines can reduce manual effort and ensure continuous monitoring.
- Incentivize Reporting: Highlighting projects with exemplary Scorecard reporting in conferences, blogs, and community forums can encourage others to follow suit.
- Platform Support: Collaboration with package managers like npm, PyPI, and Maven Central to showcase Scorecard results directly on their platforms can amplify visibility and drive adoption.
The Ortelius OpenSSF Dashboard
Ortelius, an open source vulnerability management platform under incubation at the Continuous Delivery Foundation, unveiled its OpenSSF Dashboard in December. This new feature consolidates OpenSSF Scorecard metrics at the “logical application” level, addressing the complexities of modern software architectures. Logical applications are built on hundreds of microservices and APIs, known as Components, which in turn depend on numerous open source packages. By aggregating dependency data across both Components and Applications, Ortelius provides a streamlined view of security metrics, specific to what the consumer is using. The Dashboard empowers end-users of open source with a detailed and cohesive perspective of Scorecard results across all dependencies within their logical applications.
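Aggregating Scorecard results the way the dashboard section above describes (packages rolled up to Components, then Components rolled up to the logical application, as the earlier "hundreds of open source package dependencies" passage calls for) can be sketched as follows. This is an added example, not Ortelius code: the package names, the application layout and the JSON results are all constructed here, and the JSON only mirrors the shape of a Scorecard API response (a top-level score plus a list of named checks, with -1 marking a check that could not be evaluated).

```python
import json
from typing import Dict, List

# Constructed sample results in the shape of a Scorecard API response
# (top-level "score", plus "checks" with "name" and "score"; -1 = inconclusive).
SAMPLE_RESULTS = {
    "github.com/example/lib-a": json.dumps({"score": 8.1, "checks": [
        {"name": "Branch-Protection", "score": 8}, {"name": "Dependency-Update-Tool", "score": 10},
        {"name": "Fuzzing", "score": 10}, {"name": "SAST", "score": 7}]}),
    "github.com/example/lib-b": json.dumps({"score": 4.2, "checks": [
        {"name": "Branch-Protection", "score": 0}, {"name": "Dependency-Update-Tool", "score": 0},
        {"name": "Fuzzing", "score": -1}, {"name": "SAST", "score": 10}]}),
    "github.com/example/lib-c": json.dumps({"score": 6.5, "checks": [
        {"name": "Branch-Protection", "score": 6}, {"name": "Dependency-Update-Tool", "score": 10},
        {"name": "Fuzzing", "score": 3}, {"name": "SAST", "score": 5}]}),
}

# Hypothetical logical application: Components (services) mapped to the packages they depend on.
APPLICATION = {
    "checkout-service": ["github.com/example/lib-a", "github.com/example/lib-b"],
    "catalog-service": ["github.com/example/lib-a", "github.com/example/lib-c"],
}


def parse_result(raw: str) -> Dict:
    """Reduce one Scorecard JSON document to {score, checks}; drop inconclusive (-1) checks."""
    data = json.loads(raw)
    checks = {c["name"]: c["score"] for c in data["checks"] if c["score"] >= 0}
    return {"score": data["score"], "checks": checks}


def weakest_link(results: List[Dict]) -> Dict:
    """Aggregate by minimum: a consumer is only as well protected as its weakest dependency."""
    names = set().union(*(r["checks"] for r in results))
    per_check = {n: min(r["checks"][n] for r in results if n in r["checks"]) for n in names}
    return {"score": min(r["score"] for r in results), "checks": per_check}


def application_rollup(app: Dict[str, List[str]], raw_results: Dict[str, str]) -> Dict:
    """Roll packages up to Components, then Components up to the logical application."""
    components = {c: weakest_link([parse_result(raw_results[p]) for p in pkgs])
                  for c, pkgs in app.items()}
    return {"components": components, "application": weakest_link(list(components.values()))}


def below_threshold(app: Dict[str, List[str]], raw_results: Dict[str, str], threshold: float = 5.0) -> List[str]:
    """Name every package in the application whose overall score falls under the threshold."""
    pkgs = sorted({p for deps in app.values() for p in deps})
    return [p for p in pkgs if parse_result(raw_results[p])["score"] < threshold]
```

Taking the minimum rather than an average is deliberate: an average would let one well-scored package mask a dependency with no branch protection or no dependency update tooling.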
Conclusion
The OpenSSF Scorecard is a critical tool in enhancing the security of open source ecosystems. By encouraging widespread adoption across common OSS packages and promoting transparent reporting, we can significantly improve the security posture of the software supply chain. Whether you’re a maintainer or an end-user, leveraging and advocating for the Scorecard fosters a safer and more reliable open source future. The Ortelius Dashboard plays a pivotal role in this effort, enabling seamless sharing of OSS package security metrics and commitments. Centralizing these insights gives consumers of open source code the visibility they need to make informed decisions to trust their dependencies.
Learn more about the OpenSSF Scorecard and the Ortelius OpenSSF Dashboard. Get started gathering OpenSSF Scorecard results using the open source Ortelius SaaS offering.
About the Author
Tracy Ragan (CEO DeployHub, Community Manager Ortelius OS) is a recognized authority in software supply chain security and DevSecOps, with expertise in managing complex, decoupled architectures. She serves on the OpenSSF Governing Board as a General Member Representative and on the Technology Oversight Committee at the Continuous Delivery Foundation (CDF). Earlier in her career, she was a founding Board Member of the Eclipse Foundation, collaborating with IBM to foster its ecosystem.
Named one of TechBeacon’s Top 100 DevOps Visionaries, Tracy is a sought-after speaker at prominent industry events such as CDCon, Open Source Summit, and TechStrong TV. She hosts TechStrong Women TV, highlighting the accomplishments of women in technology, and frequently contributes to expert panels for organizations like JFrog, TechStrong, and the Linux Foundation. Her insights have been featured in various technical publications focusing on DevOps and open-source security. You can reach Tracy on LinkedIn.