Scorecard assesses open source projects for security risks through a series of automated checksIt was created by OSS developers to help improve the health of critical projects that the community depends on.
You can use it to proactively assess and make informed decisions about accepting security risks within your codebase. You can also use the tool to evaluate other projects and dependencies, and work with maintainers to improve codebases you might want to integrate.

This project was initially called “Security Scorecards” but that form wasn’t used consistently. In particular, the repo was named “scorecard” and so was the program. Over time people started referring to either form (singular and plural), with or without “Security”, and the inconsistency became prevalent. To end this situation the decision was made to consolidate over the use of the singular form in keeping with the repo and program name, drop the “Security” part and use “OpenSSF” instead to ensure uniqueness. One should therefore refer to this project as “OpenSSF Scorecard” or “Scorecard” for short.

OpenSSF Scorecard is being developed and facilitated by contributors from across the OSS ecosystem.

We’re part of the Open Source Security Foundation (OpenSSF), a cross-industry collaboration that brings together OSS security initiatives under one foundation and seeks to improve the security of OSS by building a broader community, targeted initiatives, and best practises.

OpenSSF launched Scorecard in November 2020 with the intention of auto-generating a “security score” for open source projects to help users as they decide the trust, risk, and security posture for their use case.

Scorecard is part of the OpenSSF Best Practices Working Group.

If you want to get involved in the OpenSSF Scorecard community or have ideas you’d like to chat about, we’d love to connect.