{"id":13461464,"url":"https://github.com/ossf/scorecard","last_synced_at":"2025-05-12T11:16:22.501Z","repository":{"id":37099296,"uuid":"302670797","full_name":"ossf/scorecard","owner":"ossf","description":"OpenSSF Scorecard - Security health metrics for Open Source","archived":false,"fork":false,"pushed_at":"2025-05-12T08:39:03.000Z","size":268727,"stargazers_count":4883,"open_issues_count":360,"forks_count":535,"subscribers_count":73,"default_branch":"main","last_synced_at":"2025-05-12T11:16:11.343Z","etag":null,"topics":["openssf-scorecard","scorecard"],"latest_commit_sha":null,"homepage":"https://scorecard.dev","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ossf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":"governance/meetings/2021.md","roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-10-09T14:48:27.000Z","updated_at":"2025-05-12T05:35:14.000Z","dependencies_parsed_at":"2024-01-22T16:42:17.676Z","dependency_job_id":"2e22154d-5ce7-4557-8f46-aaf4f7d662f4","html_url":"https://github.com/ossf/scorecard","commit_stats":{"total_commits":2578,"total_committers":159,"mean_commits":16.21383647798742,"dds":0.6574864235841738,"last_synced_commit":"bf4002489aa4797e16989242dd802ae79fb8321b"},"previous_names":[],"tags_count":44,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fscorecard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fscorecard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fscorecard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fscorecard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ossf","download_url":"https://codeload.github.com/ossf/scorecard/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253726901,"owners_count":21954095,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["openssf-scorecard","scorecard"],"created_at":"2024-07-31T11:00:39.476Z","updated_at":"2025-05-12T11:16:22.404Z","avatar_url":"https://github.com/ossf.png","language":"Go","readme":"# OpenSSF Scorecard\n\n[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/ossf/scorecard/badge)](https://scorecard.dev/viewer/?uri=github.com/ossf/scorecard)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/5621/badge)](https://www.bestpractices.dev/projects/5621)\n[![build](https://github.com/ossf/scorecard/actions/workflows/main.yml/badge.svg)](https://github.com/ossf/scorecard/actions/workflows/main.yml)\n[![CodeQL](https://github.com/ossf/scorecard/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/ossf/scorecard/actions/workflows/codeql-analysis.yml)\n[![Go Reference](https://pkg.go.dev/badge/github.com/ossf/scorecard/v4.svg)](https://pkg.go.dev/github.com/ossf/scorecard/v4)\n[![Go Report Card](https://goreportcard.com/badge/github.com/ossf/scorecard/v4)](https://goreportcard.com/report/github.com/ossf/scorecard/v4)\n[![codecov](https://codecov.io/gh/ossf/scorecard/branch/main/graph/badge.svg?token=PMJ6NAN9J3)](https://codecov.io/gh/ossf/scorecard)\n[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev)\n[![Slack](https://img.shields.io/badge/slack-openssf/scorecard-white.svg?logo=slack)](https://slack.openssf.org/#scorecard)\n\n\u003cimg align=\"right\" src=\"artwork/openssf_security_compressed.png\" width=\"200\" height=\"400\"\u003e\n\n## Overview\n\n- [What Is Scorecard?](#what-is-scorecard)\n- [Prominent Scorecard Users](#prominent-scorecard-users)\n- [View a Project's Score](#view-a-projects-score)\n- [Scorecard's Public Data](#public-data)\n\n## Using Scorecard\n\n- [Scorecard GitHub Action](#scorecard-github-action)\n- [Scorecard REST API](#scorecard-rest-api)\n- [Scorecard Badges](#scorecard-badges)\n- [Scorecard Command Line Interface](#scorecard-command-line-interface)\n - [Prerequisites](#prerequisites)\n - [Installation](#installation)\n - [Authentication](#authentication)\n - [Basic Usage](#basic-usage)\n\n## Checks\n\n- [Default Scorecard Checks](#scorecard-checks)\n- [Detailed Check Documentation](docs/checks.md) (Scoring Criteria, Risks, and\n Remediation)\n- [Beginner's Guide to Scorecard Checks](#beginners-guide-to-scorecard-checks)\n\n## Other Important Recommendations\n- [Two-factor Authentication (2FA)](#two-factor-authentication-2fa)\n\n## Scoring\n- [Aggregate Score](#aggregate-score)\n\n## Contribute\n\n- [Report Problems](#report-problems)\n- [Code of Conduct](CODE_OF_CONDUCT.md)\n- [Contribute to Scorecard ](CONTRIBUTING.md)\n- [Add a New Check](checks/write.md)\n- [Connect with the Scorecard Community](#connect-with-the-scorecard-community)\n- [Report a Security Issue](SECURITY.md)\n\n## FAQ\n\n- [FAQ](docs/faq.md)\n\n## Overview\n\n### What is Scorecard?\nWe created Scorecard to help open source maintainers improve their security\nbest practices and to help open source consumers judge whether their dependencies\nare safe.\n\nScorecard is an automated tool that assesses a number of important heuristics\n[(\"checks\")](#scorecard-checks) associated with software security and assigns\neach check a score of 0-10. You can use these scores to understand specific\nareas to improve in order to strengthen the security posture of your project.\nYou can also assess the risks that dependencies introduce, and make informed\ndecisions about accepting these risks, evaluating alternative solutions, or\nworking with the maintainers to make improvements.\n\nThe inspiration for Scorecard’s logo:\n[\"You passed! All D's ... and an A!\"](https://youtu.be/rDMMYT3vkTk)\n\n#### Project Goals\n\n1. Automate analysis and trust decisions on the security posture of open source\n projects.\n\n1. Use this data to proactively improve the security posture of the critical\n projects the world depends on.\n\n1. Act as a measurement tool for existing policies\n\n If OSS consumers require certain behaviors from their dependencies,\n Scorecard can be used to measure those. With the V5 release, we see\n Structured Results as a way of doing this if there is a supported analysis.\n Instead of relying on an aggregate score of X/10, or a Maintained score of\n Y/10, an OSS consumer may want to ensure the repo they're depending on\n isn't archived (which is covered by the `archived` probe). The OpenSSF\n takes this approach with its own Security Baseline for projects.\n\n#### Project Non-Goals\n\n1. To be a definitive report or requirement that all projects should follow.\n\n Scorecard is not intended to be a one-size-fits-all solution. Every step of\n making our results is opinionated: what checks get included or excluded,\n the importance of each check, and how scores are calculated. The checks\n themselves are heuristics; there are false positives and false negatives.\n\n Whether it’s due to applicability, or feasibility, or a matter of opinion,\n what's included or excluded from Scorecard results leads to a lot of\n discussion. It’s impossible to create a Scorecard that satisfies everyone\n because different audiences will care about different subsets of behavior.\n\n Aggregate scores in particular tells you nothing about what individual\n behaviors a repository is or is not doing. Many check scores are aggregated\n into a single score, and there’s multiple ways of arriving at the same\n score. These scores change as we add new heuristics or refine the existing\n ones.\n\n### Prominent Scorecard Users\n\nScorecard has been run on thousands of projects to monitor and track security\nmetrics. Prominent projects that use Scorecard include:\n\n- [Tensorflow](https://github.com/tensorflow/tensorflow)\n- [Angular](https://github.com/angular/angular)\n- [Flutter](https://github.com/flutter/flutter)\n- [sos.dev](https://sos.dev)\n- [deps.dev](https://deps.dev)\n\n### View a Project's Score\n\nTo see scores for projects regularly scanned by Scorecard, navigate to the [webviewer](https://scorecard.dev/viewer/?uri=). You can also replace the placeholder text (platform, user/org, and repository name) in the following template link to generate a custom Scorecard link for a repo:\n`https://scorecard.dev/viewer/?uri=\u003cgithub_or_gitlab\u003e.com/\u003cuser_name_or_org\u003e/\u003crepository_name\u003e`\n\nFor example:\n - [https://scorecard.dev/viewer/?uri=github.com/ossf/scorecard](https://scorecard.dev/viewer/?uri=github.com/ossf/scorecard)\n - [https://scorecard.dev/viewer/?uri=gitlab.com/fdroid/fdroidclient](https://scorecard.dev/viewer/?uri=gitlab.com/fdroid/fdroidclient)\n\nTo view scores for projects not included in the webviewer, use the [Scorecard CLI](#scorecard-command-line-interface).\n\n### Public Data\n\nWe run a weekly Scorecard scan of the 1 million most critical open source\nprojects judged by their direct dependencies and publish the results in a\n[BigQuery public dataset](https://cloud.google.com/bigquery/public-data).\n\nThis data is available in the public BigQuery dataset\n`openssf:scorecardcron.scorecard-v2`. The latest results are available in the\nBigQuery view `openssf:scorecardcron.scorecard-v2_latest`.\n\nYou can query the data using [BigQuery Explorer](http://console.cloud.google.com/bigquery) by navigating to Add Data \u003e Star a project by name \u003e 'openssf'.\nFor example, you may be interested in how a project's score has changed over time:\n\n```sql\nSELECT date, score FROM `openssf.scorecardcron.scorecard-v2` WHERE repo.name=\"github.com/ossf/scorecard\" ORDER BY date ASC\n```\n\nYou can extract the latest results to Google Cloud storage in JSON format using\nthe [`bq`](https://cloud.google.com/bigquery/docs/bq-command-line-tool) tool:\n\n```\n# Get the latest PARTITION_ID\nbq query --nouse_legacy_sql 'SELECT partition_id FROM\nopenssf.scorecardcron.INFORMATION_SCHEMA.PARTITIONS WHERE table_name=\"scorecard-v2\"\nAND partition_id!=\"__NULL__\" ORDER BY partition_id DESC\nLIMIT 1'\n\n# Extract to GCS\nbq extract --destination_format=NEWLINE_DELIMITED_JSON\n'openssf:scorecardcron.scorecard-v2$\u003cpartition_id\u003e' gs://bucket-name/filename-*.json\n\n```\n\nThe list of projects that are checked is available in the\n[`cron/internal/data/projects.csv`](https://github.com/ossf/scorecard/blob/main/cron/internal/data/projects.csv)\nfile in this repository. If you would like us to track more, please feel free to\nsend a Pull Request with others. Currently, this list is derived from **projects\nhosted on GitHub ONLY**. We do plan to expand them in near future to account for\nprojects hosted on other source control systems.\n\n## Using Scorecard\n\n### Scorecard GitHub Action\n\nThe easiest way to use Scorecard on GitHub projects you own is with the\n[Scorecard GitHub Action](https://github.com/ossf/scorecard-action). The Action\nruns on any repository change and issues alerts that maintainers can view in the\nrepository’s Security tab. For more information, see the Scorecard GitHub\nAction\n[installation instructions](https://github.com/ossf/scorecard-action#installation).\n\n### Scorecard REST API\n\nTo query pre-calculated scores of OSS projects, use the [REST API](https://api.scorecard.dev).\n\nTo enable your project to be available on the REST API, set\n[`publish_results: true`](https://github.com/ossf/scorecard-action/blob/dd5015aaf9688596b0e6d11e7f24fff566aa366b/action.yaml#L35)\nin the Scorecard GitHub Action setting.\n\nData provided by the REST API is licensed under the [CDLA Permissive 2.0](https://cdla.dev/permissive-2-0).\n\n### Scorecard Badges\n\nEnabling [`publish_results: true`](https://github.com/ossf/scorecard-action/blob/dd5015aaf9688596b0e6d11e7f24fff566aa366b/action.yaml#L35)\nin Scorecard GitHub Actions also allows maintainers to display a Scorecard badge on their repository to show off their\nhard work. This badge also auto-updates for every change made to the repository. See more details on [this OSSF blogpost](https://openssf.org/blog/2022/09/08/show-off-your-security-score-announcing-scorecards-badges/).\n\nTo include a badge on your project's repository, simply add the following markdown to your README:\n\n```\n[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/{owner}/{repo}/badge)](https://scorecard.dev/viewer/?uri=github.com/{owner}/{repo})\n```\n\n### Scorecard Command Line Interface\n\nTo run a Scorecard scan on projects you do not own, use the command line\ninterface installation option.\n\n#### Prerequisites\n\nPlatforms: Currently, Scorecard supports OSX and Linux platforms. If you are\nusing a Windows OS you may experience issues. Contributions towards supporting\nWindows are welcome.\n\nLanguage: You must have GoLang installed to run Scorecard\n(https://golang.org/doc/install)\n\n#### Installation\n\n##### Docker\n\n`scorecard` is available as a Docker container:\n\n```shell\ndocker pull gcr.io/openssf/scorecard:stable\n```\n\nTo use a specific scorecard version (e.g., v3.2.1), run:\n\n```shell\ndocker pull gcr.io/openssf/scorecard:v3.2.1\n```\n\n##### Standalone\n\nTo install Scorecard as a standalone:\n\nVisit our latest [release page](https://github.com/ossf/scorecard/releases/latest) and\ndownload the correct zip file for your operating system.\n\nAdd the binary to your `GOPATH/bin` directory (use `go env GOPATH` to identify your directory if necessary).\n\n###### Verifying SLSA provenance for downloaded releases\n\nWe generate [SLSA3 signatures](https://slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) during the release process. To verify a release binary:\n1. Install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation).\n2. Download the signature file `attestation.intoto.jsonl` from the [GitHub releases page](https://github.com/GoogleContainerTools/jib/releases/latest).\n3. Run the verifier:\n\n```shell\nslsa-verifier -artifact-path \u003cthe-zip\u003e -provenance attestation.intoto.jsonl -source github.com/ossf/scorecard -tag \u003cthe-tag\u003e\n```\n\n##### Using package managers\n\nPackage Manager | Supported Distribution | Command\n---------------------------------------------------------- | ---------------------- | -------\nNix | NixOS | `nix-shell -p nixpkgs.scorecard`\n[AUR helper](https://wiki.archlinux.org/title/AUR_helpers) | Arch Linux | Use your AUR helper to install `scorecard`\n[Homebrew](https://brew.sh/) | macOS or Linux | `brew install scorecard`\n\n#### Authentication\n\nGitHub imposes [api rate limits](https://developer.github.com/v3/#rate-limiting)\non unauthenticated requests. To avoid these limits, you must authenticate your\nrequests before running Scorecard. There are two ways to authenticate your\nrequests: either create a GitHub personal access token, or create a GitHub App\nInstallation.\n\n- [Create a classic GitHub personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-personal-access-token-classic).\n When creating the personal access token, we suggest you choose the\n `public_repo` scope. Set the token in an environment variable called\n `GITHUB_AUTH_TOKEN`, `GITHUB_TOKEN`, `GH_AUTH_TOKEN` or `GH_TOKEN` using the\n commands below according to your platform.\n\n```shell\n# For posix platforms, e.g. linux, mac:\nexport GITHUB_AUTH_TOKEN=\u003cyour access token\u003e\n# Multiple tokens can be provided separated by comma to be utilized\n# in a round robin fashion.\nexport GITHUB_AUTH_TOKEN=\u003cyour access token1\u003e,\u003cyour access token2\u003e\n\n# For windows:\nset GITHUB_AUTH_TOKEN=\u003cyour access token\u003e\nset GITHUB_AUTH_TOKEN=\u003cyour access token1\u003e,\u003cyour access token2\u003e\n```\n\nOR\n\n- [Create a GitHub App Installation](https://docs.github.com/en/developers/apps/building-github-apps/creating-a-github-app)\n for higher rate-limit quotas. If you have an installed GitHub App and key\n file, you can use the three environment variables below, following the\n commands (`set` or `export`) shown above for your platform.\n\n```\nGITHUB_APP_KEY_PATH=\u003cpath to the key file on disk\u003e\nGITHUB_APP_INSTALLATION_ID=\u003cinstallation id\u003e\nGITHUB_APP_ID=\u003capp id\u003e\n```\n\nThese variables can be obtained from the GitHub\n[developer settings](https://github.com/settings/apps) page.\n\n#### Basic Usage\n\n##### Using repository URL\n\nScorecard can run using just one argument, the URL of the target repo:\n\n```shell\n$ scorecard --repo=github.com/ossf-tests/scorecard-check-branch-protection-e2e\nStarting [CII-Best-Practices]\nStarting [Fuzzing]\nStarting [Pinned-Dependencies]\nStarting [CI-Tests]\nStarting [Maintained]\nStarting [Packaging]\nStarting [SAST]\nStarting [Dependency-Update-Tool]\nStarting [Token-Permissions]\nStarting [Security-Policy]\nStarting [Signed-Releases]\nStarting [Binary-Artifacts]\nStarting [Branch-Protection]\nStarting [Code-Review]\nStarting [Contributors]\nStarting [Vulnerabilities]\nFinished [CI-Tests]\nFinished [Maintained]\nFinished [Packaging]\nFinished [SAST]\nFinished [Signed-Releases]\nFinished [Binary-Artifacts]\nFinished [Branch-Protection]\nFinished [Code-Review]\nFinished [Contributors]\nFinished [Dependency-Update-Tool]\nFinished [Token-Permissions]\nFinished [Security-Policy]\nFinished [Vulnerabilities]\nFinished [CII-Best-Practices]\nFinished [Fuzzing]\nFinished [Pinned-Dependencies]\n\nRESULTS\n-------\nAggregate score: 7.9 / 10\n\nCheck scores:\n|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|\n| SCORE | NAME | REASON | DOCUMENTATION/REMEDIATION |\n|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|\n| 10 / 10 | Binary-Artifacts | no binaries found in the repo | github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts |\n|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|\n| 9 / 10 | Branch-Protection | branch protection is not | github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection |\n| | | maximal on development and all | |\n| | | release branches | |\n|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|\n| ? | CI-Tests | no pull request found | github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests |\n|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|\n| 0 / 10 | CII-Best-Practices | no badge found | github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices |\n|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|\n| 10 / 10 | Code-Review | branch protection for default | github.com/ossf/scorecard/blob/main/docs/checks.md#code-review |\n| | | branch is enabled | |\n|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|\n| 0 / 10 | Contributors | 0 different companies found -- | github.com/ossf/scorecard/blob/main/docs/checks.md#contributors |\n| | | score normalized to 0 | |\n|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|\n| 0 / 10 | Dependency-Update-Tool | no update tool detected | github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool |\n|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|\n| 0 / 10 | Fuzzing | project is not fuzzed in | github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing |\n| | | OSS-Fuzz | |\n|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|\n| 1 / 10 | Maintained | 2 commit(s) found in the last | github.com/ossf/scorecard/blob/main/docs/checks.md#maintained |\n| | | 90 days -- score normalized to | |\n| | | 1 | |\n|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|\n| ? | Packaging | no published package detected | github.com/ossf/scorecard/blob/main/docs/checks.md#packaging |\n|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|\n| 8 / 10 | Pinned-Dependencies | unpinned dependencies detected | github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies |\n| | | -- score normalized to 8 | |\n|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|\n| 0 / 10 | SAST | no SAST tool detected | github.com/ossf/scorecard/blob/main/docs/checks.md#sast |\n|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|\n| 0 / 10 | Security-Policy | security policy file not | github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy |\n| | | detected | |\n|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|\n| ? | Signed-Releases | no releases found | github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases |\n|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|\n| 10 / 10 | Token-Permissions | tokens are read-only in GitHub | github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions |\n| | | workflows | |\n|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|\n| 10 / 10 | Vulnerabilities | no vulnerabilities detected | github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities |\n|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|\n```\n\n###### Docker\n\nThe `GITHUB_AUTH_TOKEN` has to be set to a valid [token](#Authentication)\n\n```shell\ndocker run -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/ossf/scorecard\n```\n\nTo use a specific scorecard version (e.g., v3.2.1), run:\n\n```shell\ndocker run -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:v3.2.1 --show-details --repo=https://github.com/ossf/scorecard\n```\n\n##### Showing Detailed Results\n\nFor more details about why a check fails, use the `--show-details` option:\n\n```\n./scorecard --repo=github.com/ossf-tests/scorecard-check-branch-protection-e2e --checks Branch-Protection --show-details\nStarting [Pinned-Dependencies]\nFinished [Pinned-Dependencies]\n\nRESULTS\n-------\n|---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|\n| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |\n|---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|\n| 9 / 10 | Branch-Protection | branch protection is not | Info: 'force pushes' disabled | github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection |\n| | | maximal on development and all | on branch 'main' Info: 'allow | |\n| | | release branches | deletion' disabled on branch | |\n| | | | 'main' Info: linear history | |\n| | | | enabled on branch 'main' Info: | |\n| | | | strict status check enabled | |\n| | | | on branch 'main' Warn: status | |\n| | | | checks for merging have no | |\n| | | | specific status to check on | |\n| | | | branch 'main' Info: number | |\n| | | | of required reviewers is 2 | |\n| | | | on branch 'main' Info: Stale | |\n| | | | review dismissal enabled on | |\n| | | | branch 'main' Info: Owner | |\n| | | | review required on branch | |\n| | | | 'main' Info: 'administrator' | |\n| | | | PRs need reviews before being | |\n| | | | merged on branch 'main' | |\n|---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|\n```\n\n##### Showing Maintainers Annotations\n\n**Maintainer Annotations** let maintainers add context to display alongside Scorecard check results. Annotations can provide users additional information when Scorecard has an incomplete assessment of a project's security practices. To see the maintainers annotations for each check, use the `--show-annotations` option.\n\nFor more information on available annotations or how to make annotations, see [the configuration doc](config/README.md).\n\n##### Using a GitLab Repository\n\nTo run Scorecard on a GitLab repository, you must create a [GitLab Access Token](https://gitlab.com/-/profile/personal_access_tokens) with the following permissions:\n\n- `read_api`\n- `read_user`\n- `read_repository`\n\nYou can run Scorecard on a GitLab repository by setting the `GITLAB_AUTH_TOKEN` environment variable:\n\n```bash\nexport GITLAB_AUTH_TOKEN=glpat-xxxx\n\nscorecard --repo gitlab.com/\u003corg\u003e/\u003cproject\u003e/\u003csubproject\u003e\n```\n\nFor an example of using Scorecard in GitLab CI/CD, see [here](https://gitlab.com/ossf-test/scorecard-pipeline-example).\n\n###### Self Hosted Editions\nWhile we focus on GitLab.com support, Scorecard also works with self-hosted GitLab installations.\nIf your platform is hosted at a subdomain (e.g. `gitlab.foo.com`), Scorecard should work out of the box.\nIf your platform is hosted at some slug (e.g. `foo.com/bar/`), you will need to set the `GL_HOST` environment variable.\n\n```bash\nexport GITLAB_AUTH_TOKEN=glpat-xxxx\nexport GL_HOST=foo.com/bar\nscorecard --repo foo.com/bar/\u003corg\u003e/\u003cproject\u003e\n```\n\n##### Using GitHub Enterprise Server (GHES) based Repository\n\nTo use a GitHub Enterprise host `github.corp.com`, use the `GH_HOST` environment variable.\n\n```shell\n# Set the GitHub Enterprise host without https prefix or slash with relevant authentication token\nexport GH_HOST=github.corp.com\nexport GITHUB_AUTH_TOKEN=token\n\nscorecard --repo=github.corp.com/org/repo\n# OR without github host url\nscorecard --repo=org/repo\n```\n\n##### Using a Package manager\n\nFor projects in the `--npm`, `--pypi`, `--rubygems`, or `--nuget` ecosystems, you have the\noption to run Scorecard using a package manager. Provide the package name to\nrun the checks on the corresponding GitHub source code.\n\nFor example, `--npm=angular`.\n\n##### Running specific checks\n\nTo run only specific check(s), add the `--checks` argument with a list of check\nnames.\n\nFor example, `--checks=CI-Tests,Code-Review`.\n\n##### Formatting Results\n\nThe currently supported formats are `default` (text) and `json`.\n\nThese may be specified with the `--format` flag. For example, `--format=json`.\n\n\n\n## Checks\n\n### Scorecard Checks\n\nThe following checks are all run against the target project by default:\n\nName | Description | Risk Level | Token Required | GitLab Support | Note\n----------- | ----------------------------------------- | ---------- | --------------- | -------------- | --- |\n[Binary-Artifacts](docs/checks.md#binary-artifacts) | Is the project free of checked-in binaries? | High | PAT, GITHUB_TOKEN | Supported |\n[Branch-Protection](docs/checks.md#branch-protection) | Does the project use [Branch Protection](https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/about-protected-branches) ? | High | PAT (`repo` or `repo\u003e public_repo`), GITHUB_TOKEN | Supported (see notes) | certain settings are only supported with a maintainer PAT\n[CI-Tests](docs/checks.md#ci-tests) | Does the project run tests in CI, e.g. [GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions), [Prow](https://github.com/kubernetes/test-infra/tree/master/prow)? | Low | PAT, GITHUB_TOKEN | Supported\n[CII-Best-Practices](docs/checks.md#cii-best-practices) | Has the project earned an [OpenSSF (formerly CII) Best Practices Badge](https://www.bestpractices.dev) at the passing, silver, or gold level? | Low | PAT, GITHUB_TOKEN | Validating |\n[Code-Review](docs/checks.md#code-review) | Does the project practice code review before code is merged? | High | PAT, GITHUB_TOKEN | Validating |\n[Contributors](docs/checks.md#contributors) | Does the project have contributors from at least two different organizations? | Low | PAT, GITHUB_TOKEN | Validating |\n[Dangerous-Workflow](docs/checks.md#dangerous-workflow) | Does the project avoid dangerous coding patterns in GitHub Action workflows? | Critical | PAT, GITHUB_TOKEN | Unsupported |\n[Dependency-Update-Tool](docs/checks.md#dependency-update-tool) | Does the project use tools to help update its dependencies? | High | PAT, GITHUB_TOKEN | Unsupported |\n[Fuzzing](docs/checks.md#fuzzing) | Does the project use fuzzing tools, e.g. [OSS-Fuzz](https://github.com/google/oss-fuzz), [QuickCheck](https://hackage.haskell.org/package/QuickCheck) or [fast-check](https://fast-check.dev/)? | Medium | PAT, GITHUB_TOKEN | Validating\n[License](docs/checks.md#license) | Does the project declare a license? | Low | PAT, GITHUB_TOKEN | Validating |\n[Maintained](docs/checks.md#maintained) | Is the project at least 90 days old, and maintained? | High | PAT, GITHUB_TOKEN | Validating |\n[Pinned-Dependencies](docs/checks.md#pinned-dependencies) | Does the project declare and pin [dependencies](https://docs.github.com/en/free-pro-team@latest/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)? | Medium | PAT, GITHUB_TOKEN | Validating |\n[Packaging](docs/checks.md#packaging) | Does the project build and publish official packages from CI/CD, e.g. [GitHub Publishing](https://docs.github.com/en/free-pro-team@latest/actions/guides/about-packaging-with-github-actions#workflows-for-publishing-packages) ? | Medium | PAT, GITHUB_TOKEN | Validating |\n[SAST](docs/checks.md#sast) | Does the project use static code analysis tools, e.g. [CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [LGTM (deprecated)](https://lgtm.com), [SonarCloud](https://sonarcloud.io)? | Medium | PAT, GITHUB_TOKEN | Unsupported |\n[Security-Policy](docs/checks.md#security-policy) | Does the project contain a [security policy](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)? | Medium | PAT, GITHUB_TOKEN | Validating |\n[Signed-Releases](docs/checks.md#signed-releases) | Does the project cryptographically [sign releases](https://wiki.debian.org/Creating%20signed%20GitHub%20releases)? | High | PAT, GITHUB_TOKEN | Validating |\n[Token-Permissions](docs/checks.md#token-permissions) | Does the project declare GitHub workflow tokens as [read only](https://docs.github.com/en/actions/reference/authentication-in-a-workflow)? | High | PAT, GITHUB_TOKEN | Unsupported |\n[Vulnerabilities](docs/checks.md#vulnerabilities) | Does the project have unfixed vulnerabilities? Uses the [OSV service](https://osv.dev). | High | PAT, GITHUB_TOKEN | Validating |\n[Webhooks](docs/checks.md#webhooks) | Does the webhook defined in the repository have a token configured to authenticate the origins of requests? | Critical | maintainer PAT (`admin: repo_hook` or `admin\u003e read:repo_hook` [doc](https://docs.github.com/en/rest/webhooks/repo-config#get-a-webhook-configuration-for-a-repository) | | EXPERIMENTAL\n\n### Detailed Checks Documentation\n\nTo see detailed information about each check, its scoring criteria, and\nremediation steps, check out the [checks documentation page](docs/checks.md).\n\n### Beginner's Guide to Scorecard Checks\n\nFor a guide to the checks you should use when getting started, see the [beginner's guide to scorecard checks](docs/beginner-checks.md).\n\n## Other Important Recommendations\n\n### Two-factor Authentication (2FA)\n\n[Two-factor Authentication (2FA)](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/about-two-factor-authentication) adds an extra layer of security when logging into websites or apps. 2FA protects your account if your password is compromised by requiring a second form of authentication, such as codes sent via SMS or authentication app, or touching a physical security key.\n\nWe strongly recommend that you enable 2FA on any important accounts where it is available. 2FA is not a Scorecard check because GitHub and GitLab do not make that data about user accounts public. Arguably, this data should always remain private, since accounts without 2FA are so vulnerable to attack.\n\nThough it is not an official check, we urge all project maintainers to enable 2FA to protect their projects from compromise.\n\n#### Enabling 2FA\n\n##### For users\n\nFollow the steps described at [Configuring two-factor authentication](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication)\n\nIf possible, use either:\n\n- physical security key (preferred), such as Titan or Yubikey\n- recovery codes, stored in an access protected and encrypted vault\n\nAs a last option, use SMS. Beware: 2FA using SMS is vulnerable to [SIM swap attack](https://en.wikipedia.org/wiki/SIM_swap_scam).\n\n##### For an organization\n\n1. [Prepare to require 2FA in your organization](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/preparing-to-require-two-factor-authentication-in-your-organization)\n2. [Require 2FA in your organization](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization)\n\n## Scoring\n\n### Aggregate Score\nEach individual check returns a score of 0 to 10, with 10 representing the best\npossible score. Scorecard also produces an aggregate score, which is a\nweight-based average of the individual checks weighted by risk.\n\n* “Critical” risk checks are weighted at 10\n* “High” risk checks are weighted at 7.5\n* “Medium” risk checks are weighted at 5\n* “Low” risk checks are weighted at 2.5\n\nSee the [list of current Scorecard checks](#scorecard-checks) for each check's\nrisk level.\n\n## Contribute\n\n### Report Problems\n\nIf you have what looks like a bug, please use the\n[GitHub issue tracking system.](https://github.com/ossf/scorecard/issues) Before\nyou file an issue, please search existing issues to see if your issue is already\ncovered.\n\n### Contribute to Scorecard\n\nBefore contributing, please follow our [Code of Conduct](CODE_OF_CONDUCT.md).\n\nSee the [Contributing](CONTRIBUTING.md) documentation for guidance on how to\ncontribute to the project.\n\n### Adding a Scorecard Check\n\nIf you'd like to add a check, please see guidance [here](checks/write.md).\n\n### Connect with the Scorecard Community\n\nIf you want to get involved in the Scorecard community or have ideas you'd like\nto chat about, we discuss this project in the\n[OSSF Best Practices Working Group](https://github.com/ossf/wg-best-practices-os-developers)\nmeetings.\n\nArtifact | Link\n----------------------------- | ----\nScorecard Dev Forum | [ossf-scorecard-dev@](https://groups.google.com/g/ossf-scorecard-dev)\nScorecard Announcements Forum | [ossf-scorecard-announce@](https://groups.google.com/g/ossf-scorecard-announce)\nCommunity Meeting VC | [Link to z o o m meeting](https://zoom-lfx.platform.linuxfoundation.org/meeting/95007214146?password=250040c3-80c0-48c4-80c1-07a373116d54)\nCommunity Meeting Calendar | **_APAC-friendly_** Biweekly on Thursdays at 1:00-2:00 PM Pacific ([OSSF Public Calendar](https://calendar.google.com/calendar/u/0/embed?height=600\u0026wkst=1\u0026bgcolor=%238E24AA\u0026showTitle=1\u0026mode=WEEK\u0026showCalendars=0\u0026showTabs=1\u0026showPrint=0\u0026title=OpenSSF+Community+Calendar\u0026src=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ\u0026color=%238E24AA)) \u003cbr\u003eVideo Call: [LFX Zoom](https://zoom-lfx.platform.linuxfoundation.org/meeting/95007214146?password=250040c3-80c0-48c4-80c1-07a373116d54) \u003cbr\u003e **_EMEA-friendly_** Every 4 Mondays at 7:00-8:00 AM Pacific ([OSSF Public Calendar](https://calendar.google.com/calendar/u/0/embed?height=600\u0026wkst=1\u0026bgcolor=%238E24AA\u0026showTitle=1\u0026mode=WEEK\u0026showCalendars=0\u0026showTabs=1\u0026showPrint=0\u0026title=OpenSSF+Community+Calendar\u0026src=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ\u0026color=%238E24AA)) \u003cbr\u003e Video Call: [LFX Zoom](https://zoom-lfx.platform.linuxfoundation.org/meeting/93377638314?password=d53af562-d908-4100-8ae1-52686756cc5d)\nMeeting Notes | [Notes](https://docs.google.com/document/d/1b6d3CVJLsl7YnTE7ZaZQHdkdYIvuOQ8rzAmvVdypOWM/edit?usp=sharing)\nSlack Channel | [#scorecard](https://slack.openssf.org/#scorecard)\n\n__Maintainers__ are listed in the [CODEOWNERS file](.github/CODEOWNERS).\n\n### Report a Security Issue\n\nTo report a security issue, please follow instructions [here](SECURITY.md).\n\n### Join the Scorecard Project Meeting\n\n#### Zoom\n\n**_APAC-friendly_** Biweekly on Thursdays at 1:00-2:00 PM Pacific ([OSSF Public Calendar](https://calendar.google.com/calendar/u/0/embed?height=600\u0026wkst=1\u0026bgcolor=%238E24AA\u0026showTitle=1\u0026mode=WEEK\u0026showCalendars=0\u0026showTabs=1\u0026showPrint=0\u0026title=OpenSSF+Community+Calendar\u0026src=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ\u0026color=%238E24AA)) \n\nVideo Call: [LFX z o o m](https://zoom-lfx.platform.linuxfoundation.org/meeting/95007214146?password=250040c3-80c0-48c4-80c1-07a373116d54) \n\n**_EMEA-friendly_** Every 4 Mondays at 7:00-8:00 AM Pacific ([OSSF Public Calendar](https://calendar.google.com/calendar/u/0/embed?height=600\u0026wkst=1\u0026bgcolor=%238E24AA\u0026showTitle=1\u0026mode=WEEK\u0026showCalendars=0\u0026showTabs=1\u0026showPrint=0\u0026title=OpenSSF+Community+Calendar\u0026src=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ\u0026color=%238E24AA))\n\nVideo Call: [LFX z o o m](https://zoom-lfx.platform.linuxfoundation.org/meeting/93377638314?password=d53af562-d908-4100-8ae1-52686756cc5d) \n\n#### Agenda\n\nYou can see the [agenda and meeting notes here](https://docs.google.com/document/d/1b6d3CVJLsl7YnTE7ZaZQHdkdYIvuOQ8rzAmvVdypOWM/edit?usp=sharing).\n\n\n## Stargazers over time\n\n[![Stargazers over time](https://starchart.cc/ossf/scorecard.svg)](https://starchart.cc/ossf/scorecard)\n\n\n## FAQ\n\n### FAQ\n\nSee the [FAQ](docs/faq.md) for answers to Frequently Asked Questions about Scorecard.\n","funding_links":[],"categories":["Go","others","Dependency intelligence","Miscellaneous","Open Source Security","Go (531)","Risk Management","Application Security","Other","Secure Programming","Project","Project Quality","Standards and Specifications","Supply Chain Compliance"],"sub_categories":["Vulnerability information exchange","14. Audit, Monitor and Security Tools","Network Security","Supply chain security","Tokens","Program Analysis","Flaky Test Detection"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Fscorecard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fossf%2Fscorecard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Fscorecard/lists"}