Open Source Security Foundation (OSSF)

Health metrics for Open Source projects using scorecard

Prerequisite for funding via Secure Open Source (SOS) Rewards

Checks (excerpt)

Branch protection

Code Review in PRs

Dependency update tool

Signed releases

Example

scorecard --repo=github.com/moby/moby

Scorecard data

One million critical open source projects are scanned weekly

Data is shared publicly

REST API

PROJECT=github.com/moby/moby
curl -s https://api.securityscorecards.dev/projects/${PROJECT} \
| jq --raw-output '.checks[] | "\(.name): \(.score)"'
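As an added example (not part of the slides), a small Python policy gate over the JSON the REST API above returns: it reads the `checks[]` entries and flags any of the four checks listed earlier that fall below a minimum score. The response body and the thresholds are constructed for illustration; they are not the actual SOS Rewards criteria.

```python
"""Evaluate a Scorecard API response against a minimal per-check policy."""
import json

# Constructed sample in the shape returned by
# https://api.securityscorecards.dev/projects/<repo>; repo and values are made up.
SAMPLE_RESPONSE = json.dumps({
    "date": "2024-01-01",
    "repo": {"name": "github.com/example/project", "commit": "0000000"},
    "score": 6.1,
    "checks": [
        {"name": "Branch-Protection", "score": 3, "reason": "branch protection is not maximal"},
        {"name": "Code-Review", "score": 8, "reason": "most changes are reviewed"},
        {"name": "Dependency-Update-Tool", "score": 10, "reason": "update tool detected"},
        {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},
        {"name": "Vulnerabilities", "score": 10, "reason": "no vulnerabilities detected"},
    ],
})

# Minimum acceptable score (Scorecard uses 0-10) for the checks the slide lists.
# Thresholds are assumed for illustration only.
POLICY = {
    "Branch-Protection": 5,
    "Code-Review": 5,
    "Dependency-Update-Tool": 8,
    "Signed-Releases": 5,
}


def check_scores(response_json: str) -> dict[str, int]:
    """Map each check name to its score, mirroring the jq one-liner above."""
    data = json.loads(response_json)
    return {c["name"]: c["score"] for c in data["checks"]}


def evaluate(response_json: str, policy: dict[str, int]) -> list[str]:
    """Return one finding per policy check that is not satisfied.

    Scorecard reports -1 when a check could not be evaluated; treat that as a
    failure as well, since it gives no evidence that the control is in place."""
    scores = check_scores(response_json)
    findings = []
    for name, minimum in policy.items():
        score = scores.get(name)
        if score is None:
            findings.append(f"{name}: not present in response")
        elif score < 0:
            findings.append(f"{name}: inconclusive (-1)")
        elif score < minimum:
            findings.append(f"{name}: {score} < required {minimum}")
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_RESPONSE, POLICY):
        print(finding)
```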

Google BigQuery

Use web-based BigQuery Explorer

Use bq on the console (part of gcloud)