OpenSSF Scorecard Integration
OpenSSF Scorecard - Security Health Metrics for Open Source Packages and Components
The OpenSSF Scorecard is an automated security compliance tool that performs “checks” associated with software security. It assigns each check a score of 0-10, with 10 being the highest level of compliance. You can use these scores to understand specific areas of security to improve in order to strengthen the security posture of your project. OpenSSF Scorecard is used to make informed decisions about accepting security risks within a codebase.
OpenSSF Scorecard data is derived from the Git Repository associated to the Component Version.
Note: Not all Component Versions associated to open source projects have implemented the Scorecard. In this case, a “0” is the default value.
Gathering Scorecard Metrics
When a Component Version is created, the OpenSSF Scorecard metrics are retrieved from Git and stored as part of Component Version configuration data.
The Scorecard Rest API call is made using the Git Repo and Git Commit as parameters. If the Scorecard metrics are not found a second call is made to the Rest API without the Git Commit.
Note: The Component Version must have the Git Repo and Git Commit fields set in order to retrieve the metrics from the Scorecard Rest API. The Git Repo and Git Commit can be added using the Ortelius CI/CD Integration.
Viewing Scorecard Metrics
On the Component Version details screen, the OpenSSF Scorecard section will be populated with the metrics found. OpenSSF Scorecard Pinned to Commit will be true if metrics were found for the corresponding git commit, otherwise it will be false. The other checks in the Scorecard will be ranked 0 to 10, with 10 being the best. All the checks will be 0 if no metrics are available.
View Scorecard Metrics for Package Dependencies
On the Component Version details screen, the Software Bill of Materials (SBOM) section includes the OSSF Scorecard column. This column is the overall average score for the package. The column will be 0 if no Scorecard exists for the package dependency.
Generating Scorecard Metrics
The CI/CD pipeline needs to generate the Scorecard metrics. See Scorecard Installation and Configuration for details.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.