Key takeaways
- Automated security scoring for any open source project — 18 checks across three themes (holistic security practices, source code risk, build process risk) including branch protection, dependency updates, SAST, fuzzing, signed releases, and maintained status
- Backed by the Open Source Security Foundation (Linux Foundation), launched by Google/OpenSSF in November 2020. Scores any public GitHub repo instantly via CLI, API, or GitHub Action
- Weekly scans evaluate 1M+ of the most-used OSS projects, published as a public BigQuery dataset — the closest thing to a standardized "credit score" for dependency trust
- Actively maintained: v5.5.0 shipped April 2026 with per-repo-type check skipping and improved Branch-Protection, Dangerous-Workflow, and Fuzzing checks
- Peer-reviewed research found no clean correlation between high Scorecard scores and fewer vulnerabilities — treat scores as process hygiene signal, not a security guarantee
FAQ
What is OpenSSF Scorecard?
An automated tool that scores open source projects on a 0-10 scale across 18 security checks grouped into three risk themes. Backed by the Open Source Security Foundation (Linux Foundation). Provides a standardized trust score for any public GitHub repository.
Is OpenSSF Scorecard free?
Yes. Scorecard is free, open source (Apache 2.0), and run by the OpenSSF. The CLI, REST API, GitHub Action, and weekly BigQuery dataset are all free to use.
How many projects does Scorecard scan?
As of June 2026, the OpenSSF runs weekly scans of over 1 million of the most-used open source projects and publishes the results to a public BigQuery dataset.
Do high Scorecard scores mean a project is secure?
Not necessarily. Scorecard measures process hygiene (branch protection, dependency pinning, CI checks), not code quality. A 2023 peer-reviewed study of npm and PyPI packages found no clean negative correlation between scores and reported vulnerabilities, and some checks (like pinned dependencies) remain debated.
Overview
OpenSSF Scorecard automatically assesses open source projects against 18 security checks spanning three themes — holistic security practices, source code risk assessment, and build process risk assessment.[1] Checks cover branch protection, dependency update tooling, SAST usage, fuzzing, signed releases, dangerous workflow patterns, and maintained status.[2] It produces a 0-10 score that serves as a standardized trust metric for open source dependencies.
Launched by the OpenSSF (Open Source Security Foundation, a Linux Foundation project) in November 2020, Scorecard is developed under the OpenSSF Best Practices Working Group with contributors across the ecosystem, including Google.[3] It scores any public GitHub repo instantly via CLI or REST API, and the Scorecard GitHub Action embeds scoring into CI. Weekly scans evaluate over 1 million of the most-used OSS projects, published to a public BigQuery dataset for ecosystem-wide analysis.[1]
Current State (June 2026)
The project is healthy and actively maintained: ~5,500 GitHub stars, commits landing in June 2026, and a steady release cadence.[4] The latest release, v5.5.0 (April 23, 2026), moved Docker images to GitHub Container Registry, added automatic skipping of checks that don't apply to a repository's type, and improved the Branch-Protection, Dangerous-Workflow, and Fuzzing checks; v5.4.0 (November 2025) and v5.3.0 (September 2025) preceded it.[5]
The project completed its naming consolidation — it is now consistently "OpenSSF Scorecard," retiring the older "Security Scorecards" name.[1] Adopters citing it publicly include Distroless, Kaniko, and Envoy, and CISA lists Scorecard among its recommended resources.
Pricing: Free and open source (Apache 2.0) — CLI, API, GitHub Action, and the BigQuery dataset all cost nothing.[4]
Competitive Position
Strengths: Standardized scoring with neutral foundation governance (OpenSSF/Linux Foundation). Massive public dataset — 1M+ repos scored weekly. Frictionless CI integration via the Scorecard GitHub Action. Free at every layer.
Weaknesses: Scores are surface-level — they measure process compliance, not code security. Gaming is possible (check the boxes without real security improvement). Public GitHub/GitLab repos only. A single check rubric applied uniformly regardless of project type or ecosystem, though v5.5.0's repo-type-aware check skipping begins to address this.[5]
Cautions
- Scores don't cleanly predict security outcomes. A peer-reviewed ICSE-SEIP 2023 study of 2,422 npm and PyPI packages by Zahan et al. found a counterintuitive positive association between aggregate security-practice scores and reported vulnerabilities — high scores did not mean fewer vulnerabilities.[6] Treat Scorecard as a hygiene signal, not a security audit.
- Contested checks. Some checks remain debated — not all maintainers agree pinned dependencies are net-positive, and the uniform rubric penalizes projects where certain practices don't apply.[6]
- Gaming risk. Because checks are automated and public, a motivated project can optimize for the score without improving real security posture.
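The cautions above (and the CLI/API/GitHub Action integration described in the Overview) point to one practical consequence: a consuming organization should not gate on the aggregate 0-10 number alone, but on the specific checks that matter to it, while surfacing checks Scorecard could not evaluate. The following policy evaluator is an added example written for this page; it is not Scorecard project code. It assumes the JSON shape produced by `scorecard --format=json` and returned by the Scorecard REST API (a top-level `score`, a `repo` object, and a `checks` list with `name`, `score` and `reason`), and that a per-check score of -1 means the check was inconclusive. The check names are real Scorecard check names; the sample result, the gate thresholds and the repository name are constructed for illustration.

```python
"""Policy gate over an OpenSSF Scorecard JSON result (added example, not project code).

Assumed JSON shape: {"score": float, "repo": {"name": str, ...},
"checks": [{"name": str, "score": int, "reason": str, ...}, ...]}.
A check score of -1 is assumed to mean "inconclusive" (the check could not run).
"""
import json
from dataclasses import dataclass, field

INCONCLUSIVE = -1

# Constructed sample: a repository with a healthy aggregate score that still fails
# the one check most relevant to build-process risk. Not a real scan of any project.
SAMPLE_RESULT = json.dumps({
    "date": "2026-06-01",
    "repo": {"name": "github.com/example-org/example-lib", "commit": "0000000"},
    "score": 8.1,
    "checks": [
        {"name": "Maintained", "score": 10, "reason": "commit and issue activity in the last 90 days"},
        {"name": "Branch-Protection", "score": 8, "reason": "branch protection is not maximal on all release branches"},
        {"name": "Dangerous-Workflow", "score": 0, "reason": "dangerous workflow patterns detected"},
        {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},
        {"name": "Pinned-Dependencies", "score": 7, "reason": "dependency not pinned by hash detected"},
        {"name": "Fuzzing", "score": 10, "reason": "project is fuzzed"},
        {"name": "SAST", "score": 10, "reason": "SAST tool is run on all commits"},
    ],
})

# Per-check minimum scores that block acceptance regardless of the aggregate.
# These thresholds are an illustrative policy choice, not a Scorecard recommendation.
GATE_CHECKS = {"Dangerous-Workflow": 10, "Maintained": 5}


@dataclass
class PolicyResult:
    repo: str
    aggregate: float
    passed: bool
    failures: list = field(default_factory=list)      # human-readable reasons the policy failed
    inconclusive: list = field(default_factory=list)  # checks Scorecard could not evaluate


def evaluate(result_json: str, min_aggregate: float = 7.0, gates=None) -> PolicyResult:
    """Apply an aggregate floor plus per-check gates to one Scorecard result."""
    gates = GATE_CHECKS if gates is None else gates
    data = json.loads(result_json)
    checks = data.get("checks", [])
    by_name = {c["name"]: c for c in checks}
    res = PolicyResult(repo=data["repo"]["name"], aggregate=float(data["score"]), passed=True)

    if res.aggregate < min_aggregate:
        res.failures.append(f"aggregate score {res.aggregate} below {min_aggregate}")

    for name, min_score in gates.items():
        check = by_name.get(name)
        if check is None:
            # A gated check that is absent from the result is treated as a failure (fail closed).
            res.failures.append(f"{name}: check missing from result")
            continue
        if check["score"] == INCONCLUSIVE:
            # Inconclusive is "not measured", not "passed": recorded for review, not counted as a pass.
            res.inconclusive.append(name)
            continue
        if check["score"] < min_score:
            res.failures.append(f"{name}: score {check['score']} below {min_score} ({check.get('reason', '')})")

    # Surface every other inconclusive check too, so reviewers know what the score omits.
    for c in checks:
        if c["score"] == INCONCLUSIVE and c["name"] not in res.inconclusive:
            res.inconclusive.append(c["name"])

    res.passed = not res.failures
    return res


if __name__ == "__main__":
    r = evaluate(SAMPLE_RESULT)
    print(f"{r.repo}: aggregate={r.aggregate} passed={r.passed}")
    for f in r.failures:
        print("  FAIL:", f)
    for name in r.inconclusive:
        print("  INCONCLUSIVE:", name)
```

On the constructed sample the aggregate (8.1) clears the default floor, yet the policy fails on Dangerous-Workflow and reports Signed-Releases as unmeasured rather than as a pass. This is the behaviour the research caveat calls for: the number is a hygiene summary, and the decision should rest on the individual checks a team actually depends on.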
Bottom Line
Recommended for: Organizations that need a fast, free, standardized first-pass trust signal across thousands of open source dependencies; maintainers who want a concrete hygiene checklist and a public badge via the Scorecard GitHub Action.
Not recommended for: Anyone treating the 0-10 score as a security guarantee or a substitute for code audit — it measures process, not vulnerabilities — or for evaluating private/internal repositories.
Outlook: Strong. Foundation governance, an active release cadence (v5.5.0 in April 2026), and the 1M+-repo weekly dataset make Scorecard the de facto baseline metric for OSS supply-chain trust. Expect continued refinement toward ecosystem-aware scoring; the open question is whether the research-documented gap between scores and actual vulnerability outcomes narrows as checks mature.[6]
Research by Ry Walker Research