C002 — OpenSSF Scorecard Average for Critical Projects — The claim has roughly an even chance to a likely chance of being correct in its specific form (40-55%), but is directionally correct with higher confidence (75-85%). The 5.4 figure comes from Chainguard's Wolfi analysis, not from OpenSSF's 1 million critical projects.

Contents

Summary

Claim: The average OpenSSF Scorecard score across the top one million critical open source projects is 5.4 out of 10.

Bottom Line: The 5.4 average Scorecard score is confirmed from Chainguard's analysis of 1,500 Wolfi upstream repos, not from OpenSSF's full set of 1 million critical projects. The 1 million project scanning program exists and publishes results to BigQuery. The 0-10 scoring methodology works as described. The specific 5.4 figure for the full population is unverified, though Chainguard notes that scores in the 4-6 range are 'typical' for open source projects. The correlation between popularity and score suggests the critical projects set (selected for importance/popularity) might score higher than 5.4.

Results

Artifact Description
Input Original text, clarification, scope, vocabulary
Assessment Evidence synthesis, probability assessment, gaps
Self-Audit Process audit across 4 ROBIS domains
Reading List Prioritized source list

Hypotheses

ID Label Status
H1
H2
H3

Searches

ID Target Returned Selected
S01 H1 0 0
S02 H2 0 0
S03 H2 0 0
S04 H3 0 0

Sources

ID Title Reliability Relevance
SRC001 https://arxiv.org/html/2602.14572v3 High High
SRC002 https://www.chainguard.dev/unchained/wolfis-upstream-securit Medium High
SRC003 https://github.com/ossf/scorecard High High
SRC004 https://www.blackduck.com/blog/open-source-trends-ossra-repo Medium High
SRC005 https://www.scworld.com/news/open-source-vulnerabilities-per Medium High
SRC006 https://www.sonatype.com/state-of-the-software-supply-chain/ Medium High
SRC007 https://www.sonatype.com/state-of-the-software-supply-chain/ Medium High
SRC008 https://www.moderne.ai/blog/security-dependency-updates-unma Medium High
SRC009 https://konvu.com/compare/semgrep-vs-codeql Medium High
SRC010 https://arxiv.org/html/2605.07900v1 High High
SRC011 https://arxiv.org/html/2409.07669v2 High High
SRC012 https://openssf.org/blog/2024/01/31/maintainer-motivations-c High High
SRC013 https://link.springer.com/article/10.1007/s10664-023-10369-w High Medium

Evidence Snapshot

Dimension Rating
Evidence quality Medium
Source agreement Medium

Revisit Triggers

  • [organization] OpenSSF publishes aggregate Scorecard statistics (mean, median, distribution) for the 1 million critical projects
  • [study] A researcher queries the BigQuery public dataset to compute the actual mean Scorecard score
  • [policy] The Scorecard methodology changes significantly (new checks, different weighting)
  • [data_update] Chainguard updates their Wolfi upstream analysis with a new average score