C002 — OpenSSF Scorecard Average for Critical Projects — Self-Audit
Process Audit (Analytical Domains)
| Domain | Rating | Rationale |
|---|---|---|
| Evaluation Consistency | Pass | The Chainguard blog (commercial source, medium reliability) and the OpenSSF Scorecard repo (primary source, high reliability) were scored consistently. The Chainguard blog was not given undue weight d |
| Synthesis Fairness | Pass | The synthesis fairly represented the population mismatch as the central finding. It did not dismiss the 5.4 figure entirely (the Chainguard source notes it is 'typical') nor accept it uncritically for |
Source-Back Verification
Sources verified: 2
Discrepancies
- minor at https://www.chainguard.dev/unchained/wolfis-upstream-security-inspection-scanning-with-openssf-scorecard
  - Assessment claims: The assessment states the 5.4 figure comes from Chainguard's analysis of 1,500 Wolfi upstream repos, not the 1 million critical projects.
  - Source actually says: The source explicitly states 'We evaluated the security of upstream Wolfi packages by running the OpenSSF Scorecard tool on 1,500+ GitHub repositories' and 'The average score is 5.4 out of 10.' This is correctly attributed.