SRC002 — https://www.chainguard.dev/unchained/wolfis-upstream-security-inspection-scanning-with-openssf-scorecard¶
Contents¶
Metadata¶
| Field | Value |
|---|---|
| URL | https://www.chainguard.dev/unchained/wolfis-upstream-security-inspection-scanning-with-openssf-scorecard |
| Authors | Chainguard / Chainguard Labs |
| Date | 2024-08-02 |
Content Summary¶
Chainguard's analysis of OpenSSF Scorecard scores for 1,511 upstream Wolfi package repositories hosted on GitHub. Scores averaged 5.4 out of 10 with a roughly bell-shaped distribution. A 100x increase in GitHub stars correlates with about a one-point increase in Scorecard score. Ruby and C packages scored notably lower than the average (4.8 and 4.7 respectively).
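To make the summary's numbers concrete, the following script shows how the statistics it reports (mean score, score distribution, per-language means, score change per 100x stars, and the checks that most often fail) can be computed from per-repository Scorecard results. This is an added example, not code from the Chainguard post. The top-level `score` and the `checks` list with `name`/`score` entries follow the shape of `scorecard --format=json` output; the `language` and `stars` fields are assumed extra metadata joined from the package index and the GitHub API, and the five records are constructed, not real repositories.

```python
"""Aggregate OpenSSF Scorecard JSON results into study-style statistics.

Added example. The records below are constructed; "score" and "checks"
mimic `scorecard --format=json`, while "language" and "stars" are assumed
extra metadata that the analysis would have joined from elsewhere.
"""
import json
import math
from collections import Counter, defaultdict

# Constructed sample: one Scorecard result per line (fake repositories).
SAMPLE_JSONL = """\
{"repo": {"name": "github.com/example/ruby-gem"}, "score": 4.0, "language": "Ruby", "stars": 10, "checks": [{"name": "Pinned-Dependencies", "score": 0}, {"name": "Branch-Protection", "score": 3}, {"name": "Signed-Releases", "score": -1}]}
{"repo": {"name": "github.com/example/c-lib"}, "score": 4.0, "language": "C", "stars": 100, "checks": [{"name": "Pinned-Dependencies", "score": 2}, {"name": "Branch-Protection", "score": 0}, {"name": "Code-Review", "score": 8}]}
{"repo": {"name": "github.com/example/ruby-app"}, "score": 3.5, "language": "Ruby", "stars": 1000, "checks": [{"name": "Pinned-Dependencies", "score": 1}, {"name": "Branch-Protection", "score": 2}, {"name": "Maintained", "score": 10}]}
{"repo": {"name": "github.com/example/go-tool"}, "score": 5.0, "language": "Go", "stars": 10000, "checks": [{"name": "Pinned-Dependencies", "score": 4}, {"name": "Branch-Protection", "score": 7}, {"name": "Signed-Releases", "score": -1}]}
{"repo": {"name": "github.com/example/go-svc"}, "score": 6.0, "language": "Go", "stars": 100000, "checks": [{"name": "Pinned-Dependencies", "score": 7}, {"name": "Branch-Protection", "score": 8}, {"name": "Code-Review", "score": 9}]}
"""


def load_results(jsonl_text):
    """Parse one Scorecard JSON result per non-empty line."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def mean_score(results):
    """Average aggregate score across repositories."""
    return sum(r["score"] for r in results) / len(results)


def score_histogram(results):
    """Repositories per whole-point bucket 0..10 (a perfect 10.0 lands in bucket 10)."""
    hist = {bucket: 0 for bucket in range(11)}
    for r in results:
        hist[min(int(r["score"]), 10)] += 1
    return hist


def mean_by_language(results):
    """Average score per primary language (the study's Ruby/C comparison)."""
    by_lang = defaultdict(list)
    for r in results:
        by_lang[r["language"]].append(r["score"])
    return {lang: sum(s) / len(s) for lang, s in by_lang.items()}


def score_per_100x_stars(results):
    """OLS slope of score on log10(stars), scaled to a 100x (two-decade) change.

    Repositories without a positive star count are skipped because log10 is
    undefined there; at least two distinct star counts are required.
    """
    pts = [(math.log10(r["stars"]), r["score"]) for r in results if r.get("stars", 0) > 0]
    if len(pts) < 2:
        raise ValueError("need at least two repositories with star counts")
    xbar = sum(x for x, _ in pts) / len(pts)
    ybar = sum(y for _, y in pts) / len(pts)
    sxx = sum((x - xbar) ** 2 for x, _ in pts)
    if sxx == 0:
        raise ValueError("all repositories have the same star count")
    sxy = sum((x - xbar) * (y - ybar) for x, y in pts)
    return 2 * sxy / sxx


def failing_checks(results, threshold=5):
    """Count checks scoring below threshold. Scorecard uses -1 for an
    inconclusive or not-applicable check, which is not a failure."""
    counts = Counter()
    for r in results:
        for check in r["checks"]:
            if 0 <= check["score"] < threshold:
                counts[check["name"]] += 1
    return counts


if __name__ == "__main__":
    results = load_results(SAMPLE_JSONL)
    print(f"repositories: {len(results)}")
    print(f"mean score: {mean_score(results):.2f}")
    print("histogram:", {b: n for b, n in score_histogram(results).items() if n})
    print("by language:", mean_by_language(results))
    print(f"score change per 100x stars: {score_per_100x_stars(results):+.2f}")
    print("most common failing checks:", failing_checks(results).most_common(3))
```

On real data the loader would read one JSON file per repository as written by `scorecard --repo=... --format=json`; the slope function is the only part that needs the star counts, so repositories that lack that metadata still contribute to the mean, histogram and check tallies.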
Reliability: Medium¶
Corporate blog post with transparent methodology but not peer-reviewed; Chainguard is a security company with commercial interests.
Relevance: High¶
Directly reports the 5.4 average Scorecard score that matches the researcher's claim, with distribution data.
Bias Assessment¶
| Domain | Rating | Rationale |
|---|---|---|
| Missing Data | Some concerns | Only 62% of Wolfi packages had GitHub URLs; sample is Wolfi-specific, not the full 1 million critical projects. |
| Measurement | Low risk | Used standard OpenSSF Scorecard tool on actual repositories. |
| Selective Reporting | Low risk | Reported both positive and negative findings, including that scores are 'typical' rather than alarming. |
| Randomization | N/A | Not an RCT. |
| Protocol Deviation | N/A | Not an RCT. |
| Conflict Of Interest | Some concerns | Chainguard sells container security products and has commercial interest in highlighting security gaps. |