SRC008 — https://github.com/ossf/scorecard¶
Metadata¶
| Field | Value |
|---|---|
| URL | https://github.com/ossf/scorecard |
| Authors | OpenSSF Scorecard maintainers |
Content Summary¶
The official OpenSSF Scorecard GitHub repository states: 'We run a weekly Scorecard scan of the 1 million most critical open source projects judged by their direct dependencies and publish the results in a BigQuery public dataset.' The tool runs 18 checks, each scored 0-10 (a score of -1 means the check was inconclusive, and such checks are left out of the aggregate). The aggregate score is an average of the per-check scores weighted by each check's risk level (Critical=10, High=7.5, Medium=5, Low=2.5).
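As an added worked example, not code taken from the Scorecard repository, the risk-weighted aggregation described above written in Go. The `CheckResult` type, the `AggregateScore` function and the sample scores are constructed here for illustration; the risk level attached to each named check follows the project's published check documentation, and the exclusion of -1 (inconclusive) results follows the repository's own description of the aggregate.

```go
package main

import (
	"errors"
	"fmt"
)

// riskWeights are the weights the Scorecard README assigns to each risk level.
var riskWeights = map[string]float64{
	"Critical": 10,
	"High":     7.5,
	"Medium":   5,
	"Low":      2.5,
}

// Inconclusive is the sentinel Scorecard reports when a check cannot decide.
const Inconclusive = -1

// CheckResult is a minimal stand-in for a single check's outcome
// (constructed here; not the project's own result type).
type CheckResult struct {
	Name  string
	Risk  string // "Critical", "High", "Medium" or "Low"
	Score int    // 0..10, or Inconclusive
}

// AggregateScore returns the risk-weighted average of all conclusive checks,
// on the same 0..10 scale as the individual checks. Inconclusive checks are
// skipped entirely, so they neither add to the numerator nor to the total weight.
func AggregateScore(checks []CheckResult) (float64, error) {
	var weighted, totalWeight float64
	for _, c := range checks {
		if c.Score == Inconclusive {
			continue
		}
		if c.Score < 0 || c.Score > 10 {
			return 0, fmt.Errorf("check %s: score %d outside 0..10", c.Name, c.Score)
		}
		w, ok := riskWeights[c.Risk]
		if !ok {
			return 0, fmt.Errorf("check %s: unknown risk level %q", c.Name, c.Risk)
		}
		weighted += w * float64(c.Score)
		totalWeight += w
	}
	if totalWeight == 0 {
		return 0, errors.New("no conclusive checks to aggregate")
	}
	return weighted / totalWeight, nil
}

// SampleChecks is a constructed set of results (the scores are made up; the
// risk levels are the ones the project documents for these checks).
func SampleChecks() []CheckResult {
	return []CheckResult{
		{Name: "Dangerous-Workflow", Risk: "Critical", Score: 10},
		{Name: "Token-Permissions", Risk: "High", Score: 0},
		{Name: "Pinned-Dependencies", Risk: "Medium", Score: 5},
		{Name: "License", Risk: "Low", Score: 10},
		{Name: "Fuzzing", Risk: "Medium", Score: Inconclusive}, // excluded
	}
}

func main() {
	// (10*10 + 7.5*0 + 5*5 + 2.5*10) / (10 + 7.5 + 5 + 2.5) = 150 / 25 = 6.0
	score, err := AggregateScore(SampleChecks())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("aggregate score: %.1f\n", score)
}
```

The worked numbers show why the weighting matters: a zero on the High-risk Token-Permissions check pulls the aggregate down far more than the same zero on a Low-risk check would, and the inconclusive Fuzzing result changes nothing, whereas counting it as 0 would have lowered the result to about 4.8.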
Reliability: High¶
Primary source: official project repository for OpenSSF Scorecard.
Relevance: High¶
Confirms that OpenSSF scans the 1 million most critical open source projects weekly and publishes the results in a public BigQuery dataset, directly relevant to claim C002.
Bias Assessment¶
| Domain | Rating | Rationale |
|---|---|---|
| Missing Data | Some concerns | Repository documents the tool and the dataset but does not itself report aggregate score statistics; those would have to be derived from the BigQuery dataset. |
| Measurement | Low risk | Well-documented methodology with transparent scoring criteria. |
| Selective Reporting | Low risk | Open source project with transparent methods. |
| Randomization | N/A | Not an RCT. |
| Protocol Deviation | N/A | Not an RCT. |
| Conflict Of Interest | Low risk | Non-profit foundation project. |