C002 — OpenSSF Scorecard Average of 5.4 Out of 10 — Unlikely as stated (20-45%)
Summary
Claim: The average OpenSSF Scorecard score across the top one million critical open source projects is 5.4 out of 10.
Bottom Line: The claim conflates two separate facts: OpenSSF scans 1 million critical projects weekly (confirmed), and the average Scorecard score is 5.4 (confirmed for Chainguard's analysis of 1,511 Wolfi packages). No source combines these into the claim as stated. The 5.4 figure is plausible for the broader ecosystem (Chainguard notes it is 'typical') but is not confirmed for the 1M critical project population.
Results
| Artifact | Description |
|---|---|
| Input | Original text, clarification, scope, vocabulary |
| Assessment | Evidence synthesis, probability assessment, gaps |
| Self-Audit | Process audit across 4 ROBIS domains |
| Reading List | Prioritized source list |
Hypotheses
| ID | Label | Status |
|---|---|---|
| H1 |  | — |
| H2 |  | — |
| H3 |  | — |
Searches
| ID | Target | Returned | Selected |
|---|---|---|---|
| S01 | H1 | 0 | 0 |
| S02 | H2 | 0 | 0 |
| S03 | H3 | ? | ? |
| S04 | H1 | ? | ? |
Sources
| ID | Title | Reliability | Relevance |
|---|---|---|---|
| SRC001 | https://mir.cs.illinois.edu/marinov/publications/HiltonETAL1 | High | High |
| SRC002 | https://arxiv.org/html/2602.14572v3 | High | High |
| SRC003 | https://www.blackduck.com/blog/open-source-trends-ossra-repo | High | High |
| SRC004 | https://www.scworld.com/news/open-source-vulnerabilities-per | Medium | High |
| SRC005 | https://www.sonatype.com/state-of-the-software-supply-chain/ | High | High |
| SRC006 | https://www.sonatype.com/press-releases/sonatypes-10th-annua | High | High |
| SRC007 | https://www.chainguard.dev/unchained/wolfis-upstream-securit | Medium | High |
| SRC008 | https://github.com/ossf/scorecard | High | High |
| SRC009 | https://blog.jetbrains.com/teamcity/2025/10/the-state-of-cic | Medium | Medium |
| SRC010 | https://arxiv.org/html/2409.07669v2 | High | High |
| SRC011 | https://www.pixee.ai/blog/sast-false-positives-reduction | Medium | High |
| SRC012 | https://thenewstack.io/checking-linuxs-code-with-static-anal | High | High |
| SRC013 | https://www.sonatype.com/state-of-the-software-supply-chain/ | High | High |
Evidence Snapshot
| Dimension | Rating |
|---|---|
| Evidence quality | Medium |
| Source agreement | Medium |
Revisit Triggers
- [data_update] OpenSSF publishes an aggregate average Scorecard score from their 1M critical project BigQuery dataset.
- [study] An academic paper computing mean/median Scorecard scores from the BigQuery public dataset is published.
- [study] Chainguard or another organization publishes a Scorecard analysis of a larger population (>10,000 projects).
- [event] OpenSSF Scorecard methodology changes significantly (e.g., adding or removing checks, changing weights).