# SRC007 — https://www.chainguard.dev/unchained/wolfis-upstream-security-inspection-scanning-with-openssf-scorecard

## Metadata
| Field | Value |
|---|---|
| URL | https://www.chainguard.dev/unchained/wolfis-upstream-security-inspection-scanning-with-openssf-scorecard |
| Authors | Chainguard (John Speed Meyers implied, Head of Chainguard Labs) |
| Date | August 2, 2024 |
## Content Summary
Chainguard scanned 1,511 GitHub repositories in the Wolfi distribution using OpenSSF Scorecard and found the mean aggregate score was 5.4 out of 10, with a bell-shaped distribution. Popular projects (measured by GitHub stars) scored higher: a 100x increase in stars correlated with a one-point score increase. Ruby and C packages had notably lower average scores (4.8 and 4.7).
## Reliability: Medium
Corporate blog post from a reputable security company, but not peer-reviewed; analysis covers Wolfi distribution packages specifically.
## Relevance: High
Provides the exact 5.4 average Scorecard score, though for Wolfi upstream packages rather than 'top one million critical projects'.
## Bias Assessment
| Domain | Rating | Rationale |
|---|---|---|
| Missing Data | Some concerns | Only covers 1,511 Wolfi packages, not the broader critical project set. |
| Measurement | Low risk | Used the standard OpenSSF Scorecard tool without modification. |
| Selective Reporting | Low risk | Reports full distribution including unfavorable findings about language-specific differences. |
| Randomization | N/A | Not an RCT. |
| Protocol Deviation | N/A | Not an RCT. |
| Conflict Of Interest | Some concerns | Chainguard sells security-focused container images; lower upstream scores could support their product narrative. |