SRC005 — https://www.chainguard.dev/unchained/wolfis-upstream-security-inspection-scanning-with-openssf-scorecard
Metadata
| Field | Value |
|---|---|
| URL | https://www.chainguard.dev/unchained/wolfis-upstream-security-inspection-scanning-with-openssf-scorecard |
| Authors | Chainguard (author not explicitly named; John Speed Meyers, Head of Chainguard Labs, implied) |
| Date | August 2, 2024 |
Content Summary
Chainguard scanned 1,511 GitHub repositories associated with Wolfi packages using OpenSSF Scorecard and found the average score is 5.4/10 with a bell-shaped distribution. More popular projects (by GitHub stars) score higher, with a 100x increase in stars associated with a 1-point increase in Scorecard score. Ruby and C packages averaged lower scores (4.8 and 4.7).
Reliability: Medium
Corporate blog post from a security company, but based on reproducible analysis of public data.
Relevance: High
Directly reports the 5.4 average Scorecard score in question; this post is the apparent source of that specific figure.
Bias Assessment
| Domain | Rating | Rationale |
|---|---|---|
| Missing Data | Some concerns | Only analyzed 1,511 Wolfi-associated repos, not the full 1 million critical projects scanned by OpenSSF. |
| Measurement | Low risk | Used the standard OpenSSF Scorecard tool on publicly accessible repos. |
| Selective Reporting | Low risk | Reports both positive and negative findings including low scores for specific languages. |
| Randomization | N/A | Observational analysis. |
| Protocol Deviation | N/A | Not an RCT. |
| Conflict Of Interest | Some concerns | Chainguard sells security products, and low upstream scores support its product narrative; the analysis itself appears straightforward. |