Score open source repositories for supply-chain risk signals before adoption or release decisions with Scorecard
Check a repository against OpenSSF security heuristics before you trust it as a dependency, approve it for use, or ship from it.
What it does
Runs the OpenSSF Scorecard security heuristics against a repository so you can review its supply-chain risk signals before you trust it as a dependency, approve it for use, or ship from it.
Prerequisites
Scorecard CLI or GitHub Action, network access to the target repository host, and optional GitHub authentication for higher API limits.
Installation
Use the upstream install or setup path that matches your environment:
- docker pull ghcr.io/ossf/scorecard:latest
- docker pull ghcr.io/ossf/scorecard:v3.2.1
- docker run -e GITHUB_AUTH_TOKEN=token ghcr.io/ossf/scorecard:latest --show-details --repo=https://github.com/ossf/scorecard
- docker run -e GITHUB_AUTH_TOKEN=token ghcr.io/ossf/scorecard:v3.2.1 --show-details --repo=https://github.com/ossf/scorecard
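A run only produces numbers; the adoption or release decision still has to be made from them. The following is an added example, not code from the Scorecard project: it evaluates one Scorecard result against a simple adoption policy. It assumes the JSON layout of the CLI's `--format json` output (an aggregate `score` plus per-check `name`, `score` and `reason` entries, with -1 for a check that could not run); the sample result and the policy thresholds are constructed for illustration.

```python
"""Gate an adoption decision on a Scorecard JSON result (added example)."""
import json

# Constructed sample resembling `scorecard --format json` output; not a real run.
SAMPLE_RESULT = json.dumps({
    "repo": {"name": "github.com/example/widget", "commit": "deadbeef"},
    "score": 6.2,
    "checks": [
        {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found"},
        {"name": "Dangerous-Workflow", "score": 0, "reason": "untrusted code checkout"},
        {"name": "Pinned-Dependencies", "score": 4, "reason": "unpinned actions"},
        {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},
        {"name": "Vulnerabilities", "score": 10, "reason": "no vulnerabilities"},
    ],
})

# Hypothetical policy: an aggregate floor plus per-check floors for the
# checks that most directly indicate tampering or compromised build paths.
POLICY = {
    "min_aggregate": 5.0,
    "check_floors": {
        "Dangerous-Workflow": 10,
        "Binary-Artifacts": 10,
        "Vulnerabilities": 8,
        "Signed-Releases": 5,
    },
}


def evaluate(result_json, policy=POLICY):
    """Classify a Scorecard JSON result into blocking and review findings."""
    result = json.loads(result_json)
    blocking, review = [], []
    if result["score"] < policy["min_aggregate"]:
        blocking.append(f"aggregate {result['score']} < {policy['min_aggregate']}")
    checks = {c["name"]: c for c in result["checks"]}
    for name, floor in policy["check_floors"].items():
        check = checks.get(name)
        if check is None or check["score"] < 0:
            # Absent or not run (-1): unknown, so it is never silently a pass.
            reason = check["reason"] if check else "missing from result"
            review.append(f"{name}: not evaluated ({reason})")
        elif check["score"] < floor:
            blocking.append(f"{name}: {check['score']} < {floor} ({check['reason']})")
    return {"allowed": not blocking, "blocking": blocking, "review": review}


if __name__ == "__main__":
    verdict = evaluate(SAMPLE_RESULT)
    print("ALLOW" if verdict["allowed"] else "BLOCK")
    for line in verdict["blocking"] + verdict["review"]:
        print("  " + line)
```

Feed it the JSON from a real run (piping the docker command's output with `--format json` into a file) and wire the `allowed` flag into the step that approves a dependency or a release.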
Basic usage or getting-started notes (from upstream):
- Scorecard has been run on thousands of projects to monitor and track security
Extracted from upstream docs: https://raw.githubusercontent.com/ossf/scorecard/HEAD/README.md
Quality: deterministic score 0.45 from registry signals · indexed on github topic:agent-skills · 8 github stars · SKILL.md body (1,543 chars)