The Linux Foundation Member Summit 2022

Most software is built with hundreds if not thousands of dependencies and transitive dependencies. Knowing the health of these dependencies in your software is a daunting task. How do you know which dependencies are maintained? When a new dependency is included, wouldn't it be nice to get a score of the dependencies' health? Enter OSSF Scorecard. Scorecards is an automated tool that assesses several important heuristics ("checks") associated with software security and assigns each check a score of 0-10. These scores help understand specific areas to improve to strengthen the security posture of a dependency. Projects like enoyproxy,tensorflow, and flutter use Scorecard. This talk will introduce Scorecard, a tool that scans many risky patterns in the development life cycle. The scorecard project runs a weekly scan of 1M critical projects, and we will provide some findings about the results. Developers can use these public results to assess the risk associated with dependencies they use, with a real example of projects doing that today. We will demonstrate how a given project can understand the risk by using Scorecard's New REST API for querying the health of the OSS dependency.