The Open Source Security Foundation (OpenSSF) runs "checks" on open source projects to create a scorecard for each project, assessed against GitHub repositories. You can learn more about OpenSSF Scorecard here. For detailed information on individual scorecard checks, see the Scorecard GitHub documentation.
Tidelift continuously ingests the OpenSSF Scorecard checks into our data, and makes the data available via our API and UX.
OpenSSF checks have these benefits:
- they are a third-party standard
- they include some source code repository checks that Tidelift does not provide natively
OpenSSF Scorecard checks also have some limitations:
- they generally do not have manual corrections; for example, if a license is not available in an easily machine-readable form, OpenSSF may report it as missing while Tidelift may know it is present
- some of them are controversial; for example, not all maintainers agree that pinned dependencies are a good practice
- they are a single set of criteria applied to every package, regardless of package function or ecosystem
The checks performed by the OpenSSF Scorecard project can be another input into your assessment of good and bad open source packages.
Tidelift ensures that your open source is following these best practices
Tidelift is the only company that is in business contracts with the maintainers behind thousands of open source packages to uphold a set of secure development practices that increase their scores on the OpenSSF Scorecard. You can read more about the impact of our work here.