Question 1

How to add a Scorecard badge to my GitHub repository readme?

Accepted Answer

Enable 'publish_results: true' in the Scorecard GitHub Action settings, then add the markdown badge code from the README. The badge auto-updates with each scan to show your current security score.

Question 2

OpenSSF Scorecard vs Snyk for open source security scanning?

Accepted Answer

Scorecard focuses on repository-level security practices like branch protection and CI tests, while Snyk specializes in dependency vulnerability scanning. Scorecard is free and automated, but Snyk offers more detailed vulnerability databases and commercial support.

Question 3

Does Scorecard work with private GitLab repositories?

Accepted Answer

Yes, but you need a GitLab access token with read permissions. Note that some checks, such as SAST, are unsupported for GitLab, so results may be incomplete compared to GitHub.

Question 4

How to fix a low 'Pinned-Dependencies' score in Scorecard?

Accepted Answer

Pin all dependencies in configuration files like package.json or requirements.txt to specific versions or commit hashes. Use tools like Dependabot to automate updates while maintaining pins.

Question 5

What authentication token is needed for Scorecard CLI on GitHub?

Accepted Answer

Use a GitHub personal access token with the 'public_repo' scope, or a GitHub App installation for higher rate limits. Set it as the GITHUB_AUTH_TOKEN environment variable before running the CLI.

Question 6

Can Scorecard check vulnerabilities in npm or PyPI packages directly?

Accepted Answer

Scorecard can analyze the GitHub source repo of a package using flags like --npm or --pypi, but it doesn't scan the packaged artifacts themselves. It relies on the OSV service for vulnerability data linked to the repository.

scorecard

What is scorecard?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions