OpenSSF Scorecard: On the Path Toward Ecosystem-wide Automated Security Metrics

Abstract

The OpenSSF Scorecard project is an automated tool to monitor the security health of open-source software. This study evaluates the applicability of the Scorecard tool and compares the security practices and gaps in the npm and PyPI ecosystems.
