Robustness
Definition: The ability of an ecosystem to recover from internal or external conflicts.
Metrics Models
Scorecard
| Metric Name | Definition | Score Range | Weight | Risk Level |
|---|---|---|---|---|
| Binary Artifacts | Checks whether the project contains generated binary files | 0-10 | 10% | High |
| Branch Protection | Checks if the default and release branches are protected | 0-10 | 10% | High |
| CI Tests | Checks if the project runs tests before merging PRs | 0-10 | 8% | Low |
| CII Best Practices | Checks if the project has an OpenSSF Best Practices badge | 0-10 | 8% | Low |
| Code Review | Checks if the project requires manual code review | 0-10 | 10% | High |
| Contributors | Checks if the project has contributors from multiple organizations | 0-10 | 5% | Low |
| Dangerous Workflow | Checks for dangerous code patterns in GitHub Actions workflows | 0-10 | 10% | Critical |
| Dependency Update Tool | Checks if the project uses a dependency update tool | 0-10 | 8% | High |
| Fuzzing | Checks if the project uses fuzz testing | 0-10 | 5% | Medium |
| License | Checks if the project has a license | 0-10 | 5% | Low |
| Maintained | Checks if the project is actively maintained | 0-10 | 8% | High |
| Packaging | Checks if the project is published as a package | 0-10 | 5% | Medium |
| Pinned Dependencies | Checks if the project pins its dependencies | 0-10 | 8% | Medium |
| SAST | Checks if the project uses static application security testing | 0-10 | 5% | Medium |
| SBOM | Checks if the project maintains a Software Bill of Materials | 0-10 | 5% | Medium |
| Security Policy | Checks if the project has a security policy | 0-10 | 5% | Medium |
| Signed Releases | Checks if the project cryptographically signs its release artifacts | 0-10 | 8% | High |
| Token Permissions | Checks if the automated workflow tokens follow the principle of least privilege | 0-10 | 8% | High |
| Vulnerabilities | Checks if the project has unfixed vulnerabilities | 0-10 | 8% | High |
| Webhooks | Checks if webhooks are configured with token authentication | 0-10 | 5% | Critical |
Criticality Score
| Metric Name | Definition | Weight | Threshold |
|---|---|---|---|
| Created Since | Time since project creation (in months) | 9.523% | 120 |
| Updated Since | Time since last project update (in months) | -9.523% | 120 |
| Contributor Count | Number of project contributors (with commit history) | 19.047% | 5000 |
| Org Count | Number of different organizations contributors belong to | 9.523% | 10 |
| Commit Frequency | Average weekly commits in the last year | 9.523% | 1000 |
| Recent Releases Count | Number of releases in the last year | 4.761% | 26 |
| Closed Issues Count | Number of closed issues in the last 90 days | 4.761% | 5000 |
| Updated Issues Count | Number of updated issues in the last 90 days | 4.761% | 5000 |
| Comment Frequency | Average comments per issue in the last 90 days | 9.523% | 15 |
| Dependents Count | Number of times the project is mentioned by other projects in commit messages | 19.047% | 50 |
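Worked example for the two tables above. This is code added here, not code from this page or from the OpenSSF Scorecard or Criticality Score projects. The Criticality Score table gives weights and thresholds but not the aggregation rule, so the example assumes the OpenSSF criticality score formula, C = Σ wᵢ · log(1 + Sᵢ) / log(1 + max(Sᵢ, Tᵢ)), with the table's percentages as wᵢ and its thresholds as Tᵢ; for the Scorecard table it assumes the aggregate is a weighted mean of the per-check 0-10 scores using the table's weights, with checks that have no result left out of both numerator and denominator. The dictionaries, function names and sample inputs are this example's own.

```python
import math

# Criticality Score parameters transcribed from the table above:
# metric -> (weight, threshold). Weights are the table's percentages as
# fractions; a metric's contribution saturates once it reaches the threshold.
CRITICALITY_PARAMS = {
    "created_since":         (0.09523, 120),
    "updated_since":         (-0.09523, 120),   # negative: staleness lowers the score
    "contributor_count":     (0.19047, 5000),
    "org_count":             (0.09523, 10),
    "commit_frequency":      (0.09523, 1000),
    "recent_releases_count": (0.04761, 26),
    "closed_issues_count":   (0.04761, 5000),
    "updated_issues_count":  (0.04761, 5000),
    "comment_frequency":     (0.09523, 15),
    "dependents_count":      (0.19047, 50),
}

# Scorecard check weights transcribed from the table above (percent points).
SCORECARD_WEIGHTS = {
    "Binary Artifacts": 10, "Branch Protection": 10, "CI Tests": 8,
    "CII Best Practices": 8, "Code Review": 10, "Contributors": 5,
    "Dangerous Workflow": 10, "Dependency Update Tool": 8, "Fuzzing": 5,
    "License": 5, "Maintained": 8, "Packaging": 5, "Pinned Dependencies": 8,
    "SAST": 5, "SBOM": 5, "Security Policy": 5, "Signed Releases": 8,
    "Token Permissions": 8, "Vulnerabilities": 8, "Webhooks": 5,
}


def metric_term(value, threshold):
    """Log-scaled contribution of one raw signal, in [0, 1].

    Assumed formula (OpenSSF criticality score): log(1+S) / log(1+max(S, T)).
    Below the threshold the term grows logarithmically; at or above it the
    term is exactly 1, so one huge signal cannot dominate the score.
    """
    if value < 0:
        raise ValueError("raw signals must be non-negative")
    return math.log(1 + value) / math.log(1 + max(value, threshold))


def criticality_score(signals):
    """Weighted sum of the per-metric terms; missing signals count as 0.

    Because updated_since carries a negative weight, a project that is
    otherwise dormant can score slightly below zero.
    """
    total = 0.0
    for name, (weight, threshold) in CRITICALITY_PARAMS.items():
        total += weight * metric_term(signals.get(name, 0), threshold)
    return total


def scorecard_aggregate(check_scores):
    """Weighted mean (0-10) of Scorecard check results.

    Checks absent from check_scores are treated as inconclusive and excluded
    from both numerator and denominator (an assumption of this example).
    """
    weighted = 0.0
    weight_sum = 0
    for check, score in check_scores.items():
        if check not in SCORECARD_WEIGHTS:
            raise KeyError(f"unknown Scorecard check: {check!r}")
        if not 0 <= score <= 10:
            raise ValueError(f"score for {check!r} outside 0-10: {score}")
        weighted += SCORECARD_WEIGHTS[check] * score
        weight_sum += SCORECARD_WEIGHTS[check]
    if weight_sum == 0:
        raise ValueError("no check results to aggregate")
    return weighted / weight_sum


if __name__ == "__main__":
    # Constructed sample signals for a mid-sized, active project.
    sample_signals = {
        "created_since": 48, "updated_since": 1, "contributor_count": 120,
        "org_count": 6, "commit_frequency": 12, "recent_releases_count": 8,
        "closed_issues_count": 300, "updated_issues_count": 450,
        "comment_frequency": 4, "dependents_count": 30,
    }
    print(f"criticality: {criticality_score(sample_signals):.4f}")
    # Constructed sample Scorecard results; checks not listed are inconclusive.
    sample_checks = {"Binary Artifacts": 10, "Branch Protection": 7,
                     "Dangerous Workflow": 10, "Token Permissions": 3}
    print(f"scorecard aggregate: {scorecard_aggregate(sample_checks):.2f}")
```

Two properties are worth checking against the tables: a project at or above every threshold with a fresh update scores the sum of the positive weights (about 0.905), and the only way to move the score below that ceiling is the negative Updated Since term, which is why the weight in the table carries a minus sign.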
CII Best Practices Badge
| Metric Name | Definition |
|---|---|
| Badge Level | Assesses whether an open source project adopts a set of security-focused best development practices |