Private preview. fremforge is in private preview — invited customers only. Content is still subject to change.
OpenSSF Scorecard

The OpenSSF Scorecard is an industry-standard set of automated checks of the security posture of an open-source repository. fremforge runs it against every repo in your org on a weekly schedule and surfaces the result as a column on /<org>/_admin/repos.

The checks

Scorecard’s checks span build security, vulnerability hygiene, and project maturity. The headline ones:

  • Branch-Protection — is the default branch protected with required reviews + status checks?
  • Code-Review — what fraction of recent merges had a code review?
  • Pinned-Dependencies — are CI dependencies pinned to specific versions / SHAs?
  • Token-Permissions — does CI use least-privilege tokens?
  • Signed-Releases — are release artifacts cryptographically signed?
  • SAST — does the project run a static analyser in CI?
  • Vulnerabilities — does the dependency tree contain known CVEs?
  • Maintained — is the repo seeing recent commits / issues activity?

Each check returns a score 0–10. The overall score is the weighted average. A perfect 10 is rare; “good” is in the 7–9 range.

How fremforge runs it

The template at apps/api/src/assets/workflow-templates/scorecard-openssf.yaml:

  1. Runs on a weekly schedule (Monday 04:00 UTC) plus on every push to the default branch.
  2. Invokes the ossf/scorecard binary (cached in our SWR mirror — no public registry hops).
  3. POSTs the JSON output to https://frem.sh/_app/api/v1/scorecard/results.

fremforge caches the result per (tenant, repo) and renders the overall score as a column on the Repos page. Click a row to see per-check details.

Interpreting the score

The score is a directional signal, not a compliance gate. A repo scoring 6.5 that is actively maintained and has branch protection and SAST in place is in much better shape than a repo scoring 8 that just happens to do well on cosmetic checks.

We do not recommend wiring “Scorecard score < X” into any merge-blocking rule. If you want a gate, put it on the individual check’s own signal:

  • Branch-Protection failing → fix it on /<org>/_admin/repos (already a separate signal).
  • SAST failing → check /<org>/_admin/code-security (already a separate signal).

Use Scorecard to look at the gap between similar repos: if acme/api scores 8.5 and acme/web scores 6.5, where’s the gap and is it intentional?
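The following worked example is added here and is not fremforge's or the scorecard project's code. It takes two constructed Scorecard JSON results (the field layout follows the `scorecard --format=json` shape: a top-level `checks` list with `name` and `score` per check, `-1` meaning inconclusive), recomputes the weighted aggregate, routes failing checks to the per-check fix locations named above rather than gating on the overall number, and reports the per-check gap between two repos. The risk weights, the check-to-risk mapping, and the `acme/api` and `acme/web` scores are assumptions for illustration.

```python
"""Parse OpenSSF Scorecard JSON, recompute the weighted aggregate, and
triage failing checks into per-check signals instead of a score < X gate.

All data below is constructed; nothing is fetched from a real repo.
"""
import json

# Assumed weights per risk level (scorecard weights higher-risk checks more).
RISK_WEIGHT = {"Critical": 10.0, "High": 7.5, "Medium": 5.0, "Low": 2.5}

# Assumed risk level per check; hypothetical mapping for this example.
CHECK_RISK = {
    "Branch-Protection": "High",
    "Code-Review": "High",
    "Pinned-Dependencies": "Medium",
    "Token-Permissions": "High",
    "Signed-Releases": "High",
    "SAST": "Medium",
    "Vulnerabilities": "High",
    "Maintained": "High",
}

# Where the page says to go when a specific check fails.
FIX_LOCATION = {
    "Branch-Protection": "/<org>/_admin/repos",
    "SAST": "/<org>/_admin/code-security",
}


def load_result(raw: str) -> dict:
    """Parse one scorecard JSON document and validate the fields we rely on."""
    result = json.loads(raw)
    checks = result.get("checks")
    if not isinstance(checks, list):
        raise ValueError("scorecard JSON has no 'checks' list")
    for check in checks:
        if "name" not in check or "score" not in check:
            raise ValueError(f"malformed check entry: {check!r}")
    return result


def aggregate_score(result: dict) -> float:
    """Weighted average of check scores; -1 (inconclusive) is left out."""
    num = den = 0.0
    for check in result["checks"]:
        if check["score"] < 0:
            continue
        weight = RISK_WEIGHT[CHECK_RISK.get(check["name"], "Medium")]
        num += weight * check["score"]
        den += weight
    return round(num / den, 1) if den else 0.0


def failing_checks(result: dict, threshold: int = 5) -> dict:
    """Checks scoring below threshold, mapped to their fix location (None if unlisted)."""
    return {
        c["name"]: FIX_LOCATION.get(c["name"])
        for c in result["checks"]
        if 0 <= c["score"] < threshold
    }


def score_gap(a: dict, b: dict) -> dict:
    """Per-check difference a - b, listing only checks where the two repos differ."""
    b_scores = {c["name"]: c["score"] for c in b["checks"]}
    return {
        c["name"]: c["score"] - b_scores[c["name"]]
        for c in a["checks"]
        if c["name"] in b_scores and c["score"] != b_scores[c["name"]]
    }


def _sample(repo: str, scores: dict) -> str:
    """Build a constructed scorecard JSON document for one repo."""
    return json.dumps({
        "date": "2024-01-01",  # constructed
        "repo": {"name": repo, "commit": "0000000"},  # constructed placeholder
        "checks": [{"name": n, "score": s, "reason": "constructed"} for n, s in scores.items()],
    })


ACME_API = load_result(_sample("acme/api", {
    "Branch-Protection": 8, "Code-Review": 8, "Pinned-Dependencies": 5,
    "Token-Permissions": 10, "Signed-Releases": -1, "SAST": 10,
    "Vulnerabilities": 10, "Maintained": 10,
}))
ACME_WEB = load_result(_sample("acme/web", {
    "Branch-Protection": 2, "Code-Review": 8, "Pinned-Dependencies": 5,
    "Token-Permissions": 10, "Signed-Releases": -1, "SAST": 0,
    "Vulnerabilities": 10, "Maintained": 10,
}))

if __name__ == "__main__":
    for r in (ACME_API, ACME_WEB):
        print(r["repo"]["name"], aggregate_score(r), failing_checks(r))
    print("gap api - web:", score_gap(ACME_API, ACME_WEB))
```

Note that `acme/web` lands in the “good” 6–7 band on the aggregate even though two individual checks are at 0 and 2; `failing_checks` surfaces exactly those two, each with the page the fix belongs on, which is the signal a gate should use. `score_gap` answers the “where is the gap between similar repos” question directly: here it is entirely Branch-Protection and SAST.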

Self-hosting note

The scorecard binary itself is open-source (Apache-2.0); fremforge runs it in your CI runners, not on our infrastructure. No code or commits leave your tenant boundary. The score JSON we ingest contains only the check results — no source snippets.

See also

  • Branch protection — drives the Branch-Protection score.
  • SBOMs — drives the Dependencies + Vulnerabilities scores.