Additional Resources
2022 Open Source Security and Risk Analysis Report: This report by Synopsys “examines vulnerabilities and license conflicts found in more than 2,400 codebases across 17 industries. The report offers recommendations to help security, legal, risk, and development teams better understand the security and risk landscape accompanying open source development and use.”
OpenSSF Scorecard: This tool runs automated checks for risky practices across a project's software supply chain, covering its source code, build process, dependencies, testing, and ongoing maintenance. Each check returns a score from 0 to 10 and carries a risk level; the risk level sets the weight that check contributes to a single aggregate score, so a poor result on a high-risk check lowers the aggregate more than the same result on a low-risk one. The aggregate gives a quick sense of the project's overall security posture, and every check comes with remediation guidance to help you fix the problem and strengthen your development practices.
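The scoring model described above is easy to turn into a policy gate: read a Scorecard JSON result, recompute the risk-weighted aggregate, and fail a build when the aggregate or a named check falls below a threshold. The following Python is an added example written for this page, not code from the Scorecard project. The check-to-risk-level table and the per-level weights are assumptions made to illustrate the weighting the text describes (confirm them against the current Scorecard documentation before relying on them), the convention that an inconclusive check is reported with a score of -1 is likewise an assumption, and the JSON document is constructed sample data, not real tool output.

```python
"""Recompute a risk-weighted Scorecard aggregate and gate on it (illustrative example)."""
import json

# Assumption: weight per risk level, reproducing the weighting described in the text.
RISK_WEIGHTS = {"Critical": 10.0, "High": 7.5, "Medium": 5.0, "Low": 2.5}

# Assumption: risk level per check name. Treat as illustrative; check the project docs.
CHECK_RISK = {
    "Dangerous-Workflow": "Critical",
    "Binary-Artifacts": "High", "Branch-Protection": "High", "Code-Review": "High",
    "Dependency-Update-Tool": "High", "Maintained": "High", "Signed-Releases": "High",
    "Token-Permissions": "High", "Vulnerabilities": "High",
    "Fuzzing": "Medium", "Packaging": "Medium", "Pinned-Dependencies": "Medium",
    "SAST": "Medium", "Security-Policy": "Medium",
    "CI-Tests": "Low", "CII-Best-Practices": "Low", "Contributors": "Low", "License": "Low",
}

# Assumption: a check that could not be evaluated is reported with this score and is
# excluded from the aggregate rather than counted as a zero.
INCONCLUSIVE = -1

# Constructed sample result in the shape of a Scorecard JSON document (not real output).
SAMPLE_RESULT = json.dumps({
    "repo": {"name": "github.com/example/project", "commit": "0123abcd"},
    "checks": [
        {"name": "Dangerous-Workflow", "score": 10, "reason": "no dangerous workflow patterns detected"},
        {"name": "Token-Permissions", "score": 0, "reason": "workflow tokens with excessive permissions"},
        {"name": "Pinned-Dependencies", "score": 3, "reason": "dependencies not pinned by hash"},
        {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},
        {"name": "Vulnerabilities", "score": 10, "reason": "no vulnerabilities detected"},
    ],
})


def parse_checks(result_json):
    """Return {check name: (score, reason)} from a Scorecard-style JSON document."""
    doc = json.loads(result_json)
    return {c["name"]: (int(c["score"]), c.get("reason", "")) for c in doc["checks"]}


def aggregate_score(result_json):
    """Risk-weighted mean (0..10) of all conclusive check scores."""
    total = weight_sum = 0.0
    for name, (score, _) in parse_checks(result_json).items():
        if score == INCONCLUSIVE:
            continue
        weight = RISK_WEIGHTS[CHECK_RISK.get(name, "Low")]  # unknown checks weighted as Low
        total += score * weight
        weight_sum += weight
    return total / weight_sum if weight_sum else 0.0


def failing_checks(result_json, threshold=5):
    """Names of conclusive checks scoring below threshold, worst score first."""
    low = [(score, name) for name, (score, _) in parse_checks(result_json).items()
           if score != INCONCLUSIVE and score < threshold]
    return [name for _, name in sorted(low)]


def gate(result_json, min_aggregate=7.0,
         must_pass=("Dangerous-Workflow", "Token-Permissions"), min_check=7):
    """Policy decision: (passed, reasons). Named checks must be conclusive and score >= min_check."""
    reasons = []
    agg = aggregate_score(result_json)
    if agg < min_aggregate:
        reasons.append(f"aggregate {agg:.1f} is below {min_aggregate}")
    checks = parse_checks(result_json)
    for name in must_pass:
        score, why = checks.get(name, (INCONCLUSIVE, "check not run"))
        if score == INCONCLUSIVE or score < min_check:
            reasons.append(f"{name} scored {score}: {why}")
    return (not reasons, reasons)


if __name__ == "__main__":
    passed, why = gate(SAMPLE_RESULT)
    print(f"aggregate={aggregate_score(SAMPLE_RESULT):.1f} passed={passed}")
    for line in why:
        print(" -", line)
```

Gating on named checks as well as the aggregate matters because a single critical finding (here, over-permissive workflow tokens) can hide behind a respectable average when many low-risk checks score well.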
Concise Guide for Evaluating Open Source Software: This guide, aimed at software developers, provides a series of technical questions to work through before adopting an open source dependency or tool, so that you can evaluate its security and sustainability up front.