
Cybersecurity · Credibility 87/100 · 1 min read

Security Briefing — OpenSSF Scorecard 5.0 Release

The Open Source Security Foundation released Scorecard 5.0 on September 7, 2023, expanding automated supply chain checks with new security metrics, SARIF support, and GitHub Advanced Security integration options.

Executive briefing: The OpenSSF Scorecard project shipped version 5.0 on September 7, 2023. The update strengthens maintainability and risk scoring for open-source repositories consumed by enterprise software teams.

Key updates

  • New checks. Scorecard 5.0 adds branch protection, CII Best Practices, and fuzzing adoption metrics to the automated assessment.
  • SARIF export. Results can be exported in SARIF format for ingestion into GitHub Advanced Security and other security dashboards.
  • Tokenless GitHub access. The release introduces GitHub App authentication for large-scale scanning without distributing PATs.

Implementation guidance

  • Integrate Scorecard 5.0 checks into dependency risk reviews and platform security scorecards.
  • Leverage SARIF outputs to surface upstream risks inside existing code scanning workflows.
  • Adopt GitHub App authentication to scale scanning across thousands of repositories without storing long-lived tokens.
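The guidance above amounts to a small pipeline: run Scorecard, gate the dependency on the aggregate score and on the checks the briefing calls out (branch protection, CII Best Practices, fuzzing), and hand the findings to a code scanning dashboard as SARIF. The script below is an added example, not code from the Scorecard project or this briefing. `SAMPLE_REPORT` is a hand-constructed document in the shape of `scorecard --format json` output (repo, aggregate score, per-check scores with -1 meaning inconclusive); the thresholds in `CHECK_FLOORS` and `MIN_AGGREGATE` are assumed policy values, and the SARIF it emits is a minimal SARIF 2.1.0 log rather than Scorecard's own SARIF output.

```python
"""Dependency risk gate over Scorecard JSON output, plus a minimal SARIF 2.1.0 export.

Added example; SAMPLE_REPORT is constructed by hand and the thresholds are assumptions.
"""
import json

# Constructed sample in the shape of `scorecard --format json`; not a real scan.
# Scorecard reports -1 for a check it could not evaluate, 0..10 otherwise.
SAMPLE_REPORT = json.dumps({
    "date": "2023-09-07",
    "repo": {"name": "github.com/example-org/example-lib",
             "commit": "0" * 40},  # placeholder commit, not a real one
    "score": 6.8,
    "checks": [
        {"name": "Branch-Protection", "score": 3,
         "reason": "branch protection is not maximal on development and all release branches",
         "details": ["Warn: 'force pushes' enabled on branch 'main'"],
         "documentation": {"short": "Determines if the default and release branches are protected.",
                           "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection"}},
        {"name": "CII-Best-Practices", "score": 0,
         "reason": "no effort to earn an OpenSSF best practices badge detected",
         "details": None,
         "documentation": {"short": "Determines if the project has an OpenSSF Best Practices badge.",
                           "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices"}},
        {"name": "Fuzzing", "score": 10,
         "reason": "project is fuzzed",
         "details": ["Info: OSSFuzz integration found"],
         "documentation": {"short": "Determines if the project uses fuzzing.",
                           "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing"}},
        {"name": "Token-Permissions", "score": -1,
         "reason": "internal error: unable to read workflow files",
         "details": None,
         "documentation": {"short": "Determines if the project's workflows follow least privilege.",
                           "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions"}},
    ],
})

# Assumed policy: minimum aggregate score plus per-check floors. Adjust to your own risk appetite.
MIN_AGGREGATE = 6.0
CHECK_FLOORS = {"Branch-Protection": 5, "CII-Best-Practices": 1,
                "Fuzzing": 5, "Token-Permissions": 5}


def evaluate(report_json, min_aggregate=MIN_AGGREGATE, floors=CHECK_FLOORS):
    """Return {"passed", "failures", "inconclusive"} for one Scorecard JSON report.

    A -1 (inconclusive) or absent check is listed separately: a scanner error must
    not silently block a review, but it must never count as a pass either.
    """
    report = json.loads(report_json)
    failures, inconclusive = [], []
    if report["score"] < min_aggregate:
        failures.append(f"aggregate score {report['score']} is below {min_aggregate}")
    by_name = {c["name"]: c for c in report["checks"]}
    for name, floor in floors.items():
        check = by_name.get(name)
        if check is None or check["score"] == -1:
            inconclusive.append(name)
        elif check["score"] < floor:
            failures.append(f"{name} scored {check['score']}, floor is {floor}")
    return {"passed": not failures, "failures": failures, "inconclusive": inconclusive}


def score_to_level(score):
    """Map a 0..10 check score (or -1) onto a SARIF result level."""
    if score == -1:
        return "note"      # inconclusive: surface it without alarming
    if score < 5:
        return "error"
    if score < 10:
        return "warning"
    return "none"          # full marks: no finding to report


def to_sarif(report_json):
    """Convert a Scorecard JSON report into a minimal SARIF 2.1.0 log.

    Every check becomes a rule; only checks below full marks produce a result.
    Results carry no location, which SARIF permits for repository-wide findings.
    """
    report = json.loads(report_json)
    rules, results = [], []
    for check in report["checks"]:
        rules.append({"id": check["name"],
                      "shortDescription": {"text": check["documentation"]["short"]},
                      "helpUri": check["documentation"]["url"]})
        level = score_to_level(check["score"])
        if level == "none":
            continue
        results.append({"ruleId": check["name"], "level": level,
                        "message": {"text": f"{check['reason']} (score {check['score']}/10)"},
                        "properties": {"repo": report["repo"]["name"],
                                       "details": check["details"] or []}})
    return {"version": "2.1.0",
            "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "runs": [{"tool": {"driver": {"name": "scorecard", "rules": rules}},
                      "results": results}]}


if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_REPORT), indent=2))
    print(json.dumps(to_sarif(SAMPLE_REPORT), indent=2))
```

Run as-is it prints the verdict (two failures, one inconclusive check) and the SARIF log. In a real pipeline the report would come from `scorecard --format json` on the dependency's repository; the point of keeping inconclusive checks out of both the pass and fail buckets is that a transient scanner error, such as the Token-Permissions case in the sample, shows up as a gap to investigate rather than as a false block or a false clean bill.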

Tags

  • OpenSSF Scorecard
  • Software supply chain
  • Open source security
  • Risk scoring