.svg)
In modern software development, we run on open-source. It’s the engine of innovation, allowing teams to build faster, smarter, and more efficiently. But this incredible leverage comes with a hidden risk that every engineering team faces.
When you add an open-source dependency to your project, you’re not just importing code; you're inheriting its entire security posture. Are you using a package that is actively maintained? Does it have a vulnerability disclosure process? Are its release artifacts secure?
Too often, the answer is a shrug. This is the critical problem of "dependency trust." Teams are forced to fly blind, using packages without real insight into their security practices and unknowingly exposing their own codebase to significant risk.
Until now.
Announcing OSSF Scorecards in Codacy
Our Security and Risk Management platform just got a significant upgrade. We've integrated OSSF Scorecards, giving you a powerful new way to measure and improve the security posture of your open-source dependencies: OSSF Scorecard integration.
Codacy now provides additional security insights for your dependencies by displaying assessment data directly from the Open Source Security Foundation (OSSF) Scorecard project, helping you determine if a dependency is safe for consumption.
What is the OSSF Scorecard? A Deeper Look
The Open Source Security Foundation (OSSF) is a cross-industry collaboration hosted by the Linux Foundation. It brings together leaders like Google, Microsoft, GitHub, and Intel with the shared mission of improving the security of open-source software for everyone.
One of its key initiatives is the OSSF Scorecard, an automated tool that evaluates open-source repositories against a comprehensive set of security best practices. The Scorecard performs numerous checks that dive deep into a project’s repository, assessing critical practices such as:
- Code Review: Are code review practices enforced?
- Branch Protection: Are important branches protected against direct commits?
- Vulnerability Management: Is there a documented vulnerability disclosure process?
- Dependency Security: Are dependency update tools and pinned dependencies used?
- Release Integrity: Are binary artifacts verified and releases signed?
- Security Policy: Is there a documented security policy for the project?
Each project is given an overall security score from 0 (worst) to 10 (best), providing a standardized health check at a glance.
From Raw Data to Actionable Insights in Codacy
When available, OSSF Scorecard information now appears directly on the dependency overview page in Codacy. This gives you not only the overall score but also the detailed results for individual checks.
This integration transforms abstract risk into a clear, actionable signal. For example, a dependency with a low score of 1.3 is an immediate red flag. A click into its report reveals why: It fails on fundamental checks like Code Review and being Actively Maintained.
In contrast, a dependency with a high score of 9.2 provides confidence. Its detailed report shows a mature security posture, passing checks for vulnerability management, signed releases, and token permissions.
Make Informed Decisions, Not Guesses
This information empowers you to make informed decisions about the security risks associated with your dependencies. With OSSF Scorecards integrated into Codacy, your team can:
- Assess Risk Instantly: Understand a dependency's security posture before you push it to production.
- Compare Alternatives: Objectively evaluate different open-source libraries based on a standardized metric.
- Identify Weak Links: Track packages that are no longer maintained, which used to be safe but now are not.
Ultimately, this feature is about replacing the uncertainty and guesswork of dependency management with clarity and confidence. It empowers your developers to build with the best open-source tools, backed by a clear, data-driven understanding of their entire software supply chain. Stop flying blind and start building on a foundation of trust.
Please note: Not all dependencies will have a score available, as OSSF Scorecards are not yet generated for every open-source project in existence. The coverage is continuously expanding.
