A fair number of projects are pursuing the OpenSSF Scorecard process in addition to (or instead of?) the OpenSSF Best Practices badging. (The badge is worth one point on the ten-point Scorecard.) The program is described here: https://scorecard.dev/. There is the capability to view project records here: https://securityscorecards.dev/viewer/ (which I haven't found publicly linked). And there is an API from which JSON files for individual projects (specified by <platform>/<org>/<repo>) can be downloaded here: https://api.scorecard.dev/projects/. The JSON file includes a score field with the current aggregate score, as well as a lot of other detail.
On the website, this could be handled similarly to the OpenSSF BP progress.
Vincente Bolea and Patrick O'Leary, who are doing a lot of the work with project teams on the Scorecard, believe that there may be some sensitivity to low scores showing for projects early in the process. Personally, I'm inclined to show everything, but we could set up the website to only display the Scorecard score once it reaches some minimum threshold (value to be determined).
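As an added illustration (not code from the post or from the Scorecard project) of how the website could consume the API described above: build the per-project URL, read the `score` field, and apply a display threshold. The URL scheme and the `score` field come from the post; the `checks` array layout follows the public API record shape, while the sample values are constructed, and `-1` is treated as "check did not run".

```python
import json
import re
from urllib.request import urlopen

API_BASE = "https://api.scorecard.dev/projects/"
# Only plain path segments are accepted, so a project name taken from a
# config file or form cannot smuggle extra path components into the request.
_SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def scorecard_url(platform: str, org: str, repo: str) -> str:
    """Return the API URL for <platform>/<org>/<repo>, validating each part."""
    for part in (platform, org, repo):
        if not _SEGMENT.match(part) or ".." in part:
            raise ValueError(f"invalid path segment: {part!r}")
    return f"{API_BASE}{platform}/{org}/{repo}"


def fetch_scorecard(platform: str, org: str, repo: str) -> dict:
    """Download and decode one project's JSON record (needs network access)."""
    with urlopen(scorecard_url(platform, org, repo), timeout=10) as resp:
        return json.load(resp)


def summarize(payload: dict, min_score: float) -> dict:
    """Reduce a record to what a listing page needs: the aggregate score,
    whether it clears the display threshold, and which checks scored low."""
    score = float(payload["score"])
    checks = payload.get("checks", [])
    # Scorecard reports -1 when a check could not be evaluated; skip those.
    weak = sorted(c["name"] for c in checks if 0 <= c.get("score", -1) < 5)
    return {
        "repo": payload["repo"]["name"],
        "score": score,
        "display": score >= min_score,
        "weak_checks": weak,
    }


# Constructed sample record (assumed shape, made-up values) for offline use.
SAMPLE = {
    "repo": {"name": "github.com/example-org/example-repo"},
    "score": 4.2,
    "checks": [
        {"name": "Maintained", "score": 10},
        {"name": "CII-Best-Practices", "score": 0},
        {"name": "Token-Permissions", "score": 3},
        {"name": "Fuzzing", "score": -1},
    ],
}
```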