scorecarddev
The scorecarddev analyzer fetches OpenSSF Scorecard security assessments for the image source repository.
Overview
- Analyzer Name: scorecarddev
- External API: https://api.securityscorecards.dev
- Output Schema: scorecarddev.schema.json
Functionality
The analyzer evaluates the source repository behind a container image in three steps:
- Source Repo Resolution: Identifies the GitHub/GitLab repository from OCI labels (such as org.opencontainers.image.source) or Docker Hub metadata. The label is set by the image publisher and is not verified against the image contents, so a missing or mismatched label yields no result or a result for the wrong repository.
- API Integration: Queries the OpenSSF Scorecard API for that repository's latest published assessment.
- Check Reporting: Summarizes the aggregate score and individual security checks such as "Binary-Artifacts", "Code-Review", "Dependency-Update-Tool", and "Signed-Releases". Each check is scored from 0 to 10; a score of -1 means the check was inconclusive.
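The three steps above, worked through end to end as an added example (this is illustration code, not the analyzer's own implementation). It resolves the repository from the org.opencontainers.image.source OCI label only, allowing just github.com and gitlab.com so that an arbitrary publisher-controlled URL cannot be turned into an outbound request; the Docker Hub fallback is omitted. The API path follows the public Scorecard endpoint GET /projects/{platform}/{org}/{repo}. The response used here is a constructed sample in the shape the API returns, not real data, so the block runs offline.

```python
"""Added illustration of the scorecarddev flow: resolve the source repo from
OCI labels, build the Scorecard API URL, summarize the checks. Not the
analyzer's own code."""
from __future__ import annotations

import re
from urllib.parse import urlparse

# OCI annotation carrying the source repository URL.
SOURCE_LABEL = "org.opencontainers.image.source"
API_BASE = "https://api.securityscorecards.dev"
# Platforms the public Scorecard API serves; anything else is rejected.
ALLOWED_HOSTS = ("github.com", "gitlab.com")
_REPO_PATH = re.compile(r"^/([^/]+)/([^/]+?)(?:\.git)?/?$")


def resolve_source_repo(labels: dict[str, str]) -> str | None:
    """Return '<host>/<org>/<repo>' from the OCI source label, or None.

    Only https URLs on an allowed host with exactly an org and a repo
    segment are accepted; a trailing '.git' or '/' is tolerated.
    """
    url = labels.get(SOURCE_LABEL)
    if not url:
        return None
    parsed = urlparse(url.strip())
    host = parsed.netloc.lower()
    if parsed.scheme != "https" or host not in ALLOWED_HOSTS:
        return None
    match = _REPO_PATH.match(parsed.path)
    if not match:
        return None
    org, repo = match.groups()
    return f"{host}/{org}/{repo}"


def scorecard_url(repo: str) -> str:
    """Public Scorecard API: GET /projects/{platform}/{org}/{repo}."""
    return f"{API_BASE}/projects/{repo}"


def summarize(result: dict) -> dict:
    """Reduce a Scorecard API result to the aggregate score and per-check scores.

    Checks scoring below 5 are listed as failing; -1 (inconclusive) is
    kept separate so it is not mistaken for a zero.
    """
    checks = {c["name"]: c.get("score", -1) for c in result.get("checks", [])}
    return {
        "repo": result.get("repo", {}).get("name"),
        "score": result.get("score"),
        "checks": checks,
        "failing": sorted(n for n, s in checks.items() if 0 <= s < 5),
        "inconclusive": sorted(n for n, s in checks.items() if s < 0),
    }


# Constructed sample in the shape of a Scorecard API result (not real data).
SAMPLE_LABELS = {SOURCE_LABEL: "https://github.com/example/app.git"}
SAMPLE_RESULT = {
    "repo": {"name": "github.com/example/app", "commit": "0" * 40},
    "score": 6.2,
    "checks": [
        {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo"},
        {"name": "Code-Review", "score": 3, "reason": "found 3 unreviewed changesets out of 10"},
        {"name": "Dependency-Update-Tool", "score": 0, "reason": "no update tool detected"},
        {"name": "Signed-Releases", "score": -1, "reason": "no releases found"},
    ],
}

if __name__ == "__main__":
    repo = resolve_source_repo(SAMPLE_LABELS)
    print("would query:", scorecard_url(repo))
    print(summarize(SAMPLE_RESULT))
```

In a real run the analyzer would fetch scorecard_url(repo) over HTTPS and pass the parsed JSON to summarize; here the constructed SAMPLE_RESULT stands in for that response.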