Most software is built with hundreds if not thousands of dependencies and transitive dependencies. Knowing the health of these dependencies in your software is a daunting task. How do you know which dependencies are maintained?Wouldn’t it be nice to get a score of the dependencies’ health? Enter OSSF Scorecard. Scorecards is an automated tool that assesses several important heuristics (“checks”) associated with software security and assigns each check a score of 0-10. This talk will introduce Scorecard, a tool that scans many risky patterns in the development life cycle. The scorecard project runs a weekly scan of 1M critical projects, and we will provide some findings about the results. Developers can use these public results to assess the risk associated with dependencies they use.
Naveen contributes to fun OSS projects like https://github.com/ossf and other supply chain security projects. http://github.com/naveensrinivasan.
He was awarded the Google Open Source Peer Bonus Award in 2021 and 2022 for his contributions to Open Source Software (OSS). He maintains a few OSS projects.
