Repository Health (OSSF Scorecard)

Overview

Continuously track health scores for all repositories included in your applications based on key factors, such as code quality, dependency management, CI/CD best practices, and project maintenance.

Key Features

  • Continuous Repo Health Scoring – Continuously track health scores for all repositories included in your applications based on key factors, in areas such as code quality, dependency management, CI/CD best practices, and project maintenance. 

  • Automatic SCM-Triggered Scans – Integration with SCM platforms enables scans to be run automatically upon repository updates, ensuring up-to-date repo health metrics with no manual effort. 

  • Flexible On-Demand Scanning Options – In addition to automatic SCM-triggered scans, developers and security teams can manually run repo health scans at any time via API, CLI, or the Checkmarx One UI. 

  • Unified Risk Reporting – Repository health scores are included in Checkmarx One reports, providing visibility into – and efficient prioritization of – security vulnerabilities, code quality issues, and repository health risks, all in one place.

Limitations

  • Repository health (OSSF Scorecard) is currently supported only for GitHub repos.

Repository Health Checks

The SCS scanner identifies risks based on the following Repository Health checks.

Running Scans

Repository Health scans (OSSF Scorecard) can be run on your Checkmarx One projects via web application, CLI or REST API. It is also possible to set up a code repository integration that automatically triggers a scan whenever a pull request or push event occurs in the SCM. Learn more about running scans here.

Viewing Results

Repository Health (Scorecard) results are shown under the Software Supply Chain tab in your Workspace. See Viewing SCS Results.

Notice

Alternatively, you can access the results for a specific project by opening the SCS results viewer for that project from the Projects tab.

Repository Health (Scorecard)

When the Scorecard scanner is selected in the SCS results viewer, results are grouped by the Repository Health check that identified the risk.

Hover over the info icon next to the name of a check type to see a description of that check.

Click on a check type to expand the section and show a list of risks of that type.

The following information is shown for each risk.

  • Severity – The severity of the risk.

  • File/Artifact – The path to the file or artifact in which the risk was detected.

  • Remediation – A link to the OSSF documentation, which includes remediation recommendations for the relevant OSSF check.