Security scorecards for open source projects

37 points, by aberoham, over 4 years ago

3 comments

ssddanbrown, over 4 years ago
Received these results for my own open source project:

    ./scorecard --repo=github.com/bookstackapp/bookstack
    <removed status text>
    RESULTS
    -------
    Active: Pass 10
    CI-Tests: Pass 8
    CII-Best-Practices: Fail 10
    Code-Review: Fail 10
    Contributors: Pass 10
    Frozen-Deps: Pass 10
    Fuzzing: Fail 3
    Pull-Requests: Pass 7
    SAST: Fail 0
    Security-Policy: Fail 10
    Signed-Releases: Fail 0
    Signed-Tags: Pass 10

Results appear fair and accurate. I am confused though in how this project is intended to work at a higher level. The blogpost states:

> The goal of the Scorecards project is to auto-generate a "security score" for open source projects to help users as they decide the trust, risk, and security posture for their use case.

Will there be a centralised site to gather and display scores for open source projects? Or will it be up to the open source projects themselves to integrate this into their pages and, if so, what does that look like? Some kind of badge or a listing of the results as above? Just trying to understand how end-users will be interpreting the results in a consistent and trusted manner.
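Added here as a worked example, not code from the post or from the Scorecard project: a small parser for the result format quoted above, plus a hypothetical consumer-side policy that treats a failed check as blocking only when its trailing number (assumed to be the checker's confidence in the verdict, 0 to 10) is high, so that a line like "SAST: Fail 0" becomes a warning rather than a hard stop. The sample text, the policy and the threshold are constructed for the example.

```python
import re

# Constructed sample: the per-check lines from the scorecard run quoted above.
SAMPLE_OUTPUT = """\
-------
Active: Pass 10
CI-Tests: Pass 8
CII-Best-Practices: Fail 10
Code-Review: Fail 10
Contributors: Pass 10
Frozen-Deps: Pass 10
Fuzzing: Fail 3
Pull-Requests: Pass 7
SAST: Fail 0
Security-Policy: Fail 10
Signed-Releases: Fail 0
Signed-Tags: Pass 10
"""

# Hypothetical consumer policy: checks that must pass before a dependency is adopted.
REQUIRED_CHECKS = {"Code-Review", "Security-Policy", "Signed-Releases"}

# One result line: "<Check-Name>: Pass|Fail <0-10>"; the trailing number is assumed
# to be the checker's confidence in its verdict, so "SAST: Fail 0" is a weak signal.
LINE_RE = re.compile(r"^(?P<name>[A-Za-z0-9-]+):\s+(?P<result>Pass|Fail)\s+(?P<conf>\d+)$")


def parse_scorecard(text):
    """Return {check name: (passed, confidence)}; header/status lines are skipped."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results[m["name"]] = (m["result"] == "Pass", int(m["conf"]))
    return results


def evaluate_policy(results, required, min_confidence=7):
    """Return (ok, blocking, warnings). A required check blocks only when it failed
    with confidence >= min_confidence; a low-confidence fail is a warning instead."""
    blocking, warnings = [], []
    for name in sorted(required):
        if name not in results:
            blocking.append(f"{name}: no result")
            continue
        passed, conf = results[name]
        if not passed and conf >= min_confidence:
            blocking.append(f"{name}: failed (confidence {conf})")
        elif not passed:
            warnings.append(f"{name}: failed with low confidence ({conf})")
    return not blocking, blocking, warnings
```

On the sample above the policy blocks on Code-Review and Security-Policy and only warns about Signed-Releases, which is the distinction a "Fail 0" line would otherwise hide.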
jart, over 4 years ago
The usage example in the README gives Kubernetes a 10/10 on security. Would it score that highly if the tool took into consideration all of its dependencies? https://github.com/kubernetes/kubernetes/blob/master/vendor/modules.txt
prepend, over 4 years ago
It seems like an awful waste for me to run these on each of my dependencies in real time. I expected some list that is just maintained and pinged for values.

Also, this scorecard doesn't look for CVEs or problems in particular versions. It seems like it's much more important that there's a valid vulnerability in version 1.04 that I'm using than the current version has code reviews for everything.

The reason I care is that I wish there was some stamp of approval on pypi packages that would make it easier for me to trust particular packages and releases.