ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

OPENSSF-SCORECARD

OpenSSF Scorecard automated OSS security score.

Definition

Scorecard checks (~20 automated): Binary-Artifacts (no checked-in binaries), Branch-Protection (release branches protected), CI-Tests (CI tests run), CII-Best-Practices (CII Best Practices badge), Code-Review (PRs reviewed >=1 person), Contributors (active contributors), Dangerous-Workflow (GitHub Actions workflows safe), Dependency-Update-Tool (Dependabot/Renovate enabled), Fuzzing (fuzz testing setup), License (LICENSE file), Maintained (active maintenance), Packaging (released via package manager), Pinned-Dependencies (versions pinned), SAST (static analysis security testing), Security-Policy (SECURITY.md present), Signed-Releases (release artifacts signed), Token-Permissions (GitHub workflow tokens permissions least-privilege), Vulnerabilities (known vulns), Webhooks (webhooks limited), Build-Required (build steps machine-readable). Score 0-10 calculated weighted formula. Scorecard CLI runs locally, scorecard.dev API service hosts results ~1M OSS projects scored, GitHub Actions workflow integration. Use cases: OpenSSF Securing Critical Projects Working Group, Google AssuredOSS, npm dependencies vetting tools.

Origin

OpenSSF Scorecard initial release 2020 by Google ; donated OpenSSF Linux Foundation 2021 ; v4.0+ active 2024 ; ~1M OSS projects scored 2024 on scorecard.dev API.

Example in context

Enterprise security team integrates Scorecard GitHub Action in CI pipeline: npm dependencies scanning calculation Scorecard score per dependency, threshold policy 'dependencies must score >=7' fails build if non-compliance dependency low score, alert Slack security channel.

Last updated: May 16, 2026