# OpenSSF Scorecard

### What is OpenSSF?

Open Source Security Foundation (OpenSSF) is an industry collaboration focused on improving the security of open-source software. The OpenSSF aims to bring together various stakeholders to address security challenges in open-source software and to create resources and initiatives that enhance the overall security posture of the open-source ecosystem.

When the OpenSSF Scorecard framework is integrated with Delivery Shield, its checks are expressed as policies in code. A policy built on one of these checks raises an alert, or blocks the deployment, when the check fails.

### Example of OpenSSF policies in Delivery Shield

* **OpenSSF Binary Artifacts Policy** - Determines whether the project has checked generated executable (binary) artifacts into the source repository.
* **OpenSSF CI Tests Policy** - Determines whether the project runs tests before pull requests are merged. This check currently applies only to GitHub-hosted repositories; other source hosting platforms are not covered.
* **OpenSSF Packaging Policy** - Determines whether the project is published as a package. This check currently works only for GitHub-hosted repositories; other source hosting platforms are not covered.
* **OpenSSF Signed Releases Policy** - Determines whether the project cryptographically signs its release artifacts.
* **OpenSSF Token Permissions Policy** - Determines whether the tokens used by the project's automated workflows follow the principle of least privilege.
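The following is an added example, not Delivery Shield's or the OpenSSF project's own code, showing how the alert-or-block semantics described above can be applied to Scorecard results. `SAMPLE_RESULT` is a constructed document in the shape that `scorecard --repo=... --format=json` emits (a `checks` array with `name`, `score` and `reason` per check); the `POLICY` table, the `evaluate` and `decide` functions, and the treatment of an unscored check (`-1`) as a failure are assumptions made for this illustration and do not describe the platform's actual policy format.

```python
"""Evaluate OpenSSF Scorecard results against an alert/block policy.

Added example, not Delivery Shield code. The policy format is a hypothetical
stand-in; SAMPLE_RESULT is a constructed document in the shape produced by
`scorecard --repo=github.com/example/repo --format=json`.
"""
import json
from dataclasses import dataclass

# Constructed sample result (not a real scan). Scorecard reports -1 for a
# check it could not run, e.g. Packaging on a non-GitHub host.
SAMPLE_RESULT = json.dumps({
    "repo": {"name": "github.com/example/repo",
             "commit": "0000000000000000000000000000000000000000"},
    "score": 6.2,
    "checks": [
        {"name": "Binary-Artifacts", "score": 10,
         "reason": "no binaries found in the repo"},
        {"name": "CI-Tests", "score": 7,
         "reason": "7 out of 10 merged PRs checked by a CI test"},
        {"name": "Packaging", "score": -1,
         "reason": "packaging workflow not detected"},
        {"name": "Signed-Releases", "score": 0,
         "reason": "0 out of 5 artifacts are signed"},
        {"name": "Token-Permissions", "score": 3,
         "reason": "detected GitHub workflow tokens with excessive permissions"},
    ],
})

# Hypothetical policy: minimum score per check and the action when it is not met.
POLICY = {
    "Binary-Artifacts": {"min_score": 10, "action": "block"},
    "CI-Tests": {"min_score": 5, "action": "alert"},
    "Packaging": {"min_score": 1, "action": "alert"},
    "Signed-Releases": {"min_score": 8, "action": "block"},
    "Token-Permissions": {"min_score": 10, "action": "block"},
}


@dataclass
class Finding:
    check: str
    score: int
    action: str
    reason: str


def evaluate(result_json: str, policy: dict) -> list[Finding]:
    """Return one Finding per policy rule whose check does not meet its minimum.

    A score of -1 (check not run) and a check absent from the results are both
    treated as failures: an unscored check gives no assurance, so it must not
    pass silently.
    """
    result = json.loads(result_json)
    by_name = {c["name"]: c for c in result.get("checks", [])}
    findings: list[Finding] = []
    for name, rule in policy.items():
        check = by_name.get(name)
        if check is None:
            findings.append(Finding(name, -1, rule["action"],
                                    "check missing from results"))
            continue
        score = check["score"]
        if score < 0 or score < rule["min_score"]:
            findings.append(Finding(name, score, rule["action"],
                                    check.get("reason", "")))
    return findings


def decide(findings: list[Finding]) -> str:
    """Collapse findings to a pipeline outcome: block beats alert beats pass."""
    if any(f.action == "block" for f in findings):
        return "block"
    if findings:
        return "alert"
    return "pass"


if __name__ == "__main__":
    found = evaluate(SAMPLE_RESULT, POLICY)
    for f in found:
        print(f"{f.action.upper():5} {f.check}: score {f.score} ({f.reason})")
    print("decision:", decide(found))
```

On the constructed sample, Packaging raises an alert (unscored), while Signed-Releases and Token-Permissions fall below their minimums on blocking rules, so the overall decision is `block`. Treating `-1` as a failure is the conservative choice for the GitHub-only checks (CI Tests, Packaging): a repository hosted elsewhere would otherwise pass those rules without ever being assessed.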

Refer to [OpenSSF](https://openssf.org/about/) for more information.

To enable the OpenSSF scan, integrate it with Delivery Shield as described below.

### To Integrate OpenSSF:

1. Navigate to **Config** > **Integrations**.
2. In the **Source** panel, click on **OpenSSF**.

<figure><img src="https://lh7-us.googleusercontent.com/-PLBBpceAq11TR7pX6FwCQL0QaLiceTqRqgjxlTEHUxKO-kaFTm9oycfxxOc7tQVBkYc2ivGS1OxXM4XJbVN_wtnutioz3VF6NggzVh2hqKntjp7PpvhgBrzdbAHcIQpL71zwuFa28_dgx1HNky9NfI" alt=""><figcaption></figcaption></figure>

3. The OpenSSF integration page is displayed.

<figure><img src="https://lh7-us.googleusercontent.com/oj2W6P3JF1sHBdl6YVnZptjNppFA1oJf7O6BiTTzzBICVBe6tCLGz8BBTdAPCh_Av5sb2dTW6sWwXVmPEtaknaU3UxiFwNEPKDsINEBCHweba2Jcv_x62zZpH82NHXW95RYt3hV87TSXvlP4ZF6Y3uE" alt=""><figcaption></figcaption></figure>

4. Enter the **URL** and **Token** values of your OpenSSF account.
5. Click **Save**. The tool is integrated in the source stage.
6. To change the entered values later, click the **Edit** option.
7. Enter the new **URL** and **Token** values and click **Update**. The new values are saved.

The OpenSSF scan can now be enabled or disabled.
