Scorecards prominently noted in Sonatype's 2022 report

David A. Wheeler

In case you didn't see it, there's lots of info in
Sonatype's 8th annual "State of the Software Supply Chain Report" (2022):
https://www.sonatype.com/state-of-the-software-supply-chain/introduction

It prominently notes Scorecards. They even found a model for using
Scorecards + MTTU to predict the likelihood of known vulnerabilities in a component.
Their analysis suggests that these are the most important Scorecards signals (given their dataset):
* "code review emerges as the most important factor. Code review has long been identified as a high-impact practice that can substantially improve code quality."
* "Binaries provide another attack path, decrease transparency, and reduce auditability of code. So, not having them checked into the repository was the second most important factor."
* "Pinning dependencies was the third most important factor, hinting at the importance of dependency management in maintaining secure software."
* "Branch protection, which enables a formal approval process for code changes and pairs well with code review, was the next most important factor."

More info on their model/analysis is in this section:
https://www.sonatype.com/state-of-the-software-supply-chain/project-quality-metrics

--- David A. Wheeler