Scorecards prominently noted in Sonatype's 2022 report

David A. Wheeler

In case you didn't see it, there's lots of info in
Sonatype's 8th annual "State of the Software Supply Chain Report" (2022):

It prominently notes Scorecards. They even found a model for using
Scorecards + MTTU to predict the likelihood of known vulnerabilities in a component.
Their analysis suggests that these are the most important Scorecards signals (given their dataset):
* "code review emerges as the most important factor. Code review has long been identified as a high-impact practice that can substantially improve code quality."
* "Binaries provide another attack path, decrease transparency, and reduce auditability of code. So, not having them checked into the repository was the second most important factor."
* "Pinning dependencies was the third most important factor, hinting at the importance of dependency management in maintaining secure software."
* "Branch protection, which enables a formal approval process for code changes and pairs well with code review, was the next most important factor."

More info here on their model/analysis is in this section:

--- David A. Wheeler