Simple Container hits a perfect 10 on the OpenSSF Scorecard

A tool that runs inside your CI/CD pipeline and provisions resources in your cloud accounts has no business asking for trust it can’t prove. So we set out to prove it — externally, mechanically, against the toughest open standards we could find.
As of June 21, 2026, Simple Container scores a perfect 10/10 on the OpenSSF Scorecard — every one of the eighteen checks at maximum — and holds the OpenSSF Best Practices Gold badge, with the passing, silver, and gold tiers all at 100%.
Both are third-party assessments. Neither is our word. You can click the badges above and check the live numbers right now.
Why this matters
From our security policy:
“Simple Container (sc) is an OSS supply-chain tool that runs in consumer CI/CD and provisions cloud resources in customer accounts. A vulnerability in this codebase can propagate downstream to every consumer, so we treat all reports as high priority.”
That’s the whole argument. sc sits at a chokepoint: it builds, signs, and ships your software, and it stands up the infrastructure that runs it. If that link in the chain is weak, every project downstream inherits the weakness. A supply-chain tool that isn’t itself supply-chain-hardened is a contradiction. The Scorecard and the Best Practices badge are how we make the claim falsifiable instead of rhetorical.
What a perfect 10 actually covers
The OpenSSF Scorecard runs eighteen independent checks, weekly, automatically. All eighteen are at 10/10. Grouped by what they protect:
Verifiable, tamper-evident releases
- Signed-Releases — every release is signed with keyless cosign, logged in the Rekor transparency log.
- Packaging + Binary-Artifacts — published through the pipeline; no unreviewed binaries committed to the tree.
- On top of the check itself: SLSA Build L3 provenance and a CycloneDX SBOM attached to every release — and the builds are now bit-for-bit reproducible, so anyone can rebuild the same source and confirm the published artifact matches.
Dependency hygiene
- Pinned-Dependencies — actions and base images pinned by digest, not floating tags.
- Dependency-Update-Tool — a two-stream Dependabot setup (security-first ecosystems, plus grouped version bumps).
- Vulnerabilities — govulncheck, Trivy, and GHSA tracking gate every PR and merge.
Code and CI integrity
- Branch-Protection + Code-Review — no unreviewed code reaches main.
- Token-Permissions — least privilege per CI job: read-only by default, write only where a job genuinely needs it.
- Dangerous-Workflow — no script-injection or self-hosted-runner footguns.
- SAST — CodeQL and Semgrep on every change.
- CI-Tests + Fuzzing — tests and fuzz targets run in CI.
Project health
- Maintained, Contributors, License, Security-Policy, CII-Best-Practices — all green.
The Gold badge: the hard three
The OpenSSF Best Practices Gold tier is a separate bar, and the last three criteria are the ones most projects stall on. We closed all three:
- Reproducible builds — -trimpath, deterministic archive flags, and timestamp-free compression mean a clean rebuild of the same version yields a byte-identical binary and tarball. There’s a public recipe to verify it.
- Per-file license + copyright — 550+ source files carry an SPDX header, enforced going forward by a linter so it can’t regress.
- 90%+ statement test coverage — we climbed to 90.3% on a published, reviewer-verifiable scope (documented in TESTING.md), up from 41%.
This is the same control set the broader standards bodies ask for — CIS, OWASP CI/CD Top 10, SLSA, and NIST SSDF — folded into one continuously-measured posture rather than a point-in-time audit.
Verify it yourself
That’s the point of picking external, automated standards: you don’t have to take our word for any of this.
- Scorecard: scorecard.dev/viewer/?uri=github.com/simple-container-com/api
- Best Practices: bestpractices.dev/projects/12886
- Reproducible build recipe: rebuild a release and diff the digest against the signed artifact.
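The reproducible-build criterion and the "rebuild and diff the digest" step above, as an added shell example that is not the project's published recipe: it packs a constructed sample tree with the deterministic archive flags and timestamp-free gzip the post names, and shows that two packagings differing only in file metadata yield the same SHA-256, the value one would compare against the signed artifact. It assumes GNU tar, gzip and sha256sum; the `go build -trimpath` half of the recipe is not exercised here.

```shell
#!/bin/sh
# Added example, not Simple Container's own recipe. Pins every source of
# nondeterminism in the archiving step: entry order, mtimes, owner/group,
# and the gzip header timestamp. The binary half (go build -trimpath ...)
# is assumed to have been done already and is not run by this script.
set -eu

# repro_tar DIR OUT: pack DIR into OUT (.tar.gz) deterministically.
repro_tar() {
    dir=$1; out=$2
    tar --sort=name --mtime='@0' --owner=0 --group=0 --numeric-owner \
        -C "$dir" -cf - . | gzip -n -9 > "$out"   # -n drops name+timestamp
}

# digest FILE: hex SHA-256, the number to diff against the signed release.
digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# same_digest A B: succeeds only if both files hash identically.
same_digest() {
    [ "$(digest "$1")" = "$(digest "$2")" ]
}

# pack_twice MUTATE: build a constructed sample tree, copy it, apply MUTATE
# to the copy, pack both, and return 0 if the archives match.
pack_twice() {
    work=$(mktemp -d)
    mkdir -p "$work/a/pkg"
    printf 'package main\n' > "$work/a/pkg/main.go"       # constructed source
    printf 'module example.invalid/demo\n' > "$work/a/go.mod"
    cp -r "$work/a/." "$work/b/"
    "$1" "$work/b"
    repro_tar "$work/a" "$work/one.tar.gz"
    repro_tar "$work/b" "$work/two.tar.gz"
    if same_digest "$work/one.tar.gz" "$work/two.tar.gz"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

# Metadata-only change: a rebuild on another machine at another time.
touch_only() { touch -d '2001-01-01' "$1/pkg/main.go"; }
# Content change: what a tampered or mismatched rebuild looks like.
edit_source() { printf '// changed\n' >> "$1/pkg/main.go"; }

demo_reproducible() { pack_twice touch_only; }   # expect identical digests
demo_tampered()     { ! pack_twice edit_source; } # expect differing digests
```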
What it means for what we build on top
Everything in our stack inherits this foundation. Forge — our AI workflow engine — ships software through sc, which means an agent-driven pipeline ends in the same signed, SBOM-attested, provenance-backed release a human pipeline would. When AI agents are committing and shipping code, a verifiable supply chain stops being a nice-to-have and becomes the only sane default. A perfect Scorecard isn’t a trophy; it’s the floor we want everything above it to stand on.
sc is open source and free to use — the CLI, the encrypted-in-git secrets, and the whole signed release pipeline. Take it for a spin on GitHub, and if you find something we missed, our security policy tells you exactly how to tell us.