Blue Goat Cyber - Medical Device Cybersecurity
    Single-dependency risk verdict

    Third-Party Component Risk Scorecard

    Score one component on eight weighted axes - maintenance, provenance, OSSF posture, CVEs, license, origin, AI training-data provenance, and medical-device fit. Get a go / caution / no-go verdict and a rationale you can paste into your design history file.

    Christian Espinosa, Founder & CEO, Blue Goat Cyber

    Reviewed by

    Christian Espinosa

    Founder & CEO, Blue Goat Cyber

    Last reviewed June 17, 2026

    The eight axes and their weights (the weights sum to 100):

    • Maintenance health (weight 15) - release cadence, issue triage, maintainer count.
    • Build provenance & signing (weight 15) - is the release artifact signed and verifiably tied to its source (for example a Sigstore signature or SLSA provenance)?
    • OSSF Scorecard / security posture (weight 10) - public security posture (OpenSSF Scorecard, the OpenSSF Best Practices badge formerly known as CII, or equivalent).
    • Known CVEs (weight 15) - open or recent CVEs against the exact version you pin, not only the latest release.
    • License compatibility (weight 10) - license terms vs. your distribution model.
    • Origin & sanctions exposure (weight 10) - maintainer geography and sanctions risk.
    • AI training-data provenance (weight 10) - scored only if the component is an AI/ML model or framework.
    • Fit for medical-device use (weight 15) - does the project intend to be used in safety-critical systems?

    What you'll see after you submit

    Eight weighted axes → one go / caution / no-go verdict

    • Covers what reviewers, procurement, and security all care about - in one artifact.
    • Axes weighted by impact on safety and supply-chain risk, not equally.
    • Output is paste-ready for your design history file or supplier-onboarding record.
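    To make the weighted-verdict model concrete, here is an added Python example written for this page; it is not the tool's own implementation. Only the eight axis weights come from the page. The 0..4 per-axis scale, the go / caution cut-offs of 80 and 60, the hard gates on license, origin and CVEs, the pro-rata redistribution of the AI axis weight for non-AI components, the library name "examplelib" and all evidence strings are assumptions constructed for the example.

```python
"""Eight-axis weighted scorecard with a go / caution / no-go verdict.
Added example for this page; the weights are the page's, the rest is assumed."""
from dataclasses import dataclass, field

# Axis weights as listed on the page (they sum to 100).
WEIGHTS = {
    "maintenance": 15,
    "provenance": 15,
    "ossf_posture": 10,
    "cves": 15,
    "license": 10,
    "origin": 10,
    "ai_training_data": 10,  # only meaningful for AI/ML models and frameworks
    "medical_fit": 15,
}
assert sum(WEIGHTS.values()) == 100

MAX_AXIS_SCORE = 4      # assumed per-axis scale: 0 = fails, 4 = strong
GO_THRESHOLD = 80       # assumed cut-offs on the 0..100 weighted score
CAUTION_THRESHOLD = 60
# Assumed hard gates: a 0 here is a no-go regardless of the total, because
# healthy maintenance cannot offset an incompatible license, a sanctioned
# maintainer, or an unpatched exploitable CVE in the pinned version.
HARD_GATES = ("license", "origin", "cves")


@dataclass
class AxisRating:
    score: int      # 0..MAX_AXIS_SCORE
    evidence: str   # one line a reviewer can cite (URL, CVE id, license name)


@dataclass
class Verdict:
    verdict: str            # "go" | "caution" | "no-go"
    weighted_score: float   # 0..100
    rationale: list[str] = field(default_factory=list)


def effective_weights(is_ai_component: bool) -> dict[str, float]:
    """Drop the AI axis for non-AI components and spread its points pro rata."""
    if is_ai_component:
        return {k: float(v) for k, v in WEIGHTS.items()}
    kept = {k: v for k, v in WEIGHTS.items() if k != "ai_training_data"}
    total = sum(kept.values())  # 90
    return {k: v * 100.0 / total for k, v in kept.items()}


def score_component(name: str, ratings: dict[str, AxisRating],
                    is_ai_component: bool = False) -> Verdict:
    weights = effective_weights(is_ai_component)
    missing = sorted(set(weights) - set(ratings))
    if missing:
        raise ValueError(f"{name}: no rating for axes {missing}")
    for axis in weights:
        if not 0 <= ratings[axis].score <= MAX_AXIS_SCORE:
            raise ValueError(f"{name}: {axis} score must be 0..{MAX_AXIS_SCORE}")
    weighted = round(sum(weights[a] * ratings[a].score / MAX_AXIS_SCORE
                         for a in weights), 1)
    rationale = [f"{a}: {ratings[a].score}/{MAX_AXIS_SCORE} "
                 f"(weight {weights[a]:.1f}) - {ratings[a].evidence}"
                 for a in weights]
    tripped = [a for a in HARD_GATES if ratings[a].score == 0]
    if tripped:
        verdict = "no-go"
        rationale.append(f"hard gate: {', '.join(tripped)} scored 0")
    elif weighted >= GO_THRESHOLD:
        verdict = "go"
    elif weighted >= CAUTION_THRESHOLD:
        verdict = "caution"
    else:
        verdict = "no-go"
    rationale.append(f"weighted score {weighted}/100 -> {verdict}")
    return Verdict(verdict, weighted, rationale)


def render(name: str, v: Verdict) -> str:
    """Paste-ready block for a design history file or supplier record."""
    return "\n".join([f"Component: {name}", f"Verdict: {v.verdict.upper()}",
                      *v.rationale])


# Constructed sample ratings for a hypothetical non-AI library; the evidence
# strings are illustrative placeholders, not real findings.
SAMPLE_RATINGS = {
    "maintenance":  AxisRating(3, "monthly releases, 3 active maintainers"),
    "provenance":   AxisRating(4, "artifacts signed; SLSA provenance attached"),
    "ossf_posture": AxisRating(2, "Scorecard below average; no branch protection"),
    "cves":         AxisRating(3, "one moderate CVE, fixed in the pinned version"),
    "license":      AxisRating(4, "MIT, compatible with proprietary distribution"),
    "origin":       AxisRating(4, "maintainers in non-sanctioned jurisdictions"),
    "medical_fit":  AxisRating(2, "general-purpose; no stated safety-critical intent"),
}

if __name__ == "__main__":
    print(render("examplelib", score_component("examplelib", SAMPLE_RATINGS)))
    blocked = dict(SAMPLE_RATINGS,
                   license=AxisRating(0, "AGPL-3.0 vs. closed-source firmware"))
    print(render("examplelib (AGPL)", score_component("examplelib", blocked)))
```

    The sample component lands at 77.8/100 ("caution") despite strong signing and license scores because its posture and medical fit are weak; swapping in an incompatible license drives the total to 66.7, still in the caution band, yet the hard gate correctly turns it into a no-go, which is why gating rules belong next to the weighted sum rather than being left to the reviewer's memory.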

    Common misconceptions

    What teams usually get wrong

    • Myth: License is the only third-party-component concern.

      Reality: License is necessary but not sufficient. Maintainer health, signing, CVE posture, and origin all drive real supply-chain risk.

    • Myth: OSSF Scorecard is enough on its own.

      Reality: Scorecard captures repository hygiene (branch protection, pinned dependencies, fuzzing, a license file being present, and similar checks). It does not capture fit-for-purpose, whether the license is compatible with your distribution model, or sanctions exposure.

    References & further reading

    Primary sources behind this tool

    1. OSSF Scorecard - Open Source Security Foundation
    2. SLSA - Supply-chain Levels for Software Artifacts - OpenSSF / Google
    3. Sigstore - Linux Foundation
    4. FDA Cybersecurity in Medical Devices - third-party software - FDA

    Why this tool is current

    Recent regulatory + supply-chain activity

    Tracked signals that change what reviewers expect. Items move on as new ones land.

    Bigger picture