Overall Risk Assessment

The Overall Risk Assessment (ORA) is intended to give every container hosted in Iron Bank a wide-angled score consistent with the metrics from OSSF.


Please refer to the official policy for more details.

Metrics, Weight, and Criteria

| Category | Description | Weight |
| --- | --- | --- |
| Maintained | A repository is considered actively maintained when it is frequently updated and when vulnerabilities are resolved within a designated time frame. This is a calculated score based on the metrics below. | |
| - Successful Pipelines | This measures whether a vendor is actively contributing to and fixing findings in their repositories. A pipeline must reach the VAT stage to receive partial credit; otherwise it does not count as running. | 5 |
| Vulnerabilities | The number of vulnerabilities that have been detected in the last 90 days (rolling window). This is a calculated score based on the metrics below. | |
| - Current Open Vulnerabilities Risk | This score begins with 100 points, and points are subtracted for each open finding based on calculated weights listed in the full documentation. | 90 |
| Dependency Update Tool | Whether an automated dependency updater tool is used to pull in upstream updates for some or all of the components of the container. If one is not used, this can be sent to VAT as a "finding", so it must be justified by a contributor or vendor. | 5 |