
These 20 metrics ensure visibility, compliance, and accountability in managing open source dependencies.
Getting open source package management right is no longer optional — it’s a core measure of engineering maturity and security diligence. While teams often focus on patching critical vulnerabilities, executive leadership needs a broader, objective view of risk and efficiency. You can move beyond simply reporting “vulnerabilities mitigated” by establishing a data-driven security program. Below are 20 essential metrics that provide a comprehensive, actionable picture of your team’s governance, compliance, maintenance, and overall reliance on the open source ecosystem. Use these to move from reactive defense to proactive, strategic risk management.
Security & Vulnerability Metrics
1. Critical Vulnerability Remediation Rate
Formula: (Critical vulns resolved within 7 days ÷ Total critical vulns found) × 100
Goal: ≥ 90%
Criticality: 🔴 Critical
2. High Vulnerability Remediation Rate
Formula: (High vulns resolved within 30 days ÷ Total high vulns found) × 100
Goal: ≥ 85%
Criticality: 🔴 Critical
3. Mean Time to Remediate (MTTR)
Formula: Sum of remediation times ÷ Total vulns
Goal: < 15 days
Criticality: 🔴 Critical
4. Vulnerability Aging
Formula: Average days vulnerabilities remain open
Goal: < 10 days for High severity
Criticality: 🟡 Nice-to-Have
5. Vulnerabilities per Project
Formula: Total vulnerabilities ÷ Total projects analyzed
Goal: < 2 per project
Criticality: 🔴 Critical
6. Unpatched Dependency Ratio
Formula: (Dependencies with available updates ÷ Total dependencies) × 100
Goal: < 20%
Criticality: 🔴 Critical
7. Transitive Vulnerability Ratio
Formula: (Transitive vulns ÷ Total vulns) × 100
Goal: < 50%
Criticality: 🟡 Nice-to-Have
⚖️ License & Compliance Metrics
8. License Compliance Rate
Formula: (Dependencies with approved licenses ÷ Total dependencies) × 100
Goal: ≥ 95%
Criticality: 🔴 Critical
9. Denied License Violations
Formula: Count of dependencies using GPL, AGPL, LGPL, or Unlicensed code
Goal: 0
Criticality: 🔴 Critical
10. Pending Legal Review Packages
Formula: Count of dependencies pending Legal approval
Goal: ≤ 2 per quarter
Criticality: 🟡 Nice-to-Have
11. License Drift
Formula: (Packages with license changes ÷ Total dependencies) × 100 since last audit
Goal: < 5%
Criticality: 🟡 Nice-to-Have
12. Dependency Provenance Verified
Formula: (Dependencies verified via Sigstore/SLSA ÷ Total dependencies) × 100
Goal: ≥ 85%
Criticality: 🔴 Critical
⚙️ Dependency Health & Maintenance Metrics
13. Outdated Dependency Ratio
Formula: (Dependencies >1 major version behind ÷ Total dependencies) × 100
Goal: < 15%
Criticality: 🔴 Critical
14. Inactive Package Ratio
Formula: (Dependencies with no commits >6 months ÷ Total dependencies) × 100
Goal: < 10%
Criticality: 🔴 Critical
15. Internal Package Adoption Rate
Formula: (Internal approved packages used ÷ Total dependencies) × 100
Goal: ≥ 60%
Criticality: 🟢 Nice-to-Have
16. Fork Maintenance Score
Formula: % of internal forks synced with upstream in last 90 days
Goal: ≥ 75%
Criticality: 🟡 Nice-to-Have
17. Dependency Review Cadence
Formula: Average time between dependency reviews per repo
Goal: ≤ 6 months
Criticality: 🟡 Nice-to-Have
🧭 Process & Governance Metrics
18. SCA Enforcement Coverage
Formula: (Projects with active SCA scanning ÷ Total projects) × 100
Goal: 100%
Criticality: 🔴 Critical
19. Policy Violation Count
Formula: Total CI/CD build failures due to Denied packages or licenses
Goal: 0
Criticality: 🔴 Critical
20. Exception Duration Compliance
Formula: (Exceptions resolved within approved timeframe ÷ Total exceptions) × 100
Goal: ≥ 90%
Criticality: 🔴 Critical

🎯 Dashboard Targets for the Year
- License Compliance ≥ 95%
- Critical Vulns Resolved in < 7 Days
- Provenance Verified ≥ 85%
- Inactive Packages < 10%
- SCA Coverage = 100%
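As an added example (not part of the original article), the script below computes a handful of the metrics above from a constructed SCA-style inventory and scores them against the dashboard targets. The tuple layouts, the 183-day idle threshold for "more than 6 months", and the sample data are assumptions made for illustration; real SCA exports will need their own adapter.

```python
from datetime import date

# Constructed sample inputs (not real SCA output); each finding is (severity, date_found, date_resolved or None).
FINDINGS = [
    ("critical", date(2024, 1, 2), date(2024, 1, 6)),    # 4 days
    ("critical", date(2024, 1, 3), date(2024, 1, 10)),   # 7 days, on the SLA boundary
    ("critical", date(2024, 1, 5), date(2024, 1, 17)),   # 12 days, misses the 7-day SLA
    ("critical", date(2024, 2, 1), None),                # still open
]
# Each dependency is (name, license, provenance_verified, last_upstream_commit).
DEPS = [
    ("lib-a", "MIT", True, date(2024, 1, 20)),
    ("lib-b", "Apache-2.0", True, date(2023, 11, 2)),
    ("lib-c", "GPL-3.0", False, date(2023, 1, 1)),     # denied license, idle upstream
    ("lib-d", "BSD-3-Clause", True, date(2024, 2, 1)),
]
PROJECTS = {"api": True, "web": True, "batch": True}   # project -> SCA scanning active
APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
AS_OF = date(2024, 3, 1)                                # reporting date for age calculations

def pct(part, whole): return 100.0 * part / whole if whole else 0.0

def critical_remediation_rate(findings, sla_days=7):
    # Metric 1: an open critical stays in the denominator, so it pulls the rate down.
    crit = [f for f in findings if f[0] == "critical"]
    on_time = [f for f in crit if f[2] and (f[2] - f[1]).days <= sla_days]
    return pct(len(on_time), len(crit))

def license_compliance_rate(deps):          # Metric 8
    return pct(sum(1 for d in deps if d[1] in APPROVED_LICENSES), len(deps))
def denied_license_violations(deps):        # Metric 9: GPL/AGPL/LGPL or unlicensed
    return sum(1 for d in deps if d[1].startswith(("GPL", "AGPL", "LGPL")) or d[1] == "Unlicensed")
def provenance_verified_rate(deps):         # Metric 12
    return pct(sum(1 for d in deps if d[2]), len(deps))
def inactive_package_ratio(deps, as_of, idle_days=183):   # Metric 14: no commits in >6 months
    return pct(sum(1 for d in deps if (as_of - d[3]).days > idle_days), len(deps))
def sca_coverage(projects):                 # Metric 18
    return pct(sum(projects.values()), len(projects))

def dashboard(findings, deps, projects, as_of):
    # The yearly dashboard targets listed above: metric -> (value, target met?).
    checks = {
        "license_compliance": (license_compliance_rate(deps), 95.0, ">="),
        "critical_remediation": (critical_remediation_rate(findings), 90.0, ">="),
        "provenance_verified": (provenance_verified_rate(deps), 85.0, ">="),
        "inactive_packages": (inactive_package_ratio(deps, as_of), 10.0, "<"),
        "sca_coverage": (sca_coverage(projects), 100.0, ">="),
    }
    return {k: (v, v >= t if op == ">=" else v < t) for k, (v, t, op) in checks.items()}
```

With this sample data only SCA coverage meets its target; the boundary case shows that a finding fixed on exactly day 7 counts as within SLA while the still-open critical counts against the rate.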
Let me know if this has been helpful for you. Have I missed anything important to you? Let me know.
I share lessons from decades in software delivery — from CI/CD to architecture governance. If you’re tackling similar challenges and want a seasoned perspective, I’m available for consulting.