Google and the Open Source Security Foundation (OpenSSF) have announced a major update to Scorecards, an automated security tool that produces a “risk score” for open source projects based on a multi-criteria evaluation.
The OpenSSF launched the Scorecards project last fall in a bid to evaluate and identify the security weaknesses in open source projects.
“Today, in collaboration with the Open Source Security Foundation community, we are announcing Scorecards v2. We have added new security checks, scaled up the number of projects being scored, and made this data easily accessible for analysis,” wrote members of the Google Open Source Security Team in a blog post.
We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.
According to Google, the Scorecards project has evaluated security criteria for over 50,000 open source projects to date. In fact, this data is used by the recently announced Google Open Source Insights project and is also showcased as part of the OpenSSF Security Metrics project.
New features
With the increased dependency on open source software, the Scorecards project was conceptualized to help reduce the effort required to maintain sanitized software supply chains.
To that end, several new checks have been added following the Know, Prevent, Fix framework Google proposed earlier this year.
Scorecards v2 can now verify whether a project enforces mandatory security reviews from other developers before committing the code. The new version of the tool also has checks to detect if a project uses Fuzzing and SAST tools as part of their CI/CD system, since these can be used to catch bugs early in the development lifecycle.
As they run through the new features in Scorecard v2, the Google developers note that the tools’ Token-Permissions prevention check now verifies that the GitHub workflows follow the principle of least privilege by making GitHub tokens read-only by default.
Vulnerabilities in open source projects pose a great security threat for all businesses according to a recent survey, and Scorecards v2 will help flag any issues before software is taken up as a dependency.