The Scorecards project, an automated security tool that produces a “risk score” for open-source projects, reached version 2 yesterday.
The new version adds new security checks, scores a much larger number of projects, and makes its data easily accessible for analysis. The project was created last fall by the Google Open Source Security Team and the Open Source Security Foundation.
“Scorecards help reduce the toil and manual effort required to continually evaluate changing packages when maintaining a project’s supply chain. Consumers can automatically assess the risks that dependencies introduce and use this data to make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements,” the Google Open Source Security Team said.
The new checks follow the Know, Prevent, Fix framework that Google set out earlier this year. The Branch-Protection check lets developers verify that the project enforces a mandatory code review by another developer before code is merged. Third-party repositories can use the less informative Code-Review check instead.
New checks have also been added for continuous fuzzing and static code analysis, which catch bugs early in the development lifecycle. These checks detect whether a project uses fuzzing and SAST tools as part of its CI/CD system.
To mitigate potential threats that stem from abuse of GitHub Actions, Scorecards’ Token-Permissions check now verifies that GitHub workflows follow the principle of least privilege by making GitHub tokens read-only by default.
Scorecards also provides a Binary-Artifacts check for widely used antipatterns that break the provenance principle, and a Frozen-Deps check for the ‘curl | bash’ antipattern, which dynamically pulls dependencies at build time.
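To make the Token-Permissions and Frozen-Deps checks concrete, here is an added example (not code from the Scorecards project) of a deliberately simplified checker in Python: it flags a workflow that leaves the GITHUB_TOKEN with its write defaults or grants top-level write scopes, and it flags a `run:` step that pipes a downloaded script into a shell. The two workflow texts are constructed for this example, and the line-based parsing is an assumption that stands in for a real YAML parser.

```python
import re
# Constructed sample workflow showing the weak defaults the checks look for.
WEAK_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: curl -sSL https://example.invalid/install.sh | bash
      - run: make
"""
# Same workflow with a read-only token and no piped install script.
HARDENED_WORKFLOW = """\
name: build
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: make
"""
# A download tool whose output is piped straight into a shell.
CURL_PIPE_SH = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|k|da)?sh\b")
def check_workflow(text):
    findings = []  # one human-readable finding per weak setting
    lines = text.splitlines()
    # Only a non-indented 'permissions:' line sets the workflow-wide default.
    perm_idx = next((i for i, l in enumerate(lines) if l.startswith("permissions:")), None)
    if perm_idx is None:
        findings.append("no top-level permissions: GITHUB_TOKEN keeps write defaults")
    else:
        value = lines[perm_idx].split(":", 1)[1].strip()
        if value == "write-all":
            findings.append("permissions: write-all grants every scope write access")
        elif value == "":  # mapping form: inspect each scope until indentation ends
            for line in lines[perm_idx + 1:]:
                if not line.startswith(" "):
                    break
                scope, _, access = line.strip().partition(":")
                if access.strip() == "write":
                    findings.append(f"permissions.{scope} is write at top level")
    for n, line in enumerate(lines, 1):
        if CURL_PIPE_SH.search(line):
            findings.append(f"line {n}: remote script piped into a shell")
    return findings
```

Running `check_workflow` on the weak sample yields two findings and on the hardened sample none; the real Scorecards checks cover far more cases, such as per-job permissions and Dockerfiles.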
The new Vulnerability check also lists all known vulnerabilities for a project, so users don’t have to subscribe to a separate vulnerability alert system.