Google, in collaboration with the Open Source Security Foundation community, has launched an updated version of Scorecards, its automated security tool that produces a “risk score” for open source projects. The new version features improved security checks that follow the Know, Prevent, Fix framework Google proposed earlier this year, and makes the resulting data easily accessible for analysis.
With the new Branch-Protection check, developers can verify that the project enforces mandatory code review from another developer before code is committed. Currently, this check can only be run by a repository admin due to GitHub API limitations. For a third-party repository, the team recommends using the less informative Code-Review check instead.
Google has also added checks that detect whether a project uses Fuzzing and SAST tools as part of its CI/CD system. Moreover, Scorecards’ Token-Permissions prevention check now verifies that GitHub workflows follow the principle of least privilege by making GitHub tokens read-only by default.
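To make the Token-Permissions point concrete, here is an added example (not from the article or the Scorecards project) of a GitHub Actions workflow written the way that check expects: the GITHUB_TOKEN is read-only at the top level and only the one job that actually needs write access is elevated. The workflow name, job names and the publish script are constructed for illustration. The form the check flags is the same file with the top-level `permissions:` block omitted (so the token falls back to the repository’s default permissions) or set to `write-all`.

```yaml
# Added example, not code from the article or the Scorecards project.
# Workflow name, job names and ./scripts/publish.sh are hypothetical.
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Top-level default: the GITHUB_TOKEN handed to every job is read-only.
# Leaving this key out, or writing `permissions: write-all`, is what the
# Token-Permissions check reports as a violation of least privilege.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the read-only default above; tests never need to write.
    steps:
      - uses: actions/checkout@v2
      - run: make test

  publish:
    runs-on: ubuntu-latest
    needs: test
    if: github.event_name == 'push'
    # Elevate only this job, and only the one scope it needs.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v2
      - run: ./scripts/publish.sh   # hypothetical release script
```

Scoping the elevation to a single job keeps a compromised or malicious step in the `test` job (for example, a pull request from a fork) from using the token to push code, create releases or alter repository contents.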
It is important to know the vulnerabilities in a project before taking it on as a dependency. Scorecards can now provide this information via the new Vulnerabilities check, without the need to subscribe to a vulnerability alert system.
Scorecards data for available projects is now included in the recently announced Google Open Source Insights project and is also showcased in the OpenSSF Security Metrics project. The data on these sites shows that there are still important security gaps to fill, even in widely used packages like Kubernetes.