Google, OpenSSF Update Scorecards Project With New Security Checks
Google’s Open Source security team, in collaboration with the Open Source Security Foundation (OpenSSF) community, today announced an update to the Scorecards project to include more security checks.
An automated security tool, the Scorecards project provides risk scores for open source projects, to help users, developers, and enterprises stay informed on the security risks associated with their dependencies, as well as to make informed decisions about them.
With Scorecards, users no longer have to evaluate packages when maintaining a project’s supply chain, as the tool automates the assessment process and provides information on the risks associated with employed dependencies.
Launched in November 2020 with support for software repositories from GitHub only, Scorecards has been scaled to scan more projects and also includes more checks, to help enhance the security of open source projects further.
Scorecards V2 was released today with a Branch-Protection check to make sure that any code change is reviewed by another developer before it is committed, in an attempt to mitigate the issue of malicious contributors. The GitHub API limitations only allow for a repository admin to run this check at the moment, but the Code-Review check can be used for third-party repositories.
Another new check delivers information on whether a project uses Fuzzing and SAST tools to perform fuzzing and static code analysis and identify vulnerable code early in the development lifecycle.
With the new Token-Permissions prevention check, Scorecards verifies if “GitHub workflows follow the principle of least privilege by making GitHub tokens read-only by default,” thus mitigating the risk of an attacker using malicious pull requests to access privileged GitHub tokens and push malicious code to the repo.
A new Binary-Artifacts check is now available to ensure that all dependencies that dependencies use are declared, so that all risks associated with them are known. Additionally, a Frozen-Deps check has been included to mitigate against attacks from malicious dependencies, such as the recent CodeCov incident.
Scorecards also includes an Automated-Dependency-Update check that verifies if an open source project relies on tools such as dependabot or renovatebot to review and update dependencies. A new Vulnerabilities check was also included to gain insight into known vulnerabilities in a project.
To date, Scorecards has been able to assess the security of 50,000 open source projects, but a redesigned architecture can now periodically evaluate critical projects and share the information in a public BigQuery dataset that is updated weekly. The data can be retrieved using the bq command line tool.
Google also included Scorecards data in the newly announced Open Source Insights project, while OpenSSF included it in the Security Metrics project.