
The Scorecards project, an automated security tool that produces a “risk score” for open-source projects, reached version 2 yesterday. 

The new version adds new security checks, scales up the number of projects being scored, and makes the data easily accessible for analysis. 

It was created last fall by the Google Open Source Security Team and the Open Source Security Foundation. 

“Scorecards helps reduce the toil and manual effort required to continually evaluate changing packages when maintaining a project’s supply chain. Consumers can automatically assess the risks that dependencies introduce and use this data to make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements,” the Google Open Source Security Team said. 

The new checks follow the Know, Prevent, Fix framework proposed by Google earlier this year. 

The branch-protection check enables developers to verify that the project enforces mandatory code review from another developer before code is committed. Third-party repositories can use the less informative Code-Review check instead.

Also, new checks have been added to enable continuous fuzzing and static code analysis to catch bugs early in the development lifecycle. The checks detect if a project uses Fuzzing and SAST tools as part of the CI/CD system. 

To mitigate potential threats that stem from abuse of GitHub Actions, Scorecard’s Token-Permissions prevention check now verifies that the GitHub workflows follow the principle of least privilege by making GitHub tokens read-only by default.

Scorecards also provides the Binary-Artifacts check for widely used anti-patterns that break the provenance principle, and the Frozen-Deps check for the ‘curl | bash’ anti-pattern, which dynamically pulls dependencies. 
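To make the ‘curl | bash’ anti-pattern concrete, here is a simplified detector added for illustration; it is not Scorecards' own code. The rule names, the `find_pipe_to_shell` function and the sample script (with `example.invalid` URLs) are constructed for this example.

```python
import re

# Assumed, simplified lists of downloaders and shells (not Scorecards' rules).
_FETCH = r"\b(?:curl|wget)\b"
_SHELL = r"\b(?:ba|z|da|k)?sh\b"

RULES = [
    # curl https://... | bash      wget -qO- ... | sudo sh
    ("pipe-to-shell", re.compile(_FETCH + r"[^|;\n]*\|\s*(?:sudo\s+)?" + _SHELL)),
    # bash <(curl https://...)
    ("process-substitution", re.compile(_SHELL + r"\s+<\(\s*" + _FETCH)),
    # sh -c "$(curl https://...)"
    ("command-substitution", re.compile(_SHELL + r"\s+-c\s+[\"']?\$\(\s*" + _FETCH)),
]

def find_pipe_to_shell(text):
    """Return (line_number, rule, line) for lines that download and execute
    remote code in one step, so no pinned or verified copy ever exists."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and comments
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, rule, line))
                break
    return findings

# Constructed sample build script; lines 3-6 should be flagged.
SAMPLE = """\
#!/bin/sh
# curl https://example.invalid/old.sh | sh   (commented out, ignored)
curl -sSL https://example.invalid/install.sh | bash
wget -qO- https://example.invalid/setup | sudo sh
bash <(curl -s https://example.invalid/bootstrap)
sh -c "$(curl -fsSL https://example.invalid/get)"
curl -fsSLO https://example.invalid/tool-1.2.3.tgz
curl -fsSL https://example.invalid/tool-1.2.3.tgz | sha256sum
"""

if __name__ == "__main__":
    for lineno, rule, line in find_pipe_to_shell(SAMPLE):
        print(f"line {lineno}: {rule}: {line}")
```

The last two sample lines are not flagged: downloading to a file or piping into `sha256sum` does not execute the fetched content.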

The project also shows all known vulnerabilities in the new Vulnerabilities check so that users don’t have to subscribe to a vulnerability alert system.