
Google, OpenSSF Update Scorecards Project With New Security Checks

Google’s Open Source security team, in collaboration with the Open Source Security Foundation (OpenSSF) community, today announced an update to the Scorecards project to include more security checks.

An automated security tool, the Scorecards project provides risk scores for open source projects, to help users, developers, and enterprises stay informed on the security risks associated with their dependencies, as well as to make informed decisions about them.

With Scorecards, users no longer have to evaluate each package by hand when maintaining a project’s supply chain: the tool automates the assessment and reports the risks associated with the dependencies a project uses.

Launched in November 2020 with support for software repositories from GitHub only, Scorecards has been scaled to scan more projects and also includes more checks, to help enhance the security of open source projects further.

Scorecards V2 was released today with a Branch-Protection check that verifies that every code change is reviewed by another developer before it is merged, in an attempt to mitigate the risk posed by malicious contributors. Because of GitHub API limitations, only a repository admin can run this check at the moment, but the Code-Review check can be used on third-party repositories.

Two further checks, Fuzzing and SAST, report whether a project uses fuzzing and static code analysis tools to identify vulnerable code early in the development lifecycle.

With the new Token-Permissions check, Scorecards verifies whether “GitHub workflows follow the principle of least privilege by making GitHub tokens read-only by default,” mitigating the risk of an attacker using a malicious pull request to obtain a privileged GitHub token and push malicious code to the repository.
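The following added example (not Scorecards’ own code) approximates what the Token-Permissions check looks for: it reads the top-level `permissions` key of a GitHub workflow file and flags a missing key (the token then gets the repository default), `write-all`, or any scope granted `write`. The two workflow texts are constructed samples, the weak one beside its read-only-by-default variant.

```python
import re

# Constructed sample: no top-level `permissions`, so GITHUB_TOKEN receives the
# repository's default permissions (historically read/write on everything).
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
"""

# Hardened variant: the token is read-only by default; a job that needs a
# write scope would request it in its own job-level `permissions` block.
HARDENED_WORKFLOW = WEAK_WORKFLOW.replace("jobs:", "permissions: read-all\njobs:")


def top_level_permissions(workflow_text):
    """Return the column-0 `permissions` value: a scalar such as 'read-all',
    a dict of scope -> access for the mapping form, or None when absent."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(.*?)\s*$", line)
        if not m:
            continue
        if m.group(1):                      # scalar form, e.g. read-all
            return m.group(1).strip("'\"")
        scopes = {}                         # mapping form: indented scope lines
        for sub in lines[i + 1:]:
            sm = re.match(r"^\s+([\w-]+):\s*([\w-]+)\s*$", sub)
            if not sm:
                break
            scopes[sm.group(1)] = sm.group(2)
        return scopes
    return None


def token_permissions_findings(workflow_text):
    """List the conditions a Token-Permissions style check would flag."""
    perms = top_level_permissions(workflow_text)
    if perms is None:
        return ["no top-level permissions: token gets repository default"]
    if perms == "write-all":
        return ["top-level permissions: write-all"]
    if isinstance(perms, dict):
        return [f"top-level write permission on {scope}"
                for scope, access in perms.items() if access == "write"]
    return []
```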

A new Binary-Artifacts check is now available to ensure that all dependencies used by a project’s dependencies are declared, so that the risks associated with them are known. Additionally, a Frozen-Deps check has been included to mitigate attacks through malicious dependencies, such as the recent Codecov incident.

Scorecards also includes an Automated-Dependency-Update check that verifies whether an open source project relies on tools such as dependabot or renovatebot to review and update its dependencies. A new Vulnerabilities check was also added to provide insight into known vulnerabilities in a project.

To date, Scorecards has assessed the security of 50,000 open source projects, and a redesigned architecture can now periodically evaluate critical projects and publish the results in a public BigQuery dataset that is updated weekly. The data can be retrieved using the bq command-line tool.

Google also included Scorecards data in the newly announced Open Source Insights project, while OpenSSF included it in the Security Metrics project.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
