Google and its co-members at the Open Source Security Foundation have announced a major update to their open source security Scorecards project, with an automated security tool that generates a “risk score” for open-source software projects.
Other updates include a new branch-protection check, which developers can use to verify that the open source project they wish to use has a mandatory code review process in place from another developer. This is to ensure that bad actors with malicious intent don’t introduce backdoors to a codebase. Scorecards also now also includes checks to see whether a project uses fuzzing and SAST tools in their CI/CD process, which should help prevent vulnerabilities from entering a codebase.
Scorecards is one of the first projects being released under the OpenSSF since its inception in August, 2020. Scorecards aims to automate analysis of the security posture of open source projects as well as use the security health metrics to proactively improve the security posture of other critical projects. To date, the tool has been scaled up to evaluate security criteria for over 50,000 open source projects.
The release of Scorecards comes weeks after the company previewed an end-to-end framework called Supply Chain Levels for Software Artifacts to ensure the integrity of software artifacts and prevent unauthorized modifications over the course of the development and deployment pipeline.