
Latest Google Scorecards Tool Looks for More Security Risks in Open-Source Software

by CISOCONNECT Bureau

Scorecards, Google’s automated security tool that generates a “risk score” for open source initiatives, has been upgraded with additional checks and features for making the data generated by the utility accessible for analysis.

Google’s Open Source Security Team said Thursday: “With so much software today relying on open-source projects, consumers need an easy way to judge whether their dependencies are safe.”

“Scorecards helps reduce the toil and manual effort required to continually evaluate changing packages when maintaining a project’s supply chain.”

Scorecards aims to automate analysis of the security posture of open source projects and to use security health metrics to proactively improve the posture of other crucial projects. To date, the tool has been used to assess security criteria for over 50,000 open source projects.

The new checks include: detection of malicious authors or compromised accounts that could introduce backdoors into code, use of fuzzing (e.g., OSS-Fuzz) and static code analysis tools (e.g., CodeQL), signs of CI/CD compromise, and bad dependencies.

The team said: “Pinning dependencies is useful everywhere we have dependencies: not just during compilation, but also in Dockerfiles, CI/CD workflows, etc.”

“Scorecards checks for these anti-patterns with the Frozen-Deps check. This check is helpful for mitigating against malicious dependency attacks such as the recent Codecov attack.”
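To illustrate the kind of anti-pattern the Frozen-Deps check is looking for, here is an added example (not Scorecards’ own code) of a small Python scanner that flags base images and package installs that are not pinned in a Dockerfile, and actions that are not pinned to a commit SHA in a GitHub Actions workflow. The sample files are constructed, and the digest and commit SHA in them are placeholder values.

```python
import re

# Constructed sample inputs (not from the article); the digest and commit SHA
# below are placeholder values, not real ones.
SAMPLE_DOCKERFILE = "\n".join([
    "FROM python:3.11-slim",                      # tag only: mutable
    "FROM alpine@sha256:" + "0" * 64,             # pinned by digest
    "RUN pip install requests",                   # floating version
    "RUN pip install --require-hashes -r requirements.txt",
])
SAMPLE_WORKFLOW = "\n".join([
    "steps:",
    "  - uses: actions/checkout@v3",              # mutable tag
    "  - uses: actions/setup-go@" + "1" * 40 + "  # v4.0.0",  # pinned to SHA
    "  - run: npm install",                       # lockfile not enforced
])

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")     # image@sha256:<64 hex>
COMMIT_SHA = re.compile(r"@[0-9a-f]{40}$")        # owner/action@<40 hex>
INSTALL = re.compile(r"\b(pip|npm|go|apt-get) install\b")

def dockerfile_findings(text):
    """Return (line_no, message) pairs for unpinned references in a Dockerfile."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        words = line.split()
        if len(words) < 2:
            continue
        if words[0].upper() == "FROM" and not DIGEST.search(words[1]):
            findings.append((n, "base image not pinned by digest: " + words[1]))
        elif words[0].upper() == "RUN" and INSTALL.search(line) \
                and "==" not in line and "--require-hashes" not in line:
            findings.append((n, "package install without pinned version"))
    return findings

def workflow_findings(text):
    """Return (line_no, message) pairs for unpinned references in a workflow."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        uses = re.search(r"uses:\s*(\S+)", line)
        if uses and not COMMIT_SHA.search(uses.group(1)):
            findings.append((n, "action not pinned to a commit SHA: " + uses.group(1)))
        elif "run:" in line and INSTALL.search(line) and "==" not in line:
            findings.append((n, "package install without pinned version"))
    return findings

if __name__ == "__main__":
    for name, found in (("Dockerfile", dockerfile_findings(SAMPLE_DOCKERFILE)),
                        ("workflow", workflow_findings(SAMPLE_WORKFLOW))):
        for n, msg in found:
            print(f"{name}:{n}: {msg}")
```

Only the tag-only image, the floating `pip install`, the `@v3` action and the bare `npm install` are reported; the digest-pinned image, the hash-checked install and the SHA-pinned action pass.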

Google also pointed out that a large number of the analysed projects aren’t continuously fuzzed, don’t define a security policy for reporting vulnerabilities, and don’t pin dependencies, all of which highlights the need to improve the security of these crucial projects and raise awareness of the widespread security risks.
