GitHub and Google Announce OpenSSF Scorecards V4 to Reduce Security Risks

GitHub and Google have announced version 4 of the Open Source Security Foundation (OpenSSF) Scorecard Project. It offers new security checks, a Scorecards GitHub action, and a major expansion to the project’s weekly scans of critical open source projects.

OpenSSF originally launched the Scorecard Project in 2020. The plan was to offer an automated security tool that creates security ratings for open-source projects and reduces the labor needed to maintain them securely. 

The tool provides a series of automatic scans that review a project’s security practices. They check for common vulnerabilities and security issues, like checked-in binaries or a lack of cryptographically signed releases.

Since the launch of Scorecards V2 in mid-2020, the project has “grown steadily to over 40 unique contributors and 18 implemented security checks,” according to a post on the V4 launch from Google Online Security Blog.

Screenshot of "add more scanning tools" UI

What Does Scorecards V4 Change for the Open Source Community?

One of the most significant changes in V4 is likely the new GitHub action. Open-source developers use it to automate the process of determining the security impact of any project change. This usually has to be done manually, so the action could save time and ensure developers consider the security implications of each change.

The action can be used in any public repository by following precise directions from the GitHub team.

The new security checks are also helpful for developers. V4 adds a handful of additional security checks, according to the OpenSSF blog post on security changes in the new version. They include the License check, “which detects the presence of a project license,” and the Dangerous-Workflow check, “which detects dangerous usage of the pull_request_target trigger and risks of script injections in GitHub workflows.”

According to the OpenSSF team, the Dangerous-Workflow check is the first one in the project to have a “Critical” risk level rating due to how easily an attacker can exploit these vulnerabilities. The new check informs developers of these issues and provides guidance on how they can be patched. This is a vital step in ensuring open-source software users keep their projects secure from hackers.
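The two patterns the Dangerous-Workflow check is described as looking for, as an added illustration that is not Scorecards’ own code: a small lint over two constructed workflow files, flagging a pull_request_target workflow that checks out the PR head and a run step that interpolates contributor-controlled event data (the list of untrusted expressions and the line-based parsing are simplified assumptions, not the project’s heuristics).

```python
import re

# Constructed sample workflows (not from the page): an unsafe one and a fixed one.
UNSAFE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "Title: ${{ github.event.pull_request.title }}"
"""

SAFE_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: echo "Title: $PR_TITLE"
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
"""

# Event fields an outside contributor controls (assumed, partial list).
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.event\.(pull_request\.(title|body|head\.ref)"
    r"|issue\.(title|body)|comment\.body)\s*\}\}")
# A checkout that pins the PR head inside a privileged workflow.
CHECKOUT_HEAD = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)")

def check_workflow(text: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings, lines = [], text.splitlines()
    uses_prt = any(re.match(r"\s*pull_request_target\s*:", ln) for ln in lines)
    if uses_prt and any(CHECKOUT_HEAD.search(ln) for ln in lines):
        findings.append("pull_request_target workflow checks out the PR head ref")
    key_indent = None  # indentation of the current 'run:' key, if inside one
    for no, ln in enumerate(lines, 1):
        indent = len(ln) - len(ln.lstrip())
        m = re.match(r"(\s*(?:-\s*)?)run:\s*(.*)", ln)
        if m:                       # start of a run step; inspect its first line
            key_indent, body = len(m.group(1)), m.group(2)
        elif key_indent is not None and ln.strip() and indent > key_indent:
            body = ln               # continuation of a multi-line 'run: |' block
        else:
            key_indent = None
            continue
        if UNTRUSTED.search(body):  # data lands in the shell, not in an env var
            findings.append(f"line {no}: untrusted event data interpolated into a run step")
    return findings
```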

Scorecards V4 also greatly expands the project’s weekly scans of important open-source projects. In the months leading up to the launch, the Scorecards team increased the scale of scans from 50,000 to 1 million projects. They were selected based on their likely importance using their number of direct dependencies. 

V4 also changes what information these scans provide. Instead of the pass-fail system previously used, V4 now grades scanned projects on a 1 to 10 scale for each repository. Scan results are available publicly through the Scorecards API or the OpenSSF metrics dashboard.

Screenshot showing high severity code scanning results

Scorecards V4 May Help Shore up Open Source Security

The new tools available in V4 will help developers of open-source projects ensure security much more easily. This protects the open-source community and the end-users of apps, services, and platforms that depend on its utilities. 

The general public is becoming savvier when it comes to cybersecurity. Around 84% of smartphone users list privacy and security as critical factors they consider before installing new apps. However, the wrong development practices can leave them vulnerable to attacks. 

Recent open-source security failures, like the log4j vulnerability discovered in January, have demonstrated that open-source security is more important than ever — and potentially a national security issue. At the same time, open-source developers often donate time and resources to the projects they work on. 

A project like Scorecards helps developers automate some of the labor-intensive aspects of open source security. These new checks and scans could help make security in open-source development much more feasible for project creators.

New Version of OpenSSF Scorecards Provides Security Tools for Open Source Developers

Open-source tools and projects are more important to cybersecurity than ever before. Significant exploits or vulnerabilities can threaten a massive number of individuals and major organizations. 

Implementing good security practices can be challenging, especially for open-source developers who are not necessarily receiving compensation for maintaining their projects. Tools like OpenSSF Scorecards can help automate some manual tasks needed to maintain a project’s security. Developers and the end-users that depend on open-source projects will gain significant safety benefits from these tools.

April Miller

April Miller is a staff writer at ReHack Magazine who specializes in AI and machine learning while writing on topics across the technology sphere. You can find her work on ReHack.com and by following ReHack's Twitter page.