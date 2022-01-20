



The Open Source Security Foundation (OpenSSF), GitHub, and Google announced the release of Scorecards V4 on Wednesday. The release includes a new Scorecards GitHub Action that makes it easier to scale the tool, along with new security checks and security automation.

OpenSSF released Scorecards in November 2020 to generate a "risk score" for open source projects and to reduce the effort required to continuously evaluate package changes when maintaining a project's supply chain. The result is an automated security tool that cuts down on that work.

Since Google and OpenSSF announced Scorecards V2 in July 2021, the Scorecards project has grown steadily, with over 40 unique contributors and 18 implemented security checks.

Released in partnership with GitHub, the Scorecards Action automates the process of determining whether changes to a project have affected its security. Previously, that evaluation had to be performed manually.

The Action is available from the GitHub Marketplace and is free to use. You can install it in any public repository by following these instructions.

"Since the July announcement of Scorecards V2, the Scorecards project, an automated security tool that flags high-risk supply chain practices for open source projects, has steadily grown to 18 unique contributors and 18 implemented security checks. A new Scorecards GitHub Action facilitates scaling, new security checks, and security automation," said Laurent Simon and Azeem Shaikh, members of the Google Open Source Security Team.

"The Scorecards Action is released in partnership with GitHub and is available from the GitHub Marketplace. This Action makes using Scorecards easier than ever. It runs automatically whenever the repository changes and warns developers about high-risk supply chain practices. Maintainers can view the alerts in the GitHub code scanning dashboard. It is available for free through GitHub Advanced Security in public and private repositories on GitHub.com."

They added that they have scaled their weekly Scorecards scans to over 1 million GitHub repositories and partnered with the Open Source Insights website to make the data easier for users to access.


In a blog post, the Open Source Security Foundation explained that the world runs on open source software, yet many open source projects do not enable branch protection, do not pin their dependencies, do not enable automatic dependency updates, and so on, which means a large share of projects engage in at least one risky practice.

"Scorecards makes it easy to evaluate a package before consuming it. Running a scan with a single line of code evaluates the project's individual security practices ('checks'), each with a score from 0 to 10, and returns an overall security score for the entire project. With today's release of the Scorecards GitHub Action, it's easier than ever for developers to understand their security posture," the organization said.

"The new Scorecards GitHub Action automates this process. Once installed, the Action performs a Scorecards scan after each change to the repository. Maintainers see a security alert in the GitHub code scanning dashboard describing the risks introduced by the change, and can fix the specific supply chain practices involved."

All alerts now include the severity of the risk, the file and line where the problem occurs, and the corrective steps needed to fix it. The latest release also adds a License check, which detects whether a project license exists, and a Dangerous-Workflow check, which detects dangerous use of the pull_request_target trigger and the risk of script injection in GitHub workflows.
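As an added illustration that is not from the article or the Scorecards project, the two workflow patterns the Dangerous-Workflow check is designed to flag, beside a safer equivalent; the workflow names, the npm steps and the echo step are constructed for the example.

```yaml
# Constructed example: the pattern the Dangerous-Workflow check flags.
# pull_request_target runs in the context of the base repository, with a
# write-capable GITHUB_TOKEN and access to repository secrets, yet this job
# checks out and executes code from the untrusted pull request head.
name: risky-ci
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted code
      - run: npm install && npm test                        # runs it with a write token
      # Script injection risk: the PR title is contributor-controlled text
      # that is interpolated directly into the shell script before it runs.
      - run: echo "Testing PR ${{ github.event.pull_request.title }}"
---
# Safer equivalent: the plain pull_request trigger gives fork PRs a read-only
# token and no secrets, the job requests only the permission it needs, and
# untrusted values reach the shell through an environment variable, which
# the shell treats as data rather than as script text.
name: safer-ci
on: pull_request
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: npm install && npm test
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Testing PR $PR_TITLE"
```

A repository that still needs pull_request_target (for example to label PRs) should keep such a job from checking out or running the PR's code at all.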

Many open source projects, including Envoy, distroless, cosign, rekor, and kaniko, have already adopted the Scorecards Action.

"Scorecards gives us the ability to quickly litmus test new dependencies on the Envoy project," said Harvey Tuch of Envoy.

"This is a valuable step in validating new dependencies for well-known attributes, and we have integrated Scorecards into our dependency acceptance criteria. Machine-checkable properties are an important part of a healthy security process."

