Google Scorecards

2021: Announcement of a free open source software tool for holes and obsolete code

In early July 2021, Google released the free Scorecards tool to check open software for holes and outdated code. It checks the code based on OpenSSF library scorecards and issues a "risk assessment" for open source programs.

Only a few organizations include systems to test open source for security issues, but even with sufficient resources, this turns into a tedious and error-prone process. The Scorecards v2 project, which includes new security checks and easier access to data for analysis, should improve security checks. For developers, such a system is invaluable: they will be able to automatically assess risks in order to make informed decisions about including code, finding alternative solutions or making improvements.

Google introduced a free Scorecards tool to check open software for holes and outdated code

The new version has added several new checks and the identification of malicious participants who may enter potential loopholes into the code. Using the new Branch-Protection scan, developers can verify that the project has been validated by another developer before being included in the code library. So far, only the repository administrator can perform this check due to restrictions. API GitHub

But even if developers and partners have made every effort to organize a safe space, bad code can get into the base and go unnoticed. Google notes the need for continuous phasing and static testing of code to help identify errors in the early stages of the development lifecycle. The Scorecards project checks whether phasing and SAST tools were used when code was included in the library. Scorecard also verifies that workflows GitHub follow the principle of minimum privileges, making tokens GitHub read-only by default. This prevents the attacker from accessing the privileged GitHub token, and with it the ability to send malicious code to the repository without checking.^[1]

Notes