Software supply chain attacks are becoming increasingly common, and attackers are targeting vulnerabilities in dependencies early in the supply chain to amplify the impact of their attacks. Dependency security is very much in the spotlight. It’s important to stay informed about the software projects you rely upon. But when you’re a software developer, you’re likely using a lot of code from lots of different sources. It’s an intimidating prospect to try to keep up with all the code you include in your own project. That’s where the OpenSSF Scorecard comes in.
The OpenSSF’s Scorecard project is an automated tool that assesses a software project’s security practices and risks. According to a recent report by Sonatype, a Scorecard score was one of the best indicators of whether a project had known vulnerabilities. Adopting Scorecard is a great first step to understanding the reliability of the software you use and improving your software supply chain security.
Scorecard is a set of benchmarks that allows you to quickly assess the risk associated with a code project based on best security practices. The aggregated project score, ranging from 0 to 10, provides an indication of how seriously a project appears to take security. This is critical for identifying vulnerable points in your supply chain. A dependency that doesn’t meet your own internal security standards may be the weakest link in your software.
Examining the individual scores for each of the 19 different Scorecard metrics tells you whether a project’s maintainers follow the practices that are most important to you. Does the project require code review when contributors make changes? Are branches protected against unauthorized deletion or changes? Are dependencies pinned, so that compromised version updates cannot be pushed without review? The Scorecard’s granularity in scoring individual best practices is similar to a good restaurant review that answers the question, “do I want to eat here?” Moreover, Scorecard provides project maintainers with a to-do list of actionable steps to improve security.
Open Source Insights
You can use Scorecard to evaluate someone else’s software, or you can use it to improve your own.
To see a project’s score quickly, you can visit Open Source Insights. This site uses Scorecard data to report on the health of dependencies. For anything not covered on Open Source Insights, you can use the Scorecard command-line utility to scan any project on GitHub, or you can run Scorecard locally:
$ scorecard --local . --show-details --format json | jq .
You can run Scorecard on your Git server or on local development machines and trigger it to run with a Git hook.
If your code is on GitHub, you can add the GitHub Scorecard Action to your repository. The GitHub Action runs a Scorecard scan after any repository change, so you get immediate feedback if a PR causes a regression in your project’s security. The results provide remediation tips and an indication of severity, enabling you to raise your score and secure your project.
The Scorecard API is a powerful tool that allows you to assess the rigor of a large number of open source projects quickly and easily. With this API, you can check the scores of over 1.25 million GitHub repositories that are scanned weekly. The API provides a wealth of information about the security practices of each project, allowing you to quickly identify vulnerabilities and take action to protect your software supply chain. This data can also be used to automate the process of judging software, making it easy to ensure that your software is always secure and up to date. Whether you’re a project owner or a consumer of open source software, the Scorecard API is an essential tool for ensuring the security and reliability of your code.
When you’ve made progress in improving your score, don’t forget to add a badge to showcase your hard work.
Currently, the OpenSSF Scorecard is becoming widely adopted, and as one of its developers, I’m excited about the future. If you try it out, don’t hesitate to contact us through the contact section of the repository and share your feedback.
Join the Scorecard crowd
The Scorecard crowd is growing, and many users are already benefiting from the tool. According to Chris Aniszczyk, CTO of the Cloud Native Computing Foundation, “CNCF uses Scorecards in a variety of its projects to improve security practices across the cloud native ecosystem.”
OpenSSF Scorecard is an automated and practical tool that enables you to assess the security of open source software and take steps to improve your software supply chain security. It’s an essential tool for ensuring that the software you’re using is safe and reliable.