The Google Security Blog has version 2.0 of Scorecards Sales. The new version of the automated security tool was developed in collaboration with the Open Source Security Foundation (OpenSSF), to whose basic members next to Microsoft, IBM and other companies also pays Google.
Scorecards 2.0 is to say according to Google, which has not now proposed a security framework against supply chain attacks, help identify security risks in open source projects by automatically creating a "risk score". This is to make developers facilitate the work by reducing the effort to carry out manual security conversions for changing packages within a supply chain.
New checks for additional security
Since the first release of the scorecards in autumn, a lot has happened, which concerns the trail of risks. In addition to an extended cover, additional checks are added as part of the Google principle "Know, Prevent, Fix" presented in February, including the new check Branch-Protection. With its help, developers can verify that code reviews are mandatory by another developer before a commit.
Since risky code can be found unnoticed, Google has also included checks whether to use fuzzing and static code analysis tools in the CI / CD system. Other new checks relate to use of Github Actions and the presence of binary artifacts.
So far, the Scorecards tool has a good 50.000 OPEN SOURCE projects analyzed. The evaluation of critical open source projects by scorecards is updated periodically and displayed in a weekly updated public bigquery record. The record is available via the command line Tool BG. For Kubernetes, the Scorecards data can be retrieved as follows:
$ BQ query –nouse_legacy_sql ‘SELECT repo, date, checks from openSSSF.scorecardcron.scorecard_latest where repo ="github.COM / KUBERNETES / KUBERNETES""
Interested parties can replace the URL by their own project. Alternatively, you can retrieve an overview of all analyzed projects, as the Scorecard Repository describes on GitHub.
Currently, 23 developers contribute to scorecards, and further suggestions are available. Further new features are already planned for the future, including Scorecards Badges, which should display a scorecards compliance, as well as integration with CI / CD and Github code scanning results.
All other information about the Scorecards project can be found on Github, where it is under Apache-2.0 license is available.