Google doubles down on program to score the security risk of open source software

Scorecards project helps fumigate the open source software supply chain

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Googleand the Open Source Security Foundation (OpenSSF) have announced a major update to Scorecards, an automated security tool that produces a “risk score” foropen sourceprojects based on a multi-criteria evaluation.

The OpenSSF launched the Scorecards project last fall in a bid to evaluate and identify the security weaknesses in open source projects.

“Today, in collaboration with the Open Source Security Foundation community, we are announcingScorecards v2. We have added new security checks, scaled up the number of projects being scored, and made this data easily accessible for analysis,” wrote members of the Google Open Source Security Team in a blog post.

We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

Click here to start the survey in a new window«

According to Google, the Scorecards project has evaluated security criteria for over 50,000 open source projects to date. In fact, this data is used by the recently announced GoogleOpen Source Insights projectand is also showcased as part of theOpenSSF Security Metrics project.

New features

With the increased dependency on open source software, the Scorecards project was conceptualized to help reduce the effort required to maintain sanitized software supply chains.

To that end, several new checks have been added following theKnow, Prevent, Fix frameworkGoogle proposed earlier this year.

Scorecards v2 can now verify whether a project enforces mandatory security reviews from other developers before committing the code. The new version of the tool also has checks to detect if a project uses Fuzzing and SAST tools as part of their CI/CD system, since these can be used to catch bugs early in the development lifecycle.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

As they run through the new features in Scorecard v2, the Google developers note that the tools’ Token-Permissions prevention check now verifies that the GitHub workflows follow the principle of least privilege by making GitHub tokens read-only by default.

Vulnerabilities in open source projects pose a great security threat for all businesses according to arecent survey, and Scorecards v2 will help flag any issues before software is taken up as a dependency.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

This dangerous new malware is hitting Windows devices by hiding in games

Windows PCs targeted by new malware hitting a vulnerable driver

Steps to take when your phone number is publicly listed online