The latest version of Google's Scorecards tool scans open-source software for a wider range of security risks. The automated tool produces risk scores for open-source projects, and its improved checks and capabilities make the data it generates easier to access and analyze.
Google's open-source security team wrote in a blog post: “With so much software today relying on open-source projects, consumers need an easy way to judge whether their dependencies are safe. Scorecards help to reduce the toil and manual effort required to continually evaluate changing packages when maintaining a project’s supply chain.”
Scorecards automates analysis of the security posture of open-source projects, producing security health metrics that maintainers and consumers can use to proactively improve critical projects. The updated tool now evaluates its security criteria against over 50,000 open-source projects.
The latest version adds checks aimed at contributions from malicious authors or compromised accounts, which can introduce backdoors into code. Other new checks look for the use of fuzzing (e.g., OSS-Fuzz) and static analysis tools (e.g., CodeQL), for signs of CI/CD compromise, and for unsafe dependencies.
The blog post goes on to say: “Pinning dependencies is useful everywhere we have dependencies: not just during compilation, but also in Dockerfiles, CI/CD workflows, etc. Scorecards checks for these anti-patterns with the Frozen-Deps check. This check is helpful for mitigating against malicious dependency attacks such as the recent Codecov attack.”
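To make the anti-patterns concrete, the following is a small added example (written for this article, not Scorecards' own code, which is a far more thorough Go implementation) of the kind of scan the Frozen-Deps check performs. It walks a constructed Dockerfile, GitHub Actions workflow and pip requirements file and flags base images without a `@sha256:` digest, actions referenced by a movable tag instead of a 40-hex-digit commit SHA, and packages without an exact `==` version. The file names, the sample contents and the commit hash in the workflow are all made up for the example.

```python
"""Toy Frozen-Deps style scan: flag unpinned dependencies in build and CI files.
Added example for this article; not Scorecards' own (Go) implementation."""
import re
from typing import List, Tuple

# A finding is (file label, 1-based line number, message).
Finding = Tuple[str, int, str]

# Constructed sample inputs. The 40-hex-digit value on the setup-go line is a
# made-up commit hash, not a real actions/setup-go commit.
DOCKERFILE = """\
FROM python:3.9-slim
RUN pip install requests
RUN pip install cryptography==3.4.7
COPY . /app
"""

WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@d2c3fd9f1fa4fb1bed5e1c5ab6a5ec2c0a0e2f5d
      - run: go test ./...
"""

REQUIREMENTS = """\
requests
urllib3>=1.26
pyyaml==5.4.1
"""

COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full git commit hash
IMAGE_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")  # OCI image digest


def _pip_args_pinned(args: List[str]) -> bool:
    """True when every package argument of a `pip install` carries `==`.
    Flags are skipped; -r/-c consume the following filename, which is
    checked separately by check_requirements."""
    skip_next = False
    for tok in args:
        if skip_next:
            skip_next = False
            continue
        if tok in ("-r", "-c", "--requirement", "--constraint"):
            skip_next = True
            continue
        if tok.startswith("-"):
            continue
        if "==" not in tok:
            return False
    return True


def check_dockerfile(text: str, label: str = "Dockerfile") -> List[Finding]:
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.upper().startswith("FROM "):
            # Drop flags such as --platform=...; the image is the next token.
            tokens = [t for t in line.split()[1:] if not t.startswith("--")]
            image = tokens[0] if tokens else ""
            if image != "scratch" and not IMAGE_DIGEST_RE.search(image):
                findings.append((label, n, f"base image not pinned by digest: {image}"))
        if "pip install" in line:
            # Only look at the first shell command on the line.
            rest = re.split(r"&&|\|\||;", line.split("pip install", 1)[1])[0]
            if not _pip_args_pinned(rest.split()):
                findings.append((label, n, "pip install without exact version pin"))
    return findings


def check_workflow(text: str, label: str = ".github/workflows/ci.yml") -> List[Finding]:
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lstrip("- ").strip()
        if not line.startswith("uses:"):
            continue
        ref = line[len("uses:"):].strip().strip("'\"")
        if ref.startswith("./"):
            continue  # local action in the same repository: nothing to pin
        if ref.startswith("docker://"):
            pinned = bool(IMAGE_DIGEST_RE.search(ref))
        else:
            _, _, version = ref.rpartition("@")  # '' when there is no @ref
            pinned = bool(COMMIT_SHA_RE.match(version))
        if not pinned:
            findings.append((label, n, f"action not pinned to a commit SHA: {ref}"))
    return findings


def check_requirements(text: str, label: str = "requirements.txt") -> List[Finding]:
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or option line such as -r / --index-url
        if "==" not in line:
            findings.append((label, n, f"requirement not pinned to an exact version: {line}"))
    return findings


def run_all() -> List[Finding]:
    """Scan the three constructed inputs and return every finding in file order."""
    return (check_dockerfile(DOCKERFILE)
            + check_workflow(WORKFLOW)
            + check_requirements(REQUIREMENTS))


if __name__ == "__main__":
    for label, n, msg in run_all():
        print(f"{label}:{n}: {msg}")
```

The distinction the workflow check draws is the one that matters for Codecov-style attacks: a tag such as `v2` or an image tag such as `3.9-slim` can be moved to point at new, possibly malicious, content after you reviewed it, while a commit SHA or an image digest cannot. Pinning only helps if the pinned values are then kept current through reviewed updates, which is why the check is a complement to, not a substitute for, dependency review.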
According to Google, a large number of the analyzed projects are not continuously fuzzed, have no defined security policy for reporting vulnerabilities, and do not pin their dependencies. The results underscore the need to improve the security of these critical projects and to raise awareness of how widespread such risks are.
A few weeks earlier, Google previewed an end-to-end framework called “Supply chain Levels for Software Artifacts” (SLSA) for ensuring the integrity of software artifacts and preventing unauthorized modification throughout the development and deployment pipeline. The release of Scorecards v2 is a further sign of how seriously Google is taking supply-chain security.