What is Open SSF Scorecard
OpenSSF Scorecard is an initiative by the Open Source Security Foundation (OpenSSF) that evaluates the security practices of open-source projects. It provides an automated tool and a set of best practices to help developers and organizations assess the security health of an open-source project.
What are the metrics evaluated.
The scorecard evaluates various dimensions of security, such as:
- Branch Protection: Ensures changes are reviewed before being merged.
- Dependency Updates: Checks whether dependencies are actively updated.
- Vulnerability Detection: Looks at how issues like vulnerabilities are tracked and addressed.
- Security Policies: Assesses the presence of a well-defined security policy for reporting vulnerabilities.
- Code Review: Verifies if code changes are peer-reviewed.
How Does OpenSSF Scorecard Help in Securing Open-Source Libraries?
How Does OpenSSF Scorecard Help in Securing Open-Source Libraries?
Improved Visibility of Risks:
- Provides a transparent view of a project’s security posture.
- Identifies potential weaknesses, such as unreviewed changes or outdated dependencies.
Guidance on Best Practices:
- Encourages adoption of secure coding practices and modern tools.
- Highlights specific actions to improve security, such as enabling automated dependency updates.
Enhanced Trustworthiness:
- A high score indicates the project is actively maintained and follows secure practices, making it safer to integrate.
Continuous Monitoring:
- The tool can be run periodically to monitor the security status of dependencies over time.
Informed Decision-Making:
- Developers and organizations can prioritize libraries with higher scores when selecting dependencies.
How to Use OpenSSF Scorecard
- Install the Tool:
- Available via GitHub as a command-line tool.
- Example command:
scorecard --repo=github.com/<project>
- Review Results:
- Analyze the detailed report to identify strengths and areas for improvement.
- Integrate into CI/CD:
- Automate security checks by integrating the tool into your CI/CD pipelines.
Details of the checks.
| Name | Description | Risk Level | Token Required | GitLab Support | Note |
|---|---|---|---|---|---|
| Binary-Artifacts | Is the project free of checked-in binaries? | High | PAT, GITHUB_TOKEN | Supported | |
| Branch-Protection | Does the project use Branch Protection? | High | PAT (repo or repo > public_repo), GITHUB_TOKEN | Supported (see notes) | Certain settings are only supported with a maintainer PAT |
| CI-Tests | Does the project run tests in CI, e.g. GitHub Actions, Prow? | Low | PAT, GITHUB_TOKEN | Supported | |
| CII-Best-Practices | Has the project earned an OpenSSF (formerly CII) Best Practices Badge? | Low | PAT, GITHUB_TOKEN | Validating | |
| Code-Review | Does the project practice code review before code is merged? | High | PAT, GITHUB_TOKEN | Validating | |
| Contributors | Does the project have contributors from at least two different organizations? | Low | PAT, GITHUB_TOKEN | Validating | |
| Dangerous-Workflow | Does the project avoid dangerous coding patterns in GitHub Action workflows? | Critical | PAT, GITHUB_TOKEN | Unsupported | |
| Dependency-Update-Tool | Does the project use tools to help update its dependencies? | High | PAT, GITHUB_TOKEN | Unsupported | |
| Fuzzing | Does the project use fuzzing tools, e.g. OSS-Fuzz, QuickCheck, or fast-check? | Medium | PAT, GITHUB_TOKEN | Validating | |
| License | Does the project declare a license? | Low | PAT, GITHUB_TOKEN | Validating | |
| Maintained | Is the project at least 90 days old, and maintained? | High | PAT, GITHUB_TOKEN | Validating | |
| Pinned-Dependencies | Does the project declare and pin dependencies? | Medium | PAT, GITHUB_TOKEN | Validating | |
| Packaging | Does the project build and publish official packages from CI/CD? | Medium | PAT, GITHUB_TOKEN | Validating | |
| SAST | Does the project use static code analysis tools, e.g. CodeQL or SonarCloud? | Medium | PAT, GITHUB_TOKEN | Unsupported | |
| Security-Policy | Does the project contain a security policy? | Medium | PAT, GITHUB_TOKEN | Validating | |
| Signed-Releases | Does the project cryptographically sign releases? | High | PAT, GITHUB_TOKEN | Validating | |
| Token-Permissions | Does the project declare GitHub workflow tokens as read-only? | High | PAT, GITHUB_TOKEN | Unsupported | |
| Vulnerabilities | Does the project have unfixed vulnerabilities? Uses the OSV service. | High | PAT, GITHUB_TOKEN | Validating | |
| Webhooks | Does the webhook defined in the repository have a token configured? | Critical |