Google has launched an updated version of Scorecards, its automated security tool that produces a "risk score" for open source projects, with improved checks and capabilities that make the data generated by the tool accessible for analysis.
"With so much software today relying on open-source projects, consumers need an easy way to judge whether their dependencies are safe," Google's Open Source Security Team said Thursday. "Scorecards helps reduce the toil and manual effort required to continually evaluate changing packages when maintaining a project's supply chain."
Scorecards aims to automate analysis of the security posture of open source projects, and to use the resulting security health metrics to proactively improve the posture of other critical projects. To date, the tool has been scaled up to evaluate security criteria for over 50,000 open source projects.
Some of the new additions include checks for contributions from malicious authors or compromised accounts that could introduce backdoors into code, for the use of fuzzing (e.g., OSS-Fuzz) and static code analysis tools (e.g., CodeQL), for indicators of CI/CD compromise, and for risky dependencies.
"Pinning dependencies is useful everywhere we have dependencies: not just during compilation, but also in Dockerfiles, CI/CD workflows, etc.," the team said. "Scorecards checks for these anti-patterns with the Frozen-Deps check. This check is helpful for mitigating against malicious dependency attacks such as the recent CodeCov attack."
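To make the anti-pattern concrete: a GitHub Actions step that references `actions/checkout@v2` or a Dockerfile that starts `FROM python:3.9` is not pinned, because a git tag or branch can be moved and an image tag can be re-pushed, whereas a full commit SHA or an image content digest cannot change without the reference changing. A `run:` step that does `curl ... | bash` is the same problem in its purest form: whatever the remote host serves at build time is executed. The script below is an added illustration written for this article, not Scorecards' own code; it implements a minimal Frozen-Deps-style check over a workflow file and a Dockerfile. The sample inputs and the 40-character and 64-character hexadecimal pins are constructed placeholders, not real commits or image digests.

```python
"""Toy Frozen-Deps-style check: flag dependencies in a GitHub Actions
workflow and a Dockerfile that are not pinned to an immutable identifier.

Added illustration for this article, not Scorecards' own code. The input
files and the placeholder pins are constructed for the example.
"""
import re

# A git tag or branch ("v2", "main") can be moved; a full commit SHA cannot.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# An image tag ("3.9") can be re-pushed; a content digest cannot.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# "curl ... | bash" executes whatever the remote host serves at build time.
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba)?sh\b")

# Placeholders only: not a real commit SHA or image digest.
PLACEHOLDER_SHA = "0123456789abcdef" * 2 + "01234567"   # 40 hex chars
PLACEHOLDER_DIGEST = "0123456789abcdef" * 4             # 64 hex chars

# Constructed sample inputs (not taken from any real project).
WORKFLOW_UNPINNED = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@main
      - run: curl -s https://codecov.example/bash | bash
"""

WORKFLOW_PINNED = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA} # v2.4.0 (placeholder pin)
      - uses: ./.github/actions/local-lint
      - run: go test ./...
"""

DOCKERFILE_UNPINNED = """\
FROM golang:1.17 AS builder
COPY . /src
RUN cd /src && go build -o /app ./cmd/app
FROM --platform=linux/amd64 alpine:3.14
COPY --from=builder /app /app
"""

DOCKERFILE_PINNED = f"""\
FROM golang:1.17@sha256:{PLACEHOLDER_DIGEST} AS builder
COPY . /src
RUN cd /src && go build -o /app ./cmd/app
FROM alpine:3.14@sha256:{PLACEHOLDER_DIGEST}
COPY --from=builder /app /app
"""


def find_unpinned_actions(workflow_text):
    """Return (line_no, finding) for each unpinned `uses:` or piped `run:` step."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        uses = re.search(r"\buses:\s*([^\s#]+)", line)
        if uses:
            ref = uses.group(1)
            # Local actions (./path) and docker:// images are out of scope here.
            if ref.startswith("./") or ref.startswith("docker://"):
                continue
            _, _, version = ref.partition("@")
            if not FULL_SHA_RE.match(version):
                findings.append((line_no, f"unpinned action {ref}"))
            continue
        run = re.search(r"\brun:\s*(.+)", line)
        if run and PIPE_TO_SHELL_RE.search(run.group(1)):
            findings.append((line_no, "remote script piped into a shell"))
    return findings


def find_unpinned_images(dockerfile_text):
    """Return (line_no, finding) for each FROM line pinned by tag rather than digest."""
    findings = []
    stages = set()  # names declared with "AS <name>"; later FROM <name> is not an image pull
    for line_no, line in enumerate(dockerfile_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() != "FROM":
            continue
        tokens = [t for t in parts[1:] if not t.startswith("--")]  # drop --platform=...
        image = tokens[0]
        for i, tok in enumerate(tokens):
            if tok.upper() == "AS" and i + 1 < len(tokens):
                stages.add(tokens[i + 1])
        if image.lower() == "scratch" or image in stages:
            continue
        if not DIGEST_RE.search(image):
            findings.append((line_no, f"image {image} pinned by tag, not by digest"))
    return findings


if __name__ == "__main__":
    for name, text, check in [
        ("workflow (unpinned)", WORKFLOW_UNPINNED, find_unpinned_actions),
        ("workflow (pinned)", WORKFLOW_PINNED, find_unpinned_actions),
        ("Dockerfile (unpinned)", DOCKERFILE_UNPINNED, find_unpinned_images),
        ("Dockerfile (pinned)", DOCKERFILE_PINNED, find_unpinned_images),
    ]:
        print(name, check(text) or "OK")
```

The check deliberately treats only a full 40-character commit SHA or a `sha256` digest as a pin; a version tag on its own gives no integrity guarantee, so a trailing `# v2.4.0` comment is kept for humans while the SHA is what the runner resolves. The Dockerfile scanner also skips `FROM <stage>` references to a previously declared build stage, which are not image pulls and would otherwise be false positives.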
Google also noted that many of the analyzed projects are not continuously fuzzed, do not define a security policy for reporting vulnerabilities, and do not pin their dependencies, underscoring the need to improve the security of these critical projects and to raise awareness of the common security risks.
The release of Scorecards v2 comes weeks after the company previewed an end-to-end framework called "Supply chain Levels for Software Artifacts" (SLSA) to ensure the integrity of software artifacts and prevent unauthorized modifications over the course of the development and deployment pipeline.