Software provide chain assaults have gotten more and more frequent, and attackers are concentrating on vulnerabilities in dependencies early within the provide chain to amplify the affect of their assaults. Dependency safety may be very a lot within the highlight. It’s essential to remain knowledgeable in regards to the software program initiatives you depend upon. But once you’re a software program developer, you’re possible utilizing quite a lot of code from a lot of totally different sources. It’s an intimidating prospect to attempt to sustain with all of the code you embrace in your personal venture. That’s the place the OpenSSF Scorecard is available in.
The OpenSSF’s Scorecard venture is an automatic instrument that assesses a software program venture’s safety practices and dangers. According to a current report by Sonatype, a Scorecard rating was probably the greatest indicators of whether or not a venture had recognized vulnerabilities. Adopting Scorecard is a superb first step to understanding the reliability of the software program you utilize and enhancing your software program provide chain safety.
Scorecard is a set of benchmarks that means that you can rapidly assess the chance related to a code venture primarily based on greatest safety practices. The aggregated venture rating, starting from 0 to 10, supplies a sign of how severely a venture seems to take safety. This is crucial for figuring out weak factors in your provide chain. A dependency that doesn’t meet your personal inside safety requirements will be the weakest hyperlink in your software program.
Examining the person scores for every of the 19 totally different Scorecard metrics tells you whether or not a venture’s maintainers comply with the practices which can be most essential to you. Does the venture require code evaluate when contributors make adjustments? Are branches protected towards unauthorized deletion or adjustments? Are dependencies pinned, in order that compromised model updates can’t be pushed with out evaluate? The Scorecard’s granularity in scoring particular person greatest practices is just like an excellent restaurant evaluate that solutions the query, “do I want to eat here?” Moreover, Scorecard supplies venture maintainers with a to-do listing of actionable steps to enhance safety.
Open Source Insights
You can use Scorecard to guage another person’s software program, or you should utilize it to enhance your personal.
To see a venture’s rating rapidly, you may go to Open Source Insights. This website makes use of Scorecard knowledge to report on the well being of dependencies. For something not coated on Open Source Insights, you should utilize the Scorecard command-line utility to scan any venture on GitHub, or you may run Scorecard domestically:
$ scorecard --local . --show-details --format json | jq .
You can run Scorecard in your Git server or on native improvement machines and set off it to run with a Git hook.
GitHub Action
If your code is on GitHub, you may add the GitHub Scorecard Action to your repository. The GitHub Action runs a Scorecard scan after any repository change, so that you get speedy suggestions if a PR causes a regression in your venture’s safety. The outcomes present remediation ideas and a sign of severity, enabling you to lift your rating and safe your venture.
(Naveen Srinivasan, CC BY-SA 4.0)
Scorecard API
The Scorecard API is a strong instrument that means that you can assess the rigor of numerous open supply initiatives rapidly and simply. With this API, you may verify the scores of over 1.25 million GitHub repositories which can be scanned weekly. The API supplies a wealth of details about the safety practices of every venture, permitting you to rapidly establish vulnerabilities and take motion to guard your software program provide chain. This knowledge can be used to automate the method of judging software program, making it straightforward to make sure that your software program is all the time safe and updated. Whether you’re a venture proprietor or a client of open supply software program, the Scorecard API is a necessary instrument for making certain the safety and reliability of your code.
When you’ve made progress in enhancing your rating, don’t overlook so as to add a badge to showcase your onerous work.
Currently, the OpenSSF Scorecard is changing into extensively adopted, and as certainly one of its builders, I’m excited in regards to the future. If you strive it out, don’t hesitate to contact us by means of the contact part of the repository and share your suggestions.
Join the Scorecard crowd
The Scorecard crowd is rising, and plenty of customers are already benefiting from the instrument. According to Chris Aniszczyk, CTO of the Cloud Native Computing Foundation, “CNCF uses Scorecards in a variety of its projects to improve security practices across the cloud native ecosystem.”
OpenSSF Scorecard is an automatic and sensible instrument that lets you assess the safety of open supply software program and take steps to enhance your software program provide chain safety. It’s a necessary instrument for making certain that the software program you’re utilizing is secure and dependable.
