Google doubles down on program to score the security risk of open source software

News
By published

Scorecards project helps fumigate the open source software supply chain

security
(Image credit: Shutterstock)

Google and the Open Source Security Foundation (OpenSSF) have announced a major update to Scorecards, an automated security tool that produces a “risk score” for open source projects based on a multi-criteria evaluation.

The OpenSSF launched the Scorecards project last fall in a bid to evaluate and identify the security weaknesses in open source projects.

“Today, in collaboration with the Open Source Security Foundation community, we are announcing Scorecards v2. We have added new security checks, scaled up the number of projects being scored, and made this data easily accessible for analysis,” wrote members of the Google Open Source Security Team in a blog post.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

>> Click here to start the survey in a new window <<

According to Google, the Scorecards project has evaluated security criteria for over 50,000 open source projects to date. In fact, this data is used by the recently announced Google Open Source Insights project and is also showcased as part of the OpenSSF Security Metrics project.

New features

With the increased dependency on open source software, the Scorecards project was conceptualized to help reduce the effort required to maintain sanitized software supply chains.

To that end, several new checks have been added following the Know, Prevent, Fix framework Google proposed earlier this year.

Scorecards v2 can now verify whether a project enforces mandatory security reviews from other developers before committing the code. The new version of the tool also has checks to detect if a project uses Fuzzing and SAST tools as part of their CI/CD system, since these can be used to catch bugs early in the development lifecycle.

As they run through the new features in Scorecard v2, the Google developers note that the tools’ Token-Permissions prevention check now verifies that the GitHub workflows follow the principle of least privilege by making GitHub tokens read-only by default.

Vulnerabilities in open source projects pose a great security threat for all businesses according to a recent survey, and Scorecards v2 will help flag any issues before software is taken up as a dependency.

TOPICS
Mayank Sharma
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Read more
An Android phone being held in the hand
Google is ramping up Android security protection with new Android app safety tools
A hand reaching out to touch a futuristic rendering of an AI processor.
Google Cloud unveils new AI Protection security tools, no matter which model you use
Holographic representation of cloud computing over open businessman&#039;s hand
Businesses are struggling to address vulnerabilities hidden in phantom dependencies
coding
Popular open source vulnerability scanner Nuclei forced to patch worrying security flaw
Security
Removing software supply chain blind spots that put public sector organizations at risk
Shadowed hands on a digital background reaching for a login prompt.
A flaw in Google OAuth system is exposing millions of users via abandoned accounts
Latest in Security
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
UK Prime Minister Sir Kier Starmer
The UK releases timeline for migration to post-quantum cryptography
Representational image depecting cybersecurity protection
Cisco smart licensing system sees critical security flaws exploited
Latest in News
L-mount alliance
Sirui joins L-Mount Alliance to deliver its superb budget lenses for Leica, DJI, Sigma and Panasonic cameras
Security padlock and circuit board to protect data
Trust in digital services around the world sees a massive drop as security worries continue
Samuel and Romy standing very close together in A24&#039;s Babygirl movie
Everything new on Max in April 2025, including A24's Babygirl and The Last of Us season 2
An AMD Radeon RX 9070 XT made by Sapphire on a table with its retail packaging
AMD’s secret weapon against Nvidia seems to be stock – way more RX 9070 GPUs are rumored to be hitting shelves than RTX 5000 models
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
Seth Milchick and Kier Eagan&#039;s animatronic speaking in Severance season 2 episode 10
Apple TV+ announces Severance has been renewed for season 3 after that devastating finale
More about security
Hacker silhouette working on a laptop with North Korean flag on the background

North Korea unveils new military unit targeting AI attacks

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)

This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
ChatGPT search extension in Chrome.

What is Rawbot? Everything we know about the AI comparison tool

See more latest
Most Popular
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
Gemma staring at something off-camera in Severance season 2 episode 10
'Everyone is going to be so torn': Severance star Dichen Lachman reacts to the popular Apple TV+ show's most 'intense' season 2 finale event
L-mount alliance
Sirui joins L-Mount Alliance to deliver its superb budget lenses for Leica, DJI, Sigma and Panasonic cameras
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Security padlock and circuit board to protect data
Trust in digital services around the world sees a massive drop as security worries continue
Samuel and Romy standing very close together in A24&#039;s Babygirl movie
Everything new on Max in April 2025, including A24's Babygirl and The Last of Us season 2
An AMD Radeon RX 9070 XT made by Sapphire on a table with its retail packaging
AMD’s secret weapon against Nvidia seems to be stock – way more RX 9070 GPUs are rumored to be hitting shelves than RTX 5000 models
AMD Ryzen AI
New leak suggests AMD's working on an Arm-based processor to rival Qualcomm's Snapdragon X series
Representational image depecting cybersecurity protection
Cisco smart licensing system sees critical security flaws exploited
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Saturday, March 22 (game #384)