SupplyChainSecurityCon 2022

Open source demand continues to explode. Developers worldwide will request open-source packages, representing a 73% YoY growth in developer downloads of open source components. Yet, even though projects have their code open-source, the processes used to run, test, and maintain these are less known. For example, do you know if the log4j project has code reviews to reduce the likelihood of dangerous code being introduced in the codebase? How about the npm-color project? This lack of transparency makes it challenging for project consumers, including large companies, to assess the risk and make informed decisions about their use and maintenance of open-source components. In this talk, we will introduce a tool developed by the OpenSSF: Scorecards. Scorecards is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of a project or a dependency. Since it's v4 release in January 2022, Scorecards has been installed on over 800 GitHub repositories as of March 2022, and is recommended by the GitHub documentation to harden workflows.

Dates

Author

Conferences

Tags

Assessing the Risk of Open-source Components Using OpenSSF's Scorecard

tldr - powered by Generative AI