
Developers: This is Google’s new idea for keeping your open-source projects secure

Scorecards provides an assessment of open-source packages, which developers can use to judge whether they are safe to introduce into their projects or systems.



Bringing unknown code into software can be risky, which is why Google is introducing a new scorecard system to help developers assess the risk of open-source dependencies before adding them to their systems.


Scorecards is one of the first projects to have been released under the Open Source Security Foundation (OpenSSF), established in August this year to unite leaders across industries to enhance open-source software (OSS) security. The system is intended to help developers assess the risk level of a software package by automatically generating a ‘security score’ that can aid the decision-making process.


As explained by Google, Scorecards defines initial evaluation criteria that are used to generate a scorecard for an open-source project. Developers can then decide if the package has the appropriate trust and risk level for their use case, and if not, put it through additional evaluation.

Evaluation metrics used to assess packages include a “well-defined” security policy, a code review process, and continuous test coverage with fuzzing and static-code analysis tools.

Ultimately, Scorecards aims to improve visibility in open-source security, coming at a time when attacks on open-source platforms are on the rise. It should also be a boon to organizations trying to scale out automated analysis and trust decisions for any new dependencies, Google explained on its Open Source Blog.

At the moment, developers and open-source projects in general are resource-limited, meaning security too often ends up as an afterthought, leaving the door open to risks of attack.

Scorecards is in its early stages, and currently only works with software repositories from GitHub. Kim Lewandowski, Google product manager, said support would be extended to cover other open-source repositories in time.

Lewandowski added: “Using the scorecard data, we want to build a culture of security through improved visibility. We want to work with the community and improve the security health of the critical projects we all depend on.”
