OpenSSF Scorecard - Security health metrics for Open Source
Go to file
Aiden Wang 64cd05310b
Support user-defined fuzz functions (GoLang) in fuzzing check (#1979)
* temp save 05262022

* finished golang fuzz func check, getLang interface to be done next week

* temp save 05/31/2022

* temp save 06/01/2022

* temp save-2 06/01/2022

* temp save-1 06032022

* temp save-2 06022022

* temp save

* temp save 06032022

* temp save 06032022 (2)

* update err def

* temp save 3

* update docs for fuzzing

* update docs for fuzzing

* update checks.yaml to gen docs

* temp save 0606

* temp save-2 0606

* temp save-3 0606

* temp save-4 0606

* fix linter errors

* fix linter errs-2

* fix e2e errors

* 0608

* 0608-2

Co-authored-by: Aiden Wang <aidenwang@google.com>
2022-06-08 19:17:51 -07:00
.github SLSA provenance/build (#1702) 2022-06-08 09:54:09 -07:00
artwork Add and use compressed Scorecard logos (#1492) 2022-01-19 18:08:35 +00:00
checker Support user-defined fuzz functions (GoLang) in fuzzing check (#1979) 2022-06-08 19:17:51 -07:00
checks Support user-defined fuzz functions (GoLang) in fuzzing check (#1979) 2022-06-08 19:17:51 -07:00
clients Support user-defined fuzz functions (GoLang) in fuzzing check (#1979) 2022-06-08 19:17:51 -07:00
cloudbuild Fix bug in Scorecard tag Docker image creation (#1890) 2022-05-06 20:38:19 +00:00
cmd 📖 Fix command Usage (#1814) 2022-05-09 10:23:13 -04:00
cron Support user-defined fuzz functions (GoLang) in fuzzing check (#1979) 2022-06-08 19:17:51 -07:00
docs Support user-defined fuzz functions (GoLang) in fuzzing check (#1979) 2022-06-08 19:17:51 -07:00
e2e Support user-defined fuzz functions (GoLang) in fuzzing check (#1979) 2022-06-08 19:17:51 -07:00
errors Only run allowed checks in different modes (#1579) 2022-02-07 16:49:49 -08:00
log Split NewLogger into two so we can use a custom logrus instance. 2022-04-13 11:31:06 -05:00
options 🐛 Remove Options that belong to the Action (#1898) 2022-05-09 19:40:15 +00:00
pkg Support user-defined fuzz functions (GoLang) in fuzzing check (#1979) 2022-06-08 19:17:51 -07:00
policy Miscellaneous refactors to ease downstream consumption (#1645) 2022-02-27 02:09:21 +00:00
remediation Raw results for Pinned-Dependencies (#1932) 2022-06-06 14:31:22 -07:00
scripts pkg: refactor out scorecard_version 2022-05-10 09:51:55 -05:00
stats Remove Repo CPU runtime stat logging (#1186) 2021-10-29 04:37:44 +00:00
tools 🌱 Bump github.com/golangci/golangci-lint in /tools (#1924) 2022-05-22 14:53:42 +00:00
utests Raw results for Pinned-Dependencies (#1932) 2022-06-06 14:31:22 -07:00
.codecov.yml 🌱 Ignore mock clients for code coverage 2022-03-09 14:21:20 -06:00
.gitignore Move the cron job to internal package (#1960) 2022-05-25 15:37:22 -07:00
.golangci.yml 🌱 Bump github.com/golangci/golangci-lint from 1.44.2 to 1.45.0 in /tools (#1757) 2022-03-23 02:23:39 +00:00
.goreleaser.yml SLSA provenance/build (#1702) 2022-06-08 09:54:09 -07:00
.ko.yaml 🐛 Fix ko build workflows in Makefile (#1392) 2021-12-15 10:35:07 -06:00
.slsa-goreleaser.yml SLSA provenance/build (#1702) 2022-06-08 09:54:09 -07:00
CODE_OF_CONDUCT.md updating code of conduct to match ossfs (#42) 2020-11-05 14:13:16 -06:00
codeql.js 🌱 Included codeql check for GitHub Actions (#988) 2021-09-09 23:02:11 +00:00
CONTRIBUTING.md Fix cron related documentation (#1986) 2022-06-07 20:12:28 +02:00
Dockerfile 🌱 Bump distroless/base from 764b74b to d65ac1a 2022-05-20 01:41:04 +00:00
go.mod 🌱 Bump github.com/caarlos0/env/v6 from 6.9.2 to 6.9.3 2022-05-31 11:35:07 +00:00
go.sum Raw results for Pinned-Dependencies (#1932) 2022-06-06 14:31:22 -07:00
LICENSE Add license header and code of conduct files. (#34) 2020-10-26 15:22:13 -05:00
main.go cmd: Allow new scorecard to be instantiated with options (#1703) 2022-03-03 01:38:34 +00:00
Makefile Move the cron job to internal package (#1960) 2022-05-25 15:37:22 -07:00
README.md SLSA provenance/build (#1702) 2022-06-08 09:54:09 -07:00
SECURITY.md Add SECURITY.md 2021-02-13 14:53:06 -05:00

Security Scorecards

OpenSSF Best Practices build CodeQL Go Reference Go Report Card codecov Slack

Overview

Using Scorecards

Checks

Contribute



Overview

What is Scorecards?

We created Scorecards to give consumers of open-source projects an easy way to judge whether their dependencies are safe.

Scorecards is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.

The inspiration for Scorecards logo: "You passed! All D's ... and an A!"

Project Goals

  1. Automate analysis and trust decisions on the security posture of open source projects.

  2. Use this data to proactively improve the security posture of the critical projects the world depends on.

Prominent Scorecards Users

Scorecards has been run on thousands of projects to monitor and track security metrics. Prominent projects that use Scorecards include:

Public Data

We run a weekly Scorecards scan of the 1 million most critical open source projects judged by their direct dependencies and publish the results in a BigQuery public dataset.

This data is available in the public BigQuery dataset openssf:scorecardcron.scorecard-v2. The latest results are available in the BigQuery view openssf:scorecardcron.scorecard-v2_latest.

You can query the data using BigQuery Explorer by navigating to Add Data > Pin a Project > Enter Project Name > 'openssf'

You can extract the latest results to Google Cloud storage in JSON format using the bq tool:

# Get the latest PARTITION_ID
bq query --nouse_legacy_sql 'SELECT partition_id FROM
openssf.scorecardcron.INFORMATION_SCHEMA.PARTITIONS WHERE table_name="scorecard-v2"
AND partition_id!="__NULL__" ORDER BY partition_id DESC
LIMIT 1'

# Extract to GCS
bq extract --destination_format=NEWLINE_DELIMITED_JSON
'openssf:scorecardcron.scorecard-v2$<partition_id>' gs://bucket-name/filename-*.json

The list of projects that are checked is available in the cron/internal/data/projects.csv file in this repository. If you would like us to track more, please feel free to send a Pull Request with others. Currently, this list is derived from projects hosted on GitHub ONLY. We do plan to expand them in near future to account for projects hosted on other source control systems.

Using Scorecards

Scorecards GitHub Action

The easiest way to use Scorecards on GitHub projects you own is with the Scorecards GitHub Action. The Action runs on any repository change and issues alerts that maintainers can view in the repositorys Security tab. For more information, see the Scorecards GitHub Action installation instructions.

Scorecards Command Line Interface

To run a Scorecards scan on projects you do not own, use the command line interface installation option.

Prerequisites

Platforms: Currently, Scorecards supports OSX and Linux platforms. If you are using a Windows OS you may experience issues. Contributions towards supporting Windows are welcome.

Language: You must have GoLang installed to run Scorecards (https://golang.org/doc/install)

Installation

Standalone

To install Scorecards as a standalone:

  1. Visit our latest release page and download the correct binary for your operating system
  2. Extract the binary file
  3. We are excited to be an early adopter of one of the the OSSF slsa-framework/slsa-github-generator to generate non-forgeable SLSA3 provenance for the scorecard-linux-amd64 binary. If you use this binary, download the companiion provenance file scorecard-linux-amd64.intoto.jsonl as well. Then verify the scorecard binary with slsa-framework/slsa-verifier:
$ ./slsa-verifier-linux-amd64 \
    --artifact-path scorecard-linux-amd64 \
    --provenance scorecard-linux-amd64.intoto.jsonl \
    --source github.com/ossf/scorecard
    --tag vX.Y.Z

When verification passes, it guarantees that the binary you downloaded was generated using the source code of this repository. If you're interested in reading more about SLSA, visit the official slsa.dev.

  1. Add the binary to your GOPATH/bin directory (use go env GOPATH to identify your directory if necessary)
Using Homebrew

You can use Homebrew (on macOS or Linux) to install Scorecards.

brew install scorecard

Using Linux package managers

Package Manager Linux Distribution Command
Nix NixOS nix-shell -p nixpkgs.scorecard
AUR helper Arch Linux Use your AUR helper to install scorecard

Authentication

GitHub imposes api rate limits on unauthenticated requests. To avoid these limits, you must authenticate your requests before running Scorecard. There are two ways to authenticate your requests: either create a GitHub personal access token, or create a GitHub App Installation.

  • Create a GitHub personal access token. When creating the personal access token, we suggest you choose the public_repo scope. Set the token in an environment variable called GITHUB_AUTH_TOKEN, GITHUB_TOKEN, GH_AUTH_TOKEN or GH_TOKEN using the commands below according to your platform.
# For posix platforms, e.g. linux, mac:
export GITHUB_AUTH_TOKEN=<your access token>
# Multiple tokens can be provided separated by comma to be utilized
# in a round robin fashion.
export GITHUB_AUTH_TOKEN=<your access token1>,<your access token2>

# For windows:
set GITHUB_AUTH_TOKEN=<your access token>
set GITHUB_AUTH_TOKEN=<your access token1>,<your access token2>

OR

  • Create a GitHub App Installation for higher rate-limit quotas. If you have an installed GitHub App and key file, you can use the three environment variables below, following the commands (set or export) shown above for your platform.
GITHUB_APP_KEY_PATH=<path to the key file on disk>
GITHUB_APP_INSTALLATION_ID=<installation id>
GITHUB_APP_ID=<app id>

These variables can be obtained from the GitHub developer settings page.

Basic Usage

Docker

scorecard is available as a Docker container:

The GITHUB_AUTH_TOKEN has to be set to a valid token

docker run -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/ossf/scorecard

To use a specific scorecards version (e.g., v3.2.1), run:

docker run -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:v3.2.1 --show-details --repo=https://github.com/ossf/scorecard
Using repository URL

Scorecards can run using just one argument, the URL of the target repo:

$ scorecard --repo=github.com/ossf-tests/scorecard-check-branch-protection-e2e
Starting [CII-Best-Practices]
Starting [Fuzzing]
Starting [Pinned-Dependencies]
Starting [CI-Tests]
Starting [Maintained]
Starting [Packaging]
Starting [SAST]
Starting [Dependency-Update-Tool]
Starting [Token-Permissions]
Starting [Security-Policy]
Starting [Signed-Releases]
Starting [Binary-Artifacts]
Starting [Branch-Protection]
Starting [Code-Review]
Starting [Contributors]
Starting [Vulnerabilities]
Finished [CI-Tests]
Finished [Maintained]
Finished [Packaging]
Finished [SAST]
Finished [Signed-Releases]
Finished [Binary-Artifacts]
Finished [Branch-Protection]
Finished [Code-Review]
Finished [Contributors]
Finished [Dependency-Update-Tool]
Finished [Token-Permissions]
Finished [Security-Policy]
Finished [Vulnerabilities]
Finished [CII-Best-Practices]
Finished [Fuzzing]
Finished [Pinned-Dependencies]

RESULTS
-------
Aggregate score: 7.9 / 10

Check scores:
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                         DOCUMENTATION/REMEDIATION                         |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo  | github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts       |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 9 / 10  | Branch-Protection      | branch protection is not       | github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection      |
|         |                        | maximal on development and all |                                                                           |
|         |                        | release branches               |                                                                           |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| ?       | CI-Tests               | no pull request found          | github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests               |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10  | CII-Best-Practices     | no badge found                 | github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices     |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 10 / 10 | Code-Review            | branch protection for default  | github.com/ossf/scorecard/blob/main/docs/checks.md#code-review            |
|         |                        | branch is enabled              |                                                                           |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10  | Contributors           | 0 different companies found -- | github.com/ossf/scorecard/blob/main/docs/checks.md#contributors           |
|         |                        | score normalized to 0          |                                                                           |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10  | Dependency-Update-Tool | no update tool detected        | github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10  | Fuzzing                | project is not fuzzed in       | github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing                |
|         |                        | OSS-Fuzz                       |                                                                           |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 1 / 10  | Maintained             | 2 commit(s) found in the last  | github.com/ossf/scorecard/blob/main/docs/checks.md#maintained             |
|         |                        | 90 days -- score normalized to |                                                                           |
|         |                        | 1                              |                                                                           |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| ?       | Packaging              | no published package detected  | github.com/ossf/scorecard/blob/main/docs/checks.md#packaging              |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 8 / 10  | Pinned-Dependencies    | unpinned dependencies detected | github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies    |
|         |                        | -- score normalized to 8       |                                                                           |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10  | SAST                   | no SAST tool detected          | github.com/ossf/scorecard/blob/main/docs/checks.md#sast                   |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10  | Security-Policy        | security policy file not       | github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy        |
|         |                        | detected                       |                                                                           |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| ?       | Signed-Releases        | no releases found              | github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases        |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 10 / 10 | Token-Permissions      | tokens are read-only in GitHub | github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions      |
|         |                        | workflows                      |                                                                           |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities        | no vulnerabilities detected    | github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities        |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
Scoring

Each individual check returns a score of 0 to 10, with 10 representing the best possible score. Scorecards also produces an aggregate score, which is a weight-based average of the individual checks weighted by risk.

  • “Critical” risk checks are weighted at 10
  • “High” risk checks are weighted at 7.5
  • “Medium” risk checks are weighted at 5
  • “Low” risk checks are weighted at 2.5

See the list of current Scorecards checks for each check's risk level.

Showing Detailed Results

For more details about why a check fails, use the --show-details option:

./scorecard --repo=github.com/ossf-tests/scorecard-check-branch-protection-e2e --checks Branch-Protection --show-details
Starting [Pinned-Dependencies]
Finished [Pinned-Dependencies]

RESULTS
-------
|---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |            DETAILS             |                         DOCUMENTATION/REMEDIATION                         |
|---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|
| 9 / 10  | Branch-Protection      | branch protection is not       | Info: 'force pushes' disabled  | github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection      |
|         |                        | maximal on development and all | on branch 'main' Info: 'allow  |                                                                           |
|         |                        | release branches               | deletion' disabled on branch   |                                                                           |
|         |                        |                                | 'main' Info: linear history    |                                                                           |
|         |                        |                                | enabled on branch 'main' Info: |                                                                           |
|         |                        |                                | strict status check enabled    |                                                                           |
|         |                        |                                | on branch 'main' Warn: status  |                                                                           |
|         |                        |                                | checks for merging have no     |                                                                           |
|         |                        |                                | specific status to check on    |                                                                           |
|         |                        |                                | branch 'main' Info: number     |                                                                           |
|         |                        |                                | of required reviewers is 2     |                                                                           |
|         |                        |                                | on branch 'main' Info: Stale   |                                                                           |
|         |                        |                                | review dismissal enabled on    |                                                                           |
|         |                        |                                | branch 'main' Info: Owner      |                                                                           |
|         |                        |                                | review required on branch      |                                                                           |
|         |                        |                                | 'main' Info: 'admininistrator' |                                                                           |
|         |                        |                                | PRs need reviews before being  |                                                                           |
|         |                        |                                | merged on branch 'main'        |                                                                           |
|---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|
Using a Package manager

For projects in the --npm, --pypi, or --rubygems ecosystems, you have the option to run Scorecards using a package manager. Provide the package name to run the checks on the corresponding GitHub source code.

For example, --npm=angular.

Running specific checks

To run only specific check(s), add the --checks argument with a list of check names.

For example, --checks=CI-Tests,Code-Review.

Formatting Results

The currently supported formats are default (text) and json.

These may be specified with the --format flag. For example, --format=json.

Report Problems

If you have what looks like a bug, please use the Github issue tracking system. Before you file an issue, please search existing issues to see if your issue is already covered.

Checks

Scorecard Checks

The following checks are all run against the target project by default:

Name Description Risk Level Token Required Note
Binary-Artifacts Is the project free of checked-in binaries? High PAT, GITHUB_TOKEN
Branch-Protection Does the project use Branch Protection ? High PAT (repo or repo> public_repo), GITHUB_TOKEN certain settings are only supported with a maintainer PAT
CI-Tests Does the project run tests in CI, e.g. GitHub Actions, Prow? Low PAT, GITHUB_TOKEN
CII-Best-Practices Does the project have a CII Best Practices Badge? Low PAT, GITHUB_TOKEN
Code-Review Does the project require code review before code is merged? High PAT, GITHUB_TOKEN
Contributors Does the project have contributors from at least two different organizations? Low PAT, GITHUB_TOKEN
Dangerous-Workflow Does the project avoid dangerous coding patterns in GitHub Action workflows? Critical PAT, GITHUB_TOKEN
Dependency-Update-Tool Does the project use tools to help update its dependencies? High PAT, GITHUB_TOKEN
Fuzzing Does the project use fuzzing tools, e.g. OSS-Fuzz? Medium PAT, GITHUB_TOKEN
License Does the project declare a license? Low PAT, GITHUB_TOKEN
Maintained Is the project maintained? High PAT, GITHUB_TOKEN
Pinned-Dependencies Does the project declare and pin dependencies? Medium PAT, GITHUB_TOKEN
Packaging Does the project build and publish official packages from CI/CD, e.g. GitHub Publishing ? Medium PAT, GITHUB_TOKEN
SAST Does the project use static code analysis tools, e.g. CodeQL, LGTM, SonarCloud? Medium PAT, GITHUB_TOKEN
Security-Policy Does the project contain a security policy? Medium PAT, GITHUB_TOKEN
Signed-Releases Does the project cryptographically sign releases? High PAT, GITHUB_TOKEN
Token-Permissions Does the project declare GitHub workflow tokens as read only? High PAT, GITHUB_TOKEN
Vulnerabilities Does the project have unfixed vulnerabilities? Uses the OSV service. High PAT, GITHUB_TOKEN
Webhooks Does the webhook defined in the repository have a token configured to authenticate the origins of requests? High maintainer PAT (admin: repo_hook or admin> read:repo_hook doc EXPERIMENTAL

Detailed Checks Documentation

To see detailed information about each check, its scoring criteria, and remediation steps, check out the checks documentation page.

Contribute

Code of Conduct

Before contributing, please follow our Code of Conduct.

Contribute to Scorecards

See the Contributing documentation for guidance on how to contribute to the project.

Adding a Scorecard Check

If you'd like to add a check, please see guidance here.

Connect with the Scorecards Community

If you want to get involved in the Scorecards community or have ideas you'd like to chat about, we discuss this project in the OSSF Best Practices Working Group meetings.

Artifact Link
Scorecard Dev Forum ossf-scorecard-dev@
Scorecard Announcements Forum ossf-scorecard-announce@
Community Meeting VC Link to z o o m meeting
Community Meeting Calendar Biweekly Thursdays, 1:00pm-2:00pm PST
Calendar
Meeting Notes Notes
Slack Channel #security_scorecards
  Facilitators Company Profile
Azeem Shaikh Google azeemshaikh38
Laurent Simon Google laurentsimon
Naveen Srinivasan naveensrinivasan
Chris McGehee Datto chrismcgehee
Stephen Augustus Cisco justaugustus

Report a Security Issue

To report a security issue, please follow instructions here.

Stargazers over time

Stargazers over time