How Google’s OpenSSF Scorecards Boost Open‑Source Security Ratings
Google’s open‑source security tool, OpenSSF Scorecards, now at version 2.0, automates risk assessment for thousands of projects by providing pass/fail checks, binary‑artifact analysis, dependency verification, and CI/CD token controls, helping organizations identify vulnerable code, malicious contributors, and unsafe dependencies.
OpenSSF Scorecards, an open‑source security scoring project originated by Google and the Open Source Security Foundation, provides automated pass/fail checks that generate a risk score for open‑source projects.
According to the 2021 OSSRA report from Synopsys CyRC, 95% of commercial software contains open‑source components, many of which include outdated or insecure code. Scorecards addresses the difficulty of manually reviewing such code by offering a fast, automated assessment.
Key Features of Scorecards 2.0
Risk Identification: Expanded coverage integrated into Google's Know‑Prevent‑Fix framework.
Malicious Author Detection: Branch‑check functionality that requires code review before merges, mitigating backdoor insertion.
Vulnerable Code Discovery: Encourages fuzz testing and static analysis early in the development lifecycle.
System Build Protection: Token‑permission checks for GitHub Actions to enforce least‑privilege execution.
Bad Dependency Detection: Binary‑artifact checks, frozen‑dependency analysis, and automated dependency‑update verification.
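The checks above are only useful if something acts on them. The following is an added example, not code from the Scorecards project: a small policy gate that reads a Scorecard-style JSON result for a dependency and fails it when the checks this article highlights (binary artifacts, token permissions, pinned dependencies, branch protection, code review, a security policy) fall below a chosen minimum. The JSON shape (a top-level "checks" list with "name", "score" and "reason") and the sample values are assumptions constructed for the example.

```python
import json

# Constructed sample in the shape of a Scorecard result (assumption: each check
# carries a name, a 0-10 score and a reason string). Values are made up.
SAMPLE_RESULT = json.dumps({
    "repo": {"name": "github.com/example/library"},
    "checks": [
        {"name": "Binary-Artifacts", "score": 0, "reason": "binaries present in source code"},
        {"name": "Branch-Protection", "score": 3, "reason": "branch protection is not maximal"},
        {"name": "Code-Review", "score": 8, "reason": "most changes are reviewed"},
        {"name": "Pinned-Dependencies", "score": 2, "reason": "dependency not pinned by hash"},
        {"name": "Token-Permissions", "score": 10, "reason": "tokens are read-only in workflows"},
        {"name": "Fuzzing", "score": 0, "reason": "project is not fuzzed"},
    ],
})

# Minimum acceptable score per check. A check listed here but absent from the
# result is treated as a finding too, so a silently skipped check cannot pass.
POLICY = {
    "Binary-Artifacts": 10,    # a checked-in binary is unreviewable code
    "Token-Permissions": 10,   # CI tokens must be least-privilege
    "Pinned-Dependencies": 5,  # frozen dependencies resist substitution
    "Branch-Protection": 5,    # review before merge limits backdoor insertion
    "Code-Review": 5,
    "Security-Policy": 5,      # the article notes many projects lack one
    "Fuzzing": 0,              # recorded for visibility, not enforced here
}


def evaluate(result_json, policy=POLICY):
    """Return (passed, findings); each finding is (check, score_or_None, reason)."""
    result = json.loads(result_json)
    by_name = {c["name"]: c for c in result.get("checks", [])}
    findings = []
    for name, minimum in policy.items():
        check = by_name.get(name)
        if check is None:
            findings.append((name, None, "check not run"))
        elif check["score"] < minimum:
            findings.append((name, check["score"], check["reason"]))
    return (not findings, findings)


if __name__ == "__main__":
    passed, findings = evaluate(SAMPLE_RESULT)
    print("PASS" if passed else "FAIL")
    for name, score, reason in findings:
        print(f"  {name}: score={score} ({reason})")
```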
Scorecards v2.0 has evaluated over 50,000 open‑source projects. Its architecture now uses a Pub/Sub model for horizontal scalability and higher throughput, and it publishes weekly results to a public BigQuery dataset.
To query the data, you can use the bq command‑line tool, for example:
$ bq query --nouse_legacy_sql 'SELECT Repo, Date, Checks FROM openssf.scorecardcron.scorecard_latest WHERE Repo="github.com/kubernetes/kubernetes"'
The results are also available through Google Open Source Insights and the OpenSSF Security Metrics project, and can be visualized with tools like Google Data Studio using CSV exports.
Analysis of the data shows that even widely used packages such as Kubernetes still contain many unresolved vulnerabilities, often lacking security policies or fixed dependencies.
Scorecards v2 currently has 23 developers and welcomes new contributors via its GitHub repository. Future plans include a Scorecards badge for GitHub, deeper CI/CD and Code Scanning integration, and collaboration with the Allstar project for policy enforcement.
Overall, Scorecards aims to make open‑source security more reliable and accessible, helping developers improve both the security of their applications and the underlying code they depend on.