There are many risks involved in introducing new code into a piece of software. This is why Google developed a new scorecard system to help developers assess the risks of an open-source dependency before it is introduced into their systems.
Scorecards is a project released by OpenSSF, the Open Source Security Foundation. The system aims to give developers greater visibility into the risk level of a software package by generating a 'security score' that informs the decision-making process.
Scorecards first establishes an evaluation criterion, then produces a scorecard for an open-source project. It is then up to the developers to decide which packages are best for their use case, depending on their level of trust. The metrics used to evaluate these packages include the presence of a security policy, a code review process, and continuous test coverage with fuzzing and static-code analysis tools.
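The trust decision described above, as an added example that is not part of the article or of the Scorecards project: a small policy gate over a constructed, Scorecard-style JSON result (the field layout, check names and thresholds are assumptions) that rejects a dependency whose per-check scores fall below an organisation's minimums.

```python
import json

# Constructed sample in the shape of a Scorecard JSON result (an assumption
# about the output format, not taken from the article). Check names follow
# the metrics the article lists: security policy, code review, fuzzing, SAST.
SAMPLE_RESULT = json.dumps({
    "repo": {"name": "github.com/example-org/example-lib"},
    "score": 6.8,
    "checks": [
        {"name": "Security-Policy", "score": 10, "reason": "security policy file detected"},
        {"name": "Code-Review", "score": 8, "reason": "most commits reviewed"},
        {"name": "Fuzzing", "score": 0, "reason": "project is not fuzzed"},
        {"name": "SAST", "score": 9, "reason": "SAST tool detected on most PRs"},
    ],
})

# Hypothetical organisation policy: minimum per-check score (0-10) a
# dependency must reach before it is admitted. Thresholds are illustrative.
POLICY = {
    "Security-Policy": 10,
    "Code-Review": 7,
    "Fuzzing": 5,
    "SAST": 7,
}

def evaluate(result_json: str, policy: dict, min_total: float = 6.0) -> dict:
    """Apply the policy to one result; report aggregate and per-check outcomes."""
    result = json.loads(result_json)
    scores = {c["name"]: c.get("score", -1) for c in result.get("checks", [])}
    failures = {}
    for name, minimum in policy.items():
        if name not in scores:
            failures[name] = "check missing from result"
        elif scores[name] < 0:  # negative score treated as inconclusive (assumption)
            failures[name] = "inconclusive"
        elif scores[name] < minimum:
            failures[name] = f"score {scores[name]} below minimum {minimum}"
    aggregate_ok = result.get("score", 0) >= min_total
    return {
        "repo": result["repo"]["name"],
        "aggregate_ok": aggregate_ok,
        "failures": failures,
        # An acceptable aggregate score does not excuse a failed individual check.
        "accepted": aggregate_ok and not failures,
    }

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_RESULT, POLICY), indent=2))
```

Note that the sample passes the aggregate threshold but is still rejected, because the missing fuzzing coverage fails an individual check.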
The goal of Scorecards is to improve visibility into open-source security, especially given the volume of cyber threats, and to help organizations scale out automated analysis and trust decisions.
Although Scorecards is very recent, there is an essential need for developers and open-source projects to have more resources to avoid attacks.