Code Analysis, Code Review, Downloads, Fuzzing, Hacking Tools, Linux, OSV, Scorecard, Security Scorecards, Static Code Analysis, Tracking, Windows

Security Scorecards – Security Health Metrics For Open Source

Security Health Metrics For Open Source

Motivation

A short motivational video clip to inspire us: https://youtu.be/rDMMYT3vkTk “You passed! All D’s … and an A!”

Goals

  1. Automate analysis and trust decisions on the security posture of open source projects.

  2. Use this data to proactively improve the security posture of the critical projects the world depends on.

Scorecard Checks

The following checks are all run against the target project by default:

NameDescription
ActiveDid the project get any commits in the last 90 days?
Automatic-Dependency-UpdateDoes the project use tools to automatically update its dependencies?
Binary-ArtifactsIs the project free of checked-in binaries?
Branch-ProtectionDoes the project use Branch Protection ?
CI-TestsDoes the project run tests in CI, e.g. GitHub Actions, Prow?
CII-Best-PracticesDoes the project have a CII Best Practices Badge?
Code-ReviewDoes the project require code review before code is merged?
ContributorsDoes the project have contributors from at least two different organizations?
FuzzingDoes the project use fuzzing tools, e.g. OSS-Fuzz?
Frozen-DepsDoes the project declare and freeze dependencies?
PackagingDoes the project build and publish official packages from CI/CD, e.g. GitHub Publishing ?
Pull-RequestsDoes the project use Pull Requests for all code changes?
SASTDoes the project use static code analysis tools, e.g. CodeQL, SonarCloud?
Security-PolicyDoes the project contain a security policy?
Signed-ReleasesDoes the project cryptographically sign releases?
Signed-TagsDoes the project cryptographically sign release tags?
Token-PermissionsDoes the project declare GitHub workflow tokens as read only?
VulnerabilitiesDoes the project have unfixed vulnerabilities? Uses the OSV service.

To see detailed information about each check and remediation steps, check out the checks documentation page.

Usage

Using repository URL

The program can run using just one argument, the URL of the repo:

$ go build
$ ./scorecard --repo=github.com/kubernetes/kubernetes
Starting [Signed-Tags]
Starting [Automatic-Dependency-Update]
Starting [Frozen-Deps]
Starting [Fuzzing]
Starting [Pull-Requests]
Starting [Branch-Protection]
Starting [Code-Review]
Starting [SAST]
Starting [Contributors]
Starting [Signed-Releases]
Starting [Packaging]
Starting [Token-Permissions]
Starting [Security-Policy]
Starting [Active]
Starting [Binary-Artifacts]
Starting [CI-Tests]
Starting [CII-Best-Practices]

Finished [Contributors]
Finished [Signed-Releases]
Finished [Active]
Finished [Binary-Artifacts]
Finished [CI-Tests]
Finished [CII-Best-Practices]
Finished [Packaging]
Finished [Token-Permissions]
Finished [Security-Policy]
Finished [Automatic-Dependency-Update]
Finished [Frozen-Deps]
Finished [Fuzzing]
Finished [Pull-Requests]
Finished [Signed-Tags]
Finished [Branch-Protection]
Finished [Code-Review]
Finished [SAST]

RESULTS
-------
Repo: github.com/kubernetes/kubernetes
Active: Pass 10
Automatic-Dependency-Update: Fail 3
Binary-Artifacts: Pass 10
Branch-Protection: Fail 0
CI-Tests: Pass 10
CII-Best-Practices: Pass 10
Code-Review: Pass 10
Contributors: Pass 10
Frozen-Deps: Fail 10
Fuzzing: Pass 10
Packaging: Fail 0
Pull-Requests: Pass 10
SAST: Fail 10
Security-Policy: Fail 5
Signed-Releases: Fail 10
Signed-Tags: Fail 10
Token-Permissions: Pass 10

For more details why a check fails, use the --show-details option:

./scorecard --repo=github.com/kubernetes/kubernetes --checks Frozen-Deps --show-details
Starting [Frozen-Deps]
Finished [Frozen-Deps]

RESULTS
-------
Repo: github.com/kubernetes/kubernetes
Frozen-Deps: Fail 10
...
!! frozen-deps/docker - cluster/addons/fluentd-elasticsearch/es-image/Dockerfile has non-pinned dependency 'golang:1.16.5'
...
!! frozen-deps/fetch-execute - cluster/gce/util.sh is fetching and executing non-pinned program 'curl https://sdk.cloud.google.com | bash'
...
!! frozen-deps/fetch-execute - hack/jenkins/benchmark-dockerized.sh is fetching an non-pinned dependency 'GO111MODULE=on go install github.com/cespare/prettybench'
...

Using a Package manager

scorecard has an option to provide either --npm / --pypi / --rubygems package name and it would run the checks on the corresponding GitHub source code.

For example:

./scorecard --npm=angular
Starting [Active]
Starting [Branch-Protection]
Starting [CI-Tests]
Starting [CII-Best-Practices]
Starting [Code-Review]
Starting [Contributors]
Starting [Frozen-Deps]
Starting [Fuzzing]
Starting [Packaging]
Starting [Pull-Requests]
Starting [SAST]
Starting [Security-Policy]
Starting [Signed-Releases]
Starting [Signed-Tags]
Finished [Signed-Releases]
Finished [Fuzzing]
Finished [CII-Best-Practices]
Finished [Security-Policy]
Finished [CI-Tests]
Finished [Packaging]
Finished [SAST]
Finished [Code-Review]
Finished [Branch-Protection]
Finished [Frozen-Deps]
Finished [Signed-Tags]
Finished [Active]
Finished [Pull-Requests]
Finished [Contributors]

RESULTS
-------
Active: Fail 10
Branch-Protection: Fail 0
CI-Tests: Pass 10
CII-Best-Practices: Fail 10
Code-Review: Pass 10
Contributors: Pass 10
Frozen-De ps: Fail 0
Fuzzing: Fail 10
Packaging: Fail 0
Pull-Requests: Fail 9
SAST: Fail 10
Security-Policy: Pass 10
Signed-Releases: Fail 0
Signed-Tags: Fail 10

Running specific checks

To use a particular check(s), add the --checks argument with a list of check names.

For example, --checks=CI-Tests,Code-Review.

Authentication

Before running Scorecard, you need to, either:

<div class="highlight highlight-source-shell position-relative" data-snippet-clipboard-copy-content="# For posix platforms, e.g. linux, mac: export GITHUB_AUTH_TOKEN= # For windows: set GITHUB_AUTH_TOKEN= “>

# For posix platforms, e.g. linux, mac:
export GITHUB_AUTH_TOKEN=<your access token>

# For windows:
set GITHUB_AUTH_TOKEN=<your access token>

Multiple GITHUB_AUTH_TOKEN can be provided separated by comma to be utilized in a round robin fashion.

  • create a GitHub App Installations for higher rate-limit quotas. If you have an installed GitHub App and key file, you can use these three environment variables, following the commands shown above for your platform.

<div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="GITHUB_APP_KEY_PATH= GITHUB_APP_INSTALLATION_ID= GITHUB_APP_ID= “>

GITHUB_APP_KEY_PATH=<path to the key file on disk>
GITHUB_APP_INSTALLATION_ID=<installation id>
GITHUB_APP_ID=<app id>

These can be obtained from the GitHub developer settings page.

Understanding Scorecard results

Each check returns a Pass / Fail decision, as well as a confidence score between 0 and 10. A confidence of 0 should indicate the check was unable to achieve any real signal, and the result should be ignored. A confidence of 10 indicates the check is completely sure of the result.

Formatting Results

There are three formats currently: default, json, and csv. Others may be added in the future.

These may be specified with the --format flag.

Public Data

If you’re only interested in seeing a list of projects with their Scorecard check results, we publish these results in a BigQuery public dataset.

This data is available in the public BigQuery dataset openssf:scorecardcron.scorecard. The latest results are available in the BigQuery view openssf:scorecardcron.scorecard_latest.

You can extract the latest results to Google Cloud storage in JSON format using the bq tool:

<div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="# Get the latest PARTITION_ID bq query –nouse_legacy_sql 'SELECT partition_id FROM openssf.scorecardcron.INFORMATION_SCHEMA.PARTITIONS ORDER BY partition_id DESC LIMIT 1' # Extract to GCS bq extract –destination_format=NEWLINE_DELIMITED_JSON 'openssf:scorecardcron.scorecard$’ gs://bucket-name/filename.json “>

# Get the latest PARTITION_ID
bq query --nouse_legacy_sql 'SELECT partition_id FROM
openssf.scorecardcron.INFORMATION_SCHEMA.PARTITIONS ORDER BY partition_id DESC
LIMIT 1'

# Extract to GCS
bq extract --destination_format=NEWLINE_DELIMITED_JSON
'openssf:scorecardcron.scorecard$<partition_id>' gs://bucket-name/filename.json

The list of projects that are checked is available in the cron/data/projects.csv file in this repository. If you would like us to track more, please feel free to send a Pull Request with others.

NOTE: Currently, these lists are derived from projects hosted on GitHub ONLY. We do plan to expand them in near future to account for projects hosted on other source control systems.

Adding a Scorecard Check

If you’d like to add a check, make sure it is something that meets the following criteria and then create a new GitHub Issue:

Troubleshooting

Supportability

Currently, scorecard officially supports OSX and Linux platforms. So, if you are using a Windows OS you may find issues. Contributions towards supporting Windows are welcome.

Contributing

If you want to get involved or have ideas you’d like to chat about, we discuss this project in the OSSF Best Practices Working Group meetings.

See the Community Calendar for the schedule and meeting invitations. The meetings happen biweekly https://calendar.google.com/calendar/embed?src=s63voefhp5i9pfltb5q67ngpes%40group.calendar.google.com&ctz=America%2FLos_Angeles

See the Contributing documentation for guidance on how to contribute.

Source : KitPloit – PenTest Tools!

Previous ArticleNext Article
Send this to a friend