
Google and GitHub Announce OpenSSF Scorecards v4 with New GitHub Actions Workflow


GitHub and Google have announced the version 4 release of the Open Source Security Foundation (OpenSSF)'s Scorecards project. Scorecards is an automated security tool that identifies risky supply chain practices in open source projects. This release includes a new Scorecards GitHub Action, new security checks, and a large increase in the number of repositories included in the foundation's weekly scans.

Scorecards runs a series of checks that review and assess the security practices of a project. These checks include ensuring the project is free of checked-in binaries, that branch protection is in place, that code review is required, and that the project cryptographically signs its releases. The full list of available checks is documented in the project repository. When run, the tool returns a score from 0 to 10 for each individual security practice, along with an aggregate score for the entire project. A subset of the output of a sample scan can be seen below:

RESULTS
-------
Aggregate score: 7.9 / 10

Check scores:
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                         DOCUMENTATION/REMEDIATION                         |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo  | github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts       |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 9 / 10  | Branch-Protection      | branch protection is not       | github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection      |
|         |                        | maximal on development and all |                                                                           |
|         |                        | release branches               |                                                                           |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| ?       | CI-Tests               | no pull request found          | github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests               |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|

The new Scorecards GitHub Action simplifies the process of running the tool. With the Action in place, the Scorecards workflow is preconfigured to run automatically on each contribution. Results are sent to GitHub's code scanning alerts API and appear in the code scanning alerts dashboard under the repository's Security tab. Previously, the tool had to be run manually.


Detailed view of alert from GitHub Action run of Scorecards (credit: GitHub)


This release introduces a new check for dangerous coding patterns in GitHub Actions workflows. It is the first check to carry a Critical risk rating. The check detects improper usage of the pull_request_target trigger and the risk of script injection in GitHub workflows. Because pull_request_target runs in the context of the base repository, with access to its secrets and a write-capable token, combining that trigger with an explicit checkout of an untrusted PR means attacker-controlled code can run with those privileges and could lead to repository compromise. Script injection is possible when unvalidated inputs flow directly into workflows where they can be interpreted as executable code:

- name: Check PR title
  run: |
    title="${{ github.event.pull_request.title }}"
    if [[ $title =~ ^octocat ]]; then
      echo "PR title starts with 'octocat'"
      exit 0
    else
      echo "PR title did not start with 'octocat'"
      exit 1
    fi

In this example, an attacker could set the pull request title to a"; ls $GITHUB_WORKSPACE to force a run of the ls command. This is possible because the run command executes within a temporary shell script on the runner, and before that script is run, all ${{ }} expressions are evaluated and replaced with their values. The substitution happens before the shell parses the script, so quoting inside the script offers no protection. The recommended fix is to pass untrusted event data to the step through an environment variable (an env: entry) and reference only the variable name in the script, so the value is handled as data rather than as program text.
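The script below is an added example, not code from Scorecards or from the article, and it illustrates both halves of the passage above. The first part is a deliberately simplified, line-oriented version of the new check: it scans a constructed workflow (not from any real project) for the pull_request_target-plus-untrusted-checkout pattern and for untrusted event fields expanded inside a run: script, ignoring the same expression when it appears under env:. The real check parses the YAML properly; the awk indentation tracking here is an approximation. The second part simulates what the runner does, substituting the title into the script text before a shell executes it, and shows that the constructed malicious title runs a planted command in the vulnerable step but is inert in the hardened, environment-variable version.

```sh
#!/bin/sh
# Added example (not Scorecards code). Part 1: a simplified version of the new
# Dangerous-Workflow check over constructed workflow text. Part 2: a simulation
# of the runner's ${{ }} expansion, showing the injection and the env-var fix.

# Constructed vulnerable workflow carrying both flagged patterns.
VULNERABLE_WORKFLOW='on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Check PR title
        run: |
          title="${{ github.event.pull_request.title }}"
          if [[ $title =~ ^octocat ]]; then echo match; else echo nomatch; fi
'

# Constructed hardened workflow: the title reaches the script only through an
# environment variable, so the shell sees "$PR_TITLE", never the title text.
HARDENED_WORKFLOW='on: pull_request
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Check PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          if [[ $PR_TITLE =~ ^octocat ]]; then echo match; else echo nomatch; fi
'

scan_workflow() {
  # $1 = workflow text. Prints one "DANGEROUS:" line per finding, nothing when clean.
  if printf '%s\n' "$1" | grep -q 'pull_request_target' &&
     printf '%s\n' "$1" | grep -Eq 'ref:.*github\.event\.pull_request\.head'; then
    echo "DANGEROUS: pull_request_target workflow checks out the untrusted PR head"
  fi
  # Only expressions inside a run: script are injectable; an env: mapping is not.
  # A run: block ends at the first non-blank line indented no deeper than "run:".
  # The field list is a subset of the contributor-controlled fields Scorecards flags.
  printf '%s\n' "$1" | awk '
    /^[ -]*run:/ { in_run = 1; indent = match($0, /[^ -]/); next }
    in_run && !/^ *$/ && match($0, /[^ ]/) <= indent { in_run = 0 }
    in_run && $0 ~ /[$][{][{] *github\.event\.(pull_request\.(title|body|head\.(ref|label))|issue\.(title|body)|comment\.body|review\.body|head_commit\.message)/ {
      print "DANGEROUS: untrusted input expanded in run script, line " NR ": " $0
    }
  '
}

count_findings() { scan_workflow "$1" | grep -c 'DANGEROUS' || true; }

# Part 2: the runner pastes the expression value into the script text BEFORE the
# shell runs it, so the title becomes part of the program rather than data.
render_unsafe() {
  # $1 stands in for the value of ${{ github.event.pull_request.title }}
  printf 'title="%s"\ncase "$title" in octocat*) echo match ;; *) echo nomatch ;; esac\n' "$1"
}
render_safe() {
  # Hardened step: the script text only ever mentions the variable name.
  printf 'case "$PR_TITLE" in octocat*) echo match ;; *) echo nomatch ;; esac\n'
}
unsafe_output() { sh -c "$(render_unsafe "$1")"; }
safe_output()   { PR_TITLE="$1" sh -c "$(render_safe)"; }

# Constructed malicious title in the shape the article describes: close the
# quote, run a command, reopen the quote so the line still parses.
ATTACK='a"; echo INJECTED; echo "'

injected() {
  # prints "injected" if the planted command ran, "clean" otherwise
  case "$1" in *INJECTED*) echo injected ;; *) echo clean ;; esac
}

echo "findings in vulnerable workflow:    $(count_findings "$VULNERABLE_WORKFLOW")"
echo "findings in hardened workflow:      $(count_findings "$HARDENED_WORKFLOW")"
echo "unsafe step with malicious title:   $(injected "$(unsafe_output "$ATTACK")")"
echo "hardened step with malicious title: $(injected "$(safe_output "$ATTACK")")"
```

Run with any POSIX sh; it needs only grep, awk and sh. The vulnerable workflow produces two findings (the untrusted checkout under pull_request_target and the title expanded inside run:), the hardened one none, and the same malicious title executes the planted echo only when it is spliced into the script text.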

The Scorecards team also runs weekly scans of critical open source projects. These projects are identified based on the number of direct dependencies they have. With this release, the number of projects being scanned has increased from 50,000 to one million. These weekly scans now use the same 0-10 rating scale as the self-applied scanning tool. The results are made available via the OpenSSF Security Metrics dashboard, the Scorecards API, a BigQuery public dataset, and the Open Source Insights website.

OpenSSF Scorecards is available on GitHub. Public repositories can make use of the GitHub Action workflow, since the code scanning API and 1,000 Actions minutes per month are free for all public repositories on GitHub. For other GitHub users, these features are available via GitHub Enterprise and GitHub Advanced Security.
