Thursday, June 2, 2022

Google Online Security Blog: Reducing Security Risks in Open Source Software at Scale: Scorecards Launches V4


Since our July announcement of Scorecards V2, the Scorecards project, an automated security tool to flag risky supply chain practices in open source projects, has grown steadily to over 40 unique contributors and 18 implemented security checks. Today we’re proud to announce the V4 release of Scorecards, with larger scaling, a new security check, and a new Scorecards GitHub Action for easier security automation.

The Scorecards Action is released in partnership with GitHub and is available from GitHub’s Marketplace. The Action makes using Scorecards easier than ever: it runs automatically on repository changes to alert developers about risky supply-chain practices. Maintainers can view the alerts on GitHub’s code scanning dashboard, which is available for free to public repositories on GitHub.com and via GitHub Advanced Security for private repositories.

Additionally, we’ve scaled our weekly Scorecards scans to over a million GitHub repositories, and have partnered with the Open Source Insights website for easy user access to the data.

For more details about the release, including the new Dangerous-Workflow security check, visit the OpenSSF’s official blog post here.
