Last week the community convened for the first OpenSSF Tech Talk of the year, shining a spotlight on OpenSSF Scorecard. OpenSSF Scorecard aids developers and open source consumers in assessing how well an open source project adheres to best practices. It evaluates projects for security risks using a series of automated checks. The Tech Talk provided perspectives from users and maintainers. If you missed it, you can watch the on-demand recording to catch up on valuable insights into how OpenSSF Scorecard contributes to enhancing software supply chain security.
OpenSSF Scorecard Tech Talk Highlights
Moderated by Caroline Lee, a Security Engineer at IBM, the Tech Talk commenced with Caroline’s introduction to the Tech Talk agenda and a general overview of OpenSSF Scorecard. Laurent Simon, Scorecard maintainer and Security Engineer at Google’s Open Source Security Team (GOSST), offered a deep dive into the Scorecard’s key components. Laurent’s expertise laid a solid foundation for understanding the inner workings of this critical tool.
Following Laurent’s overview as a maintainer, Chris Swan, an Engineer at Atsign, shared practical insights into how Scorecard is utilized in real-world scenarios. Chris highlighted the significance of tools like Allstar and emphasized the importance of minimizing ongoing toil, a challenge effectively recognized by Scorecard.
Melba Lopez, a Senior Technical Staff Member (STSM) at IBM, then shed light on Scorecard’s role in software supply chain risk management. Drawing from IBM CISO’s experiences, Melba underscored how Scorecard, coupled with SBOM analysis trends, strengthens supply chain security, positioning it as a valuable asset in the security toolkit.
The Tech Talk also featured a lively panel discussion, exploring Scorecard’s origins, evolution based on user feedback, and the challenges faced by the community. Panelists provided insights into their experiences with Scorecard, emphasizing the importance of collaboration in addressing prevailing challenges and enhancing security practices. The discussion also touched upon anticipated developments in response to current challenges, underscoring the Scorecard community’s commitment to continuous improvement and innovation.
The Tech Talk concluded with an engaging Q&A session, offering attendees an opportunity to delve deeper into Scorecard-related inquiries and glean further insights from the panelists’ expertise. Scorecard Tech Talk Questions & Answers included:
Q: Are there any special considerations or recommendations for setting up Scorecard for projects that leverage many repositories to build a single application?
A: There are no special considerations. The team has developed a tool to automate / simplify creating PRs that enable Scorecard on multiple repositories at once, but we have not publicized it due to lack of testing. The code is available at the Scorecard GitHub Action installer.
Q: What’s the relationship between Allstar and Scorecard going forward? They seem to have a lot of overlap but very different implementations.
A: Allstar today fetches some GitHub settings, uses some Scorecard checks and adds a policy component to them. Going forward, we think Allstar will reduce its own implementation to fetch settings, and instead make use of Scorecard checks more intensively (when possible; Scorecard does not have many checks that require admin read access today). This way Allstar can focus on policy and remediation, and Scorecard on gathering data. This should be facilitated by a new feature we’ll release in Q2, called “structured results”, which will enhance Scorecard results with granular information.
Q: Are all the OpenSSF Scorecard scores in the BigQuery dataset also available through the REST API? Or is it just for the repositories which use the GitHub action and allow their data to be visible? Is the REST API the best way to get Scorecard information for a lot of repositories and integrate Scorecard scores into software supply chain pipelines?
A: Yes, these two APIs should contain the same information. In the past, we’ve had problems with the two being out-of-sync, but I believe this has been fixed now. Create an issue on our repository if you find some discrepancies between the two APIs.
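As an added example (not code from the talk or from the Scorecard project), a small Python gate that reads one Scorecard result in the shape returned by the REST API and by `scorecard --format json`, and checks it against a pipeline policy. The sample result, repository name, check reasons and policy thresholds are constructed placeholders; the REST endpoint base URL is assumed from the public API.

```python
import json
from typing import Any
from urllib.request import urlopen

# Public Scorecard REST API base (assumed). fetch_result is not called below:
# the constructed sample is used so the example runs offline.
API_BASE = "https://api.securityscorecards.dev/projects/"

# Constructed sample in the shape returned by the REST API and by
# `scorecard --format json`; repository, commit, reasons and scores are placeholders.
SAMPLE_RESULT = json.dumps({
    "date": "2024-01-01",
    "repo": {"name": "github.com/example-org/example-repo", "commit": "0" * 40},
    "score": 6.4,
    "checks": [
        {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo"},
        {"name": "Token-Permissions", "score": 0, "reason": "excessive workflow token permissions"},
        {"name": "Pinned-Dependencies", "score": 4, "reason": "dependency not pinned by hash"},
        {"name": "Branch-Protection", "score": -1, "reason": "inconclusive: insufficient permissions"},
    ],
})

# Hypothetical pipeline policy: minimum aggregate score plus per-check floors.
POLICY = {"min_score": 5.0,
          "checks": {"Token-Permissions": 5, "Pinned-Dependencies": 3, "Branch-Protection": 5}}


def fetch_result(repo: str) -> str:
    """Fetch the JSON result for e.g. 'github.com/ossf/scorecard' from the REST API."""
    with urlopen(API_BASE + repo, timeout=30) as resp:
        return resp.read().decode()


def evaluate(result_json: str, policy: dict[str, Any]) -> dict[str, Any]:
    """Compare one Scorecard result against the policy and return a verdict.

    Scorecard reports -1 when a check was inconclusive; such checks (and checks
    missing from the result) are listed as 'unknown' rather than silently
    passing or failing, so the pipeline can decide how to treat them.
    """
    result = json.loads(result_json)
    scores = {c["name"]: c["score"] for c in result.get("checks", [])}
    failures, unknown = [], []
    if result.get("score", -1) < policy["min_score"]:
        failures.append(f"aggregate score {result.get('score')} below {policy['min_score']}")
    for name, floor in policy["checks"].items():
        score = scores.get(name, -1)
        if score == -1:
            unknown.append(name)
        elif score < floor:
            failures.append(f"{name} scored {score}, policy requires >= {floor}")
    return {"repo": result["repo"]["name"], "passed": not failures,
            "failures": failures, "unknown": unknown}
```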
Q: Is there a plan to have a closer integration of Scorecard with GUAC? Also, how do you assure that no malicious packages become part of the 1M+ pre-calculated scores? What is the process for projects to get included?
A: Projects can be included in two ways: either you install the Scorecard GitHub Action on the repository, or you send a PR to the scorecard repository adding an entry to the file. In terms of better integration with GUAC, we’re open to ideas and suggestions. Please create an issue on the repo to let us know how you’d like the two projects to better integrate with each other.
Malicious packages in the 1M+ pre-calculated scores: We don’t enforce anything like that, we only run the analysis on the repositories. It’s possible that some repositories try to game the analysis.
Watch the OpenSSF Scorecard Tech Talk On Demand
During the Tech Talk, we also addressed the following questions:
- What was the original intention for starting OpenSSF Scorecard, and how has it changed based on the feedback from users?
- How long have you been using Scorecard?
- What kind of work were you involved in before utilizing Scorecard, and what provided you with the foundation/experience to use Scorecard?
- What challenges is our community currently facing, and how can we collectively address these challenges?
- Looking ahead to the near future, what developments can we anticipate considering the challenges we are currently confronting?
Watch the video to hear experts discuss and provide insights on these questions. To download the slides for the session and watch the full recording please visit: Building a Stronger Open Source Ecosystem: OpenSSF Scorecard.