Skip to main content

Improving OpenSSF Scorecard Scores: StepSecurity Automation for Four Key Checks

By June 28, 2024Blog, Guest Blog

By Varun Sharma, StepSecurity

Implementing security best practices is essential for open source maintainers to ensure their projects are secure and free from vulnerabilities. However, many maintainers find this task complex and time-consuming when done manually. The OpenSSF Scorecard offers an automated heuristic of how well key security processes are implemented in a project, providing a clear assessment of its security posture. Despite its benefits, manually implementing these security measures can be cumbersome and labor-intensive. This is where automation becomes valuable. StepSecurity’s Secure-Repo project helps automate the implementation of these security best practices, making it easier and faster for maintainers to enhance their project’s security.

OpenSSF Scorecard

The OpenSSF Scorecard project helps improve the security best practices used by open source projects and assists consumers in evaluating the safety of their dependencies. Scorecard is an automated tool that assesses various important heuristics, or “checks,” related to software security, assigning each check a score from 0 to 10. These scores provide insights into specific areas where projects are performing well and where they can improve their security posture.

Why Implementing Security Practices Can Be Challenging

Implementing these security processes can be cumbersome and time-consuming for several reasons:

  1. Overwhelmed by Existing Responsibilities: Maintainers are often overwhelmed by their existing responsibilities, leaving little time for additional security tasks.
  2. Steep Learning Curve: The complexity of security processes creates a steep learning curve. For example, understanding how to configure secure CI/CD pipelines can be challenging.
  3. Repetitive and Manual Tasks: Security practices often involve repetitive tasks that need to be performed across projects. Without automation, these tasks are time-consuming and prone to human error. 

These challenges act as significant barriers to the widespread adoption of security best practices among developers.

Automating Security Best Practices with StepSecurity Secure-Repo

Implementing security best practices manually can be complex and time-consuming, often acting as a barrier to widespread adoption. This is where automation becomes crucial. StepSecurity’s open source project, Secure-Repo, is designed to automate these processes, making it easier for maintainers to achieve and maintain high security standards. The primary goals of Secure-Repo are to:

  • Ensure accurate fixes for security vulnerabilities
  • Seamlessly integrate with the developer’s existing workflow
  • Provide a choice of tools to fit various needs
  • Eliminate the friction associated with manual implementation

Secure-Repo serves as a gatekeeper of repositories, identifying missing security tools and gaps in CI/CD pipeline best practices. By providing developers with a curated list of recommendations, it empowers them to make the choices that fit their projects’ needs. They can then leverage the project to create a pull request, seamlessly integrating the necessary tools and best practices into their repository.

Secure-Repo provides automated remediation for the following OpenSSF Scorecard checks:

  1. Project uses a dependency update tool.
  2. Project uses Static Application Security Testing (SAST).
  3. Project pins dependencies used during its build and release process.
  4. Project’s automated workflows tokens are set to use minimum permissions.

Maintainers of over 1,300 open source projects, including PowerShell, Ruby, Node.js, Electron, and projects from the Eclipse Foundation, Apache Foundation, Microsoft, Google, and Intel have used Secure-Repo to automate security processes.

To understand how these security processes are being automated, check out these pull request examples:

Here is what Ulises Gascón, Node.js Security Team Member, has to say about using StepSecurity to improve Scorecard scores in the Node.js organization

“When we introduced the OpenSSF Scorecard in the Node.js organization, we initially struggled to apply all the suggestions due to the extensive manual work required. This work was hard to prioritize amidst our other responsibilities. However, we had the opportunity to try StepSecurity in the early stages of its development. Since then, it has become an essential tool for us and other projects in the ecosystem. StepSecurity significantly reduces the Time To Remediation (TTR) by generating customizable pull requests with all the necessary changes. This automation has streamlined our workflow and made it much easier to implement critical security measures.”

Enhance Your Project’s Security with StepSecurity

Utilizing StepSecurity for improving Scorecard scores offers a multitude of benefits. It simplifies the implementation of security best practices by automating repetitive and time-consuming tasks, thus alleviating the burden on maintainers. This automation not only saves time but also ensures accuracy in applying security measures, ultimately enhancing the overall security posture of open source projects. 

Try StepSecurity Secure-Repo and experience the ease and efficiency it brings to improving your project’s security scores. For more information or support, please create an issue in the Secure-Repo GitHub public repository here.

About the Author

VarunVarun Sharma is the CEO and Co-Founder of StepSecurity, a cybersecurity startup dedicated to empowering developers to secure their CI/CD pipelines. Before starting StepSecurity, Varun was at Microsoft, where he led the Green Team, with a charter to solve high-risk, systemic security issues, including CI/CD security.