By Azeem Shaikh (Google), Laurent Simon (Google), Naveen Srinivasan (Endor Labs), Stephen Augustus (Cisco)
Today, we are excited to release new features from the Scorecards project, the OpenSSF tool that helps maintainers follow security best practices. Results published by the Scorecards GitHub Action can now be queried through a REST API for quickly viewing project scores, and we’ve added one of our favorite new features: badges! We hope these additions will make interacting with Scorecards smoother than ever for open source maintainers and consumers.
New users, new features
Scorecards has grown since the release of our GitHub Action: 1600+ repositories, including major projects like TensorFlow, Flutter, Angular, urllib3, and the Eclipse Foundation, now use Scorecards to incorporate best practices into their software development lifecycle and improve continuously.
Our v1 release earlier this year introduced the “publish_results” option. In v2, enabling it automatically sends a project’s Scorecards results to our servers for analysis. The data gathered through this option is what makes two more features possible:
- A REST API for querying any public repository’s published results. Open source consumers can use the Scorecard API to understand the security health of their supply chain rather than running the CLI against each dependency by hand.
- Badges that show off your hard work to improve security practices. Badges are especially useful for maintainers, who can assess the state of their dependencies at a glance.
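As an added example (not code from this post or from the Scorecards project), here is how a consumer might use the published results to triage a list of dependencies, and how a maintainer might generate the README snippet for a badge. It assumes the public API endpoints `https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}` (JSON result) and the same path with `/badge` appended (SVG badge), and that the JSON has the same shape as the CLI’s JSON output (`score`, `checks[].name`, `checks[].score`, with a check score of -1 meaning the check could not be evaluated). The repository names, scores and thresholds below are constructed for illustration; only repositories that run the Action with `publish_results: true` have results to query.

```python
"""Triage dependencies against published OpenSSF Scorecard results.

Added example; not code from the Scorecards project or the blog post.
Assumed endpoints (from the project's public API):
  {API_BASE}/github.com/{owner}/{repo}        -> JSON result
  {API_BASE}/github.com/{owner}/{repo}/badge  -> SVG badge
"""
import json
import urllib.request

API_BASE = "https://api.securityscorecards.dev/projects"  # assumed public API base

# Checks a consumer typically cares about most for supply-chain risk (our choice, not a Scorecards policy).
WATCHED_CHECKS = ("Branch-Protection", "Pinned-Dependencies", "Token-Permissions")


def result_url(owner: str, repo: str) -> str:
    """URL of the published JSON result for a GitHub repository (assumed path shape)."""
    return f"{API_BASE}/github.com/{owner}/{repo}"


def badge_markdown(owner: str, repo: str) -> str:
    """Markdown a maintainer can paste into a README: badge image linking to the JSON result."""
    url = result_url(owner, repo)
    return f"[![OpenSSF Scorecard]({url}/badge)]({url})"


def fetch_result(owner: str, repo: str, timeout: float = 10.0):
    """Live query (needs network). Returns None when nothing has been published (HTTP 404)."""
    try:
        with urllib.request.urlopen(result_url(owner, repo), timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def summarize(result: dict, min_check: float = 7.0, watched=WATCHED_CHECKS):
    """Return (overall score, names of watched checks scoring below min_check).

    A check score of -1 means Scorecards could not evaluate it; we neither pass nor fail it here.
    """
    weak = [
        c["name"]
        for c in result.get("checks", [])
        if c["name"] in watched and c.get("score") is not None
        and 0 <= c["score"] < min_check
    ]
    return result.get("score"), weak


def triage(results: dict, min_overall: float = 5.0, min_check: float = 7.0) -> dict:
    """Map 'owner/repo' -> (verdict, overall score, weak checks).

    verdict is 'ok', 'review' (low overall score or a weak watched check), or
    'unknown' (no published result, i.e. fetch_result returned None).
    """
    verdicts = {}
    for name, result in results.items():
        if result is None:
            verdicts[name] = ("unknown", None, [])
            continue
        score, weak = summarize(result, min_check)
        verdict = "review" if (score is None or score < min_overall or weak) else "ok"
        verdicts[name] = (verdict, score, weak)
    return verdicts


# Constructed sample results (NOT real API output); shape mirrors the CLI's JSON format.
SAMPLE_RESULTS = {
    "example/good-lib": {
        "repo": {"name": "github.com/example/good-lib", "commit": "0" * 40},
        "score": 9.3,
        "checks": [
            {"name": "Branch-Protection", "score": 8, "reason": "constructed"},
            {"name": "Pinned-Dependencies", "score": 10, "reason": "constructed"},
            {"name": "Token-Permissions", "score": 10, "reason": "constructed"},
            {"name": "Fuzzing", "score": -1, "reason": "constructed: could not evaluate"},
        ],
    },
    "example/stale-lib": {
        "repo": {"name": "github.com/example/stale-lib", "commit": "1" * 40},
        "score": 3.1,
        "checks": [
            {"name": "Branch-Protection", "score": 0, "reason": "constructed"},
            {"name": "Pinned-Dependencies", "score": 2, "reason": "constructed"},
            {"name": "Token-Permissions", "score": 0, "reason": "constructed"},
        ],
    },
    "example/unpublished": None,  # simulates a repo that never enabled publish_results
}

if __name__ == "__main__":
    for name, (verdict, score, weak) in triage(SAMPLE_RESULTS).items():
        print(f"{name:24} {verdict:8} score={score} weak={weak}")
    print(badge_markdown("ossf", "scorecard"))
```

To run this against live data, replace `SAMPLE_RESULTS` with `{name: fetch_result(*name.split("/")) for name in dependency_names}`; an `unknown` verdict then tells you which dependencies have not enabled `publish_results`, which is itself a useful signal when assessing a supply chain.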
Badges in action
We’re excited about badges since they show the open source community how much effort you’ve put into improving your security posture. Take, for instance, urllib3, a popular Python project with almost 10M installations a day. The project already displayed badges you may be familiar with: 100% unit test coverage and a “passing” CI test badge. Now, urllib3 also includes a Scorecards badge showing a 9.3 / 10 score.
With such a high score, urllib3 is showing its commitment to secure practices—but badges aren’t just for projects with awesome scores. If you’re still working on improving your score, having a badge tells others that you’re aware of security best practices and taking them seriously. As you make improvements, your badge will automatically update, and the improvement process can be really rewarding—for a great example, just take a look at how far Dart and Flutter have come.
Growing the community
Community adoption is critical! The more projects that display badges, the more we’ll encourage new adopters of Scorecards and help raise the collective level of open source security. If there’s a project you care about in particular, point them to our new website, and even consider submitting a PR to the project that would install the Scorecards GitHub Action.
Shout out to all the Scorecards contributors and especially our intern Rohan Khandelwal for driving the badges work. His efforts show how a single contributor can make a difference to open source security. If you’re looking to make your contributions count, give us a holler—we’re always looking for more collaborators!