New Google Scorecards Tool Scans Open-Source Software for More Security Risks (Security News, July 2021)
Google has released an updated version of Scorecards, its automated security tool that produces a "risk score" for open source projects, with new checks and a way to export the data the tool generates for further analysis.
"With so much software today relying on open-source projects, consumers need an easy way to judge whether their dependencies are safe," Google's Open Source Security Team said Thursday.
Scorecards aims to automate analysis of the security posture of open source projects, and to use the resulting security health metrics to proactively improve the security posture of other critical projects.
To date, the tool has been scaled up to evaluate security criteria for over 50,000 open source projects.
Google also noted that a large number of the analyzed projects are not continuously fuzzed, do not define a security policy for reporting vulnerabilities, and do not pin their dependencies, underscoring the need to improve the security of these critical projects and raise awareness of these widespread risks.
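To make the two findings above concrete, here is an added example (not Scorecards' own code, and not from Google) of what a scorecard-style "Security-Policy" and "Pinned-Dependencies" check looks like in the simplest form: a stdlib-only Python scan over an in-memory repository. The sample repository, its file contents and the 40-hex commit reference in the workflow are all constructed for illustration; the 0..10 per-check scoring and the two check names follow the naming used by Scorecards, but the scoring rules here are a simplification and are my assumption, not the project's rules.

```python
import re
from dataclasses import dataclass

# Constructed sample repository (path -> file contents); not a real project.
# The 40-hex reference below is a placeholder SHA, not a real commit.
SAMPLE_REPO = {
    "requirements.txt": "requests==2.31.0\nurllib3>=1.26\npyyaml\n",
    ".github/workflows/ci.yml": (
        "on: [push]\n"
        "jobs:\n"
        "  build:\n"
        "    runs-on: ubuntu-latest\n"
        "    steps:\n"
        "      - uses: actions/checkout@v4\n"
        "      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c\n"
        "      - run: pip install -r requirements.txt\n"
    ),
}

# Locations a vulnerability-reporting policy is commonly placed (assumed list).
SECURITY_POLICY_PATHS = ("SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md")
# A GitHub Actions reference is "pinned" only when it ends in a full commit SHA;
# a mutable tag such as @v4 can be moved by the action's maintainer.
SHA_RE = re.compile(r"@[0-9a-f]{40}$")
# A pip requirement is "pinned" only with an exact "==" version.
PIN_RE = re.compile(r"^[A-Za-z0-9_.\-\[\]]+==\S+$")


@dataclass
class CheckResult:
    name: str
    score: int      # 0..10, in the spirit of Scorecards' per-check scores
    details: list   # human-readable findings behind the score


def check_security_policy(repo):
    """Score 10 if any recognised security policy file exists, else 0."""
    found = [p for p in SECURITY_POLICY_PATHS if p in repo]
    return CheckResult("Security-Policy", 10 if found else 0,
                       found or ["no SECURITY.md found"])


def requirement_lines(text):
    """Yield non-empty, non-comment, non-option lines of a requirements file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("-"):
            yield line


def check_pinned_dependencies(repo):
    """Score = fraction of dependencies (pip + workflow actions) that are pinned."""
    total, unpinned = 0, []
    for path, text in repo.items():
        if path.endswith("requirements.txt"):
            for line in requirement_lines(text):
                total += 1
                if not PIN_RE.match(line):
                    unpinned.append(f"{path}: {line}")
        elif path.startswith(".github/workflows/") and path.endswith((".yml", ".yaml")):
            for m in re.finditer(r"uses:\s*(\S+)", text):
                ref = m.group(1)
                if ref.startswith(("./", "docker://")):
                    continue  # local and docker refs are out of scope for this toy check
                total += 1
                if not SHA_RE.search(ref):
                    unpinned.append(f"{path}: {ref}")
    if total == 0:
        return CheckResult("Pinned-Dependencies", 10, ["no dependencies found"])
    score = round(10 * (total - len(unpinned)) / total)
    return CheckResult("Pinned-Dependencies", score,
                       unpinned or ["all dependencies pinned"])


def run_checks(repo):
    """Run every check and return results keyed by check name."""
    return {r.name: r for r in (check_security_policy(repo),
                                check_pinned_dependencies(repo))}


if __name__ == "__main__":
    for result in run_checks(SAMPLE_REPO).values():
        print(f"{result.name}: {result.score}/10")
        for d in result.details:
            print(f"  - {d}")
```

On the constructed repository the sample scores 0/10 for Security-Policy (no policy file) and 4/10 for Pinned-Dependencies: of five dependencies, only `requests==2.31.0` and the SHA-pinned action count as pinned, while `urllib3>=1.26`, `pyyaml` and `actions/checkout@v4` are reported as unpinned. The details list is the part a maintainer acts on; the score is what a downstream consumer compares across dependencies.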
The release of Scorecards v2 comes weeks after the company previewed an end-to-end framework called "Supply-chain Levels for Software Artifacts" to ensure the integrity of software artifacts and prevent unauthorized modifications over the course of the development and deployment pipeline.