Reducing Security Risk In Open Source Software With GitHub Actions And OpenSSF Scorecards V4

>>> Shared from Original Post The GitHub Blog

GitHub is committed to helping secure the future of open source security, and it is why we continue to partner with our industry peers through the Open Source Security Foundation (OpenSSF). Today we’re excited to announce the V4 release of the OpenSSF’s Scorecard project in partnership with Google.

Scorecards is an automated security tool that flags risky supply chain practices in open source projects. We have added a GitHub Action and starter workflow into the GitHub user interface and Marketplace to help developers follow best security practices. Once configured, the Scorecards Action runs automatically on repository changes, and alerts developers about risky supply chain practices using the built-in code scanning experience. The Scorecards project makes a number of checks, including whether the project has a static analysis tool, like CodeQL, configured.

The results are automatically sent to the GitHub code scanning alerts API and appear under the security tab for the project. This will help open source software projects to understand whether they are implementing the Scorecards project’s best practices, and help assure their users about the precautions they’re taking on security.

To give it a try, head over to GitHub and create a personal access token, if you don’t already have one. Then, navigate to your project, click on the Security tab, and Set up code scanning.

Screenshot of "set up code scanning" UI

Then select the OSSF Scorecards option, and click Set up this workflow.

Screenshot of "set up this workflow" UI
The workflow is preconfigured to run on every contribution and will upload results to the code scanning API for remediation. You will need to copy your PAT into the workflow. Check the comments for the appropriate location.

Note: If you already have code scanning configured on your project, you may see a different UI experience within the code scanning alerts page. Simply click Add more scanning tools as shown below.

Screenshot of "add more scanning tools" UI

And just like that, results will start flowing into your Security tab for review.

Screenshot showing high severity code scanning results

While you’re setting up Scorecards, you can also configure CodeQL or one of our other integrated third-party static analysis tools, which is a great first step toward securing your project.

CodeQL, the code scanning API, and 1,000 Actions minutes are included for free to public repositories on GitHub.com.

These features are also available to enterprises through GitHub Enterprise and GitHub Advanced Security. To learn more about GitHub’s Platform and Application Security, please see https://github.com/features/security.

>>> Read the Full Story at The GitHub Blog