G.L Solaria

Assessing Security Risks of Open Source Repos

So you want to use software from a GitHub or GitLab repository. But how can you assess the security risks associated with the repo?

Thankfully OpenSSF publishes a utility called Scorecard that checks a public repo against a set of security best-practice heuristics (branch protection, dependency pinning, CI token permissions, known vulnerabilities, and so on) and reports a 0-10 score, which helps you understand the risks involved in depending on that software.

OpenSSF

The Open Source Security Foundation is part of the Linux Foundation and was formed in 2020 to help improve the security of open source software. The premier members of the foundation include Google, GitHub, Microsoft, Apple, and Intel.

Scorecard viewer

So how can you get a quick overview of the security risks associated with using a GitHub or GitLab repo? The repo may already have been scanned by OpenSSF's periodic Scorecard run, in which case the results can be viewed in the browser. Simply replace the placeholders in the following URL:

https://scorecard.dev/viewer/?uri=<github_or_gitlab>.com/<user_name_or_org>/<repository_name>

For example, to view the report on the scorecard repo itself, go to https://scorecard.dev/viewer/?uri=github.com/ossf/scorecard. The viewer shows the aggregate score plus a score and a reason for each individual check. Note the date of the scan: the report reflects the repo as it was when it was last scanned, not necessarily its current state.

Scorecard command line utility

If the repo isn't already in the viewer, you can run the utility yourself. For a GitHub repo you will need to generate a GitHub personal access token, because Scorecard makes many API calls per run and GitHub tightly rate-limits unauthenticated requests (for a GitLab repo the equivalent variable is GITLAB_AUTH_TOKEN). Scorecard only reads data, so grant the token no more than read access. Instructions on how to set up the token are documented here.

You can install the utility standalone, but the easiest way to run it is via the official Docker image. If you export GITHUB_AUTH_TOKEN in your shell first, passing -e GITHUB_AUTH_TOKEN with no value forwards it into the container and keeps the token out of your command history:

docker run -e GITHUB_AUTH_TOKEN=<your_access_token> gcr.io/openssf/scorecard:stable  --repo=<url_of_repo_to_audit>

This prints an ASCII table: the aggregate score, then one row per check with its score, name, reason and a link to that check's documentation. Add --show-details to see the specific findings behind each score.

Probing for security vulnerabilities

You can also use the command line utility to run a single probe rather than the full set of checks. The hasOSVVulnerabilities probe looks the repo up in OSV (osv.dev), the open source vulnerability database, and reports known, unfixed vulnerabilities in the project's own code or its dependencies.

docker run -e GITHUB_AUTH_TOKEN=<your_access_token> gcr.io/openssf/scorecard:stable  --repo=<url_of_repo_to_audit> --probes=hasOSVVulnerabilities --format=probe

This prints the probe's findings as JSON to stdout rather than a score, which is the form you want when feeding results into another tool.
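Both the ASCII table and the probe JSON above are meant to be read by a person; in a CI pipeline you want a machine-made decision. The following is an added example, not code from this post or from the scorecard project: it consumes Scorecard's --format=json output (which, unlike the default table, carries the score, reason and details of every check) and enforces a hypothetical policy. The embedded sample report is constructed, the policy thresholds are assumptions, and the file name scorecard_gate.py is hypothetical.

```python
"""Gate on OpenSSF Scorecard JSON output (scorecard --format=json).

Added example for this post; not part of the scorecard project. The policy
thresholds and the sample report below are assumptions / constructed data.
"""
import json
import sys

# Constructed sample of what `scorecard --format=json` emits, abridged to the
# fields this gate reads. Repo name, commit hashes and the "vulnerable to"
# strings are placeholders, not a real scan result.
SAMPLE_REPORT_JSON = """
{
  "date": "2024-01-01",
  "repo": {"name": "github.com/example-org/example-repo",
           "commit": "0000000000000000000000000000000000000000"},
  "scorecard": {"version": "v5.0.0",
                "commit": "0000000000000000000000000000000000000000"},
  "score": 6.4,
  "checks": [
    {"name": "Binary-Artifacts", "score": 10,
     "reason": "no binaries found in the repo", "details": null},
    {"name": "Vulnerabilities", "score": 0,
     "reason": "2 existing vulnerabilities detected",
     "details": ["Warn: Project is vulnerable to: PLACEHOLDER-ID-1",
                 "Warn: Project is vulnerable to: PLACEHOLDER-ID-2"]},
    {"name": "Dangerous-Workflow", "score": 10,
     "reason": "no dangerous workflow patterns detected", "details": null},
    {"name": "Pinned-Dependencies", "score": 3,
     "reason": "dependency not pinned by hash detected",
     "details": ["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:12"]},
    {"name": "Token-Permissions", "score": -1,
     "reason": "internal error while running the check", "details": null}
  ]
}
"""

# Hypothetical policy: an aggregate floor plus hard requirements on the checks
# that most directly signal exploitable or supply-chain-dangerous state.
POLICY = {
    "min_overall": 7.0,
    "min_check": {
        "Vulnerabilities": 10,      # any open OSV advisory fails the gate
        "Dangerous-Workflow": 10,   # e.g. untrusted checkout / script injection in CI
        "Binary-Artifacts": 10,     # checked-in binaries cannot be reviewed
        "Token-Permissions": 5,
    },
}

INCONCLUSIVE = -1  # scorecard's score for a check it could not evaluate


def parse_report(text):
    """Parse scorecard's JSON output; validate the fields this gate relies on."""
    report = json.loads(text)
    if "score" not in report or "checks" not in report:
        raise ValueError("not a scorecard --format=json report")
    return report


def evaluate(report, policy):
    """Return a list of human-readable policy failures (empty list == pass)."""
    failures = []
    if report["score"] < policy["min_overall"]:
        failures.append(
            f"overall score {report['score']} below {policy['min_overall']}")
    checks = {c["name"]: c for c in report["checks"]}
    for name, minimum in policy["min_check"].items():
        check = checks.get(name)
        if check is None:
            # A required check can be absent from a run; fail closed.
            failures.append(f"{name}: check not present in report")
            continue
        if check["score"] == INCONCLUSIVE:
            # -1 means "could not evaluate"; that is not a pass.
            failures.append(f"{name}: inconclusive ({check['reason']})")
            continue
        if check["score"] < minimum:
            failures.append(
                f"{name}: score {check['score']} below {minimum} ({check['reason']})")
            # "details" is null or a list of "Warn:/Info:" strings naming findings
            for line in check.get("details") or []:
                failures.append(f"    {line}")
    return failures


def passes(report, policy):
    return not evaluate(report, policy)


if __name__ == "__main__":
    # Usage: scorecard ... --format=json | python3 scorecard_gate.py
    # With nothing piped in, the constructed sample above is evaluated instead.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT_JSON
    problems = evaluate(parse_report(raw), POLICY)
    for p in problems:
        print(p)
    sys.exit(1 if problems else 0)
```

Run it as docker run -e GITHUB_AUTH_TOKEN gcr.io/openssf/scorecard:stable --repo=github.com/ossf/scorecard --format=json | python3 scorecard_gate.py; a non-zero exit fails the pipeline step. Two deliberate choices: an inconclusive check (score -1) and a check missing from the report both fail the gate rather than silently passing, since a score you could not obtain tells you nothing about the repo's safety.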

More details

Read the docs for more details on how to use this utility, use it in your CI/CD pipeline, or make use of it as a repo maintainer.
