Scorecard is an open-source project security assessment tool published by the Open Source Security Foundation (OpenSSF), developed under the lead of foundation member Google and released under the Apache license. Scorecard defines an initial set of assessment criteria and can generate a scorecard for an open-source project fully automatically. Every check on the scorecard can be enabled or disabled individually; the criteria cover whether the project has a pre-defined security policy, a code review process, and continuous test coverage using fuzzing and static analysis tools. Each security check returns a Pass/Fail result together with a confidence score.

Usage:

The tool takes the address of the open-source repository as input:

$ go build
$ ./scorecard --repo=github.com/kubernetes/kubernetes
Starting [Active]
Starting [CI-Tests]
Starting [CII-Best-Practices]
Starting [Code-Review]
Starting [Contributors]
Starting [Frozen-Deps]
Starting [Fuzzing]
Starting [Pull-Requests]
Starting [SAST]
Starting [Security-Policy]
Starting [Signed-Releases]
Starting [Signed-Tags]
Finished [Fuzzing]
Finished [CII-Best-Practices]
Finished [Frozen-Deps]
Finished [Security-Policy]
Finished [Contributors]
Finished [Signed-Releases]
Finished [Signed-Tags]
Finished [CI-Tests]
Finished [SAST]
Finished [Code-Review]
Finished [Pull-Requests]
Finished [Active]

RESULTS
-------
Active: Pass 10
CI-Tests: Pass 10
CII-Best-Practices: Pass 10
Code-Review: Pass 10
Contributors: Pass 10
Frozen-Deps: Pass 10
Fuzzing: Pass 10
Pull-Requests: Pass 10
SAST: Fail 0
Security-Policy: Pass 10
Signed-Releases: Fail 10
Signed-Tags: Fail 5

It is recommended to supply a GitHub OAuth/personal access token so that Scorecard's API calls are not throttled by GitHub's unauthenticated rate limit; the environment variable the upstream README documents for this is GITHUB_AUTH_TOKEN.
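The RESULTS block above is easiest to act on when it is turned into a CI gate. The following shell script is an added example, not code from the Scorecard project: it parses the plain-text "Check: Pass|Fail confidence" lines, lists the failed checks, and fails the job only when a required check failed with at least a given confidence (a "Fail 0" such as the SAST line means the check could not determine the result, so it should not block a build on its own). The sample output embedded below is constructed from the run shown above; the function names, the required-check list and the threshold of 7 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the Scorecard project): turn Scorecard's plain-text
# RESULTS block into a CI gate. Assumed names: failed_checks, gate.

# Constructed sample, taken from the run shown on this page, including a couple
# of the progress lines so the parser is seen to skip them.
SAMPLE_OUTPUT='Starting [Active]
Finished [Active]

RESULTS
-------
Active: Pass 10
CI-Tests: Pass 10
CII-Best-Practices: Pass 10
Code-Review: Pass 10
Contributors: Pass 10
Frozen-Deps: Pass 10
Fuzzing: Pass 10
Pull-Requests: Pass 10
SAST: Fail 0
Security-Policy: Pass 10
Signed-Releases: Fail 10
Signed-Tags: Fail 5'

# failed_checks: read Scorecard output on stdin and print "<check> <confidence>"
# for every line that reports Fail, highest confidence first. Progress lines
# ("Starting [...]"), the RESULTS header and blank lines do not match the pattern.
failed_checks() {
    awk -F': ' '/^[A-Za-z-]+: (Pass|Fail) [0-9]+$/ {
        split($2, r, " ")
        if (r[1] == "Fail") print $1, r[2]
    }' | sort -k2,2nr
}

# gate: read "<check> <confidence>" lines (the output of failed_checks) on stdin.
# Return 1 if any check named in $1 (space-separated) failed with confidence
# >= $2, otherwise 0. A failure with low confidence is reported but not blocking.
gate() {
    required=$1
    min_conf=$2
    status=0
    while read -r name conf; do
        for req in $required; do
            if [ "$name" = "$req" ]; then
                if [ "$conf" -ge "$min_conf" ]; then
                    echo "BLOCK: required check $name failed (confidence $conf)" >&2
                    status=1
                else
                    echo "warn: required check $name failed with low confidence $conf" >&2
                fi
            fi
        done
    done
    return $status
}

# Stand-alone demonstration on the constructed sample. In a real pipeline the
# left-hand side is the scorecard invocation shown above, e.g.
#   GITHUB_AUTH_TOKEN=... ./scorecard --repo=github.com/org/repo | failed_checks | gate "Code-Review Security-Policy" 7
if printf '%s\n' "$SAMPLE_OUTPUT" | failed_checks | gate "SAST Signed-Releases" 7; then
    echo "gate passed"
else
    echo "gate failed"
fi
```

Because the pipeline's exit status is that of `gate`, the last command, the script can be used directly as a job step; the sample run above blocks on Signed-Releases (Fail 10) while only warning about SAST (Fail 0).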


https://github.com/ossf/scorecard