You should use the OpenSSF Scorecard

Written by Ulises Gascón

Jan 22, 20233 min read

As you may know, the Node.js Ecosystem Security Working Group has defined its priorities for 2023. A key initiative for us will be to assess the organization against the best practices available, such as the OpenSSF Scorecard.

OpenSSF in Node.js

We had a great discussion about the OpenSSF scorecard with the Google Open Source Security Team (GOSST) in the Ecosystem Security Working Group meeting this week.

We began the discussion in this issue, and here you can find the meeting notes:

  • Assessment against best practices (OpenSSF Scorecards ...) #859
  • Add OSSF Scorecard #851
  • Discussion with GOSST about implementing it on Node.js
  • The Nodejs currently report is located here, also json version available
  • Agreement to update action version tag by hash in GHA, following this example, lead by GOSST
  • Agreement to add/document the next steps in this issue in order to provide a good context for the following PRs and TSC Meetings, lead by GOSST

The current score for Node.js is 6.8 out of 10. We will be working to improve this score in the coming months. If you would like to be notified, please subscribe to the Security Working Group repository.

OpenSSF Scorecard in a nutshell

The Scorecard will evaluate the security of your project based on automated checks related to four scenarios.

  • Malicious maintainers
  • Build System Compromises
  • Source Code Compromises
  • Malicious packages

In order to accomplish this, the scripts are focused in 5 areas (Code Vulnerabilities, Maintenance, Continuous Testing, Source Risk Assestment, Build Risk Assestment and Holistic Security Practices).

Diagram flower that includes the 5 areas with the Holistic Security Practices in the middle

Each area has its own associated risk, so the overall score is the average of the five areas. Here, you can check the details of each by consulting the documentation in detail.

The following are the types of questions this score card provides answers to:

  • Does the project contain a security policy?
  • Does the project use fuzzing tools?
  • Does the project use static code analysis tools?
  • Does the project use Branch Protection?
  • Does the project have contributors from at least two different organizations?
  • Does the project cryptographically sign releases?
  • And many more...

If you are wondering if this is a good idea for your project, I think it is a good idea to at least review your packages in the directory.

OpenSSF Scorecard Implementation

It took less than 5 minutes to install. It quickly analysed the repo and identified easy ways to make the project more secure. Priya Wadhwa, Kaniko

You have two options: