Use “Scorecards” to Check on Security of Your Open Source Projects
In episode 60 of DevNet Snack Minute, DevNet’s Manager of Developer Advocacy, Matt DeNapoli, and I talk with Stephen Augustus, Head of Open Source at Cisco. In this episode we talk about “Scorecard”, and how you can use it to improve the security of your open source project.
Scorecard is an automated tool that assesses a number of important heuristics (“checks”) associated with software security. It assigns each check a score of 0-10, giving consumers of open-source projects an easy way to judge whether their dependencies are safe. You can use these scores to:
- understand specific areas where you can strengthen the security posture of your project
- make sure dependencies are safe, e.g.:
  - do I have binaries checked into my repository?
  - do I have branch protection configured?
  - do I have CI tests?
  - are we doing code reviews?
- make informed decisions about accepting risks, evaluating alternative solutions, or working with maintainers to make improvements.
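The per-check scores are most useful when they feed a decision, so here is an added example (not from the episode or the Scorecard project) of a small intake gate that reads Scorecard's JSON output and applies a minimum score per check for the four checks named above. The result document and the policy thresholds are constructed for illustration; Scorecard reports a score of -1 when a check could not be run, and the gate treats that as inconclusive and fails closed.

```python
import json

# Constructed sample in the shape of Scorecard's JSON output (--format=json,
# also what the public results API returns), trimmed to the fields used here.
# These are not real results for any project.
SAMPLE_RESULT = json.dumps({
    "repo": {"name": "github.com/example-org/example-lib"},
    "score": 6.3,
    "checks": [
        {"name": "Binary-Artifacts", "score": 10,
         "reason": "no binaries found in the repo"},
        {"name": "Branch-Protection", "score": 3,
         "reason": "branch protection is not maximal on development and all release branches"},
        {"name": "CI-Tests", "score": -1,
         "reason": "no pull request found"},
        {"name": "Code-Review", "score": 8,
         "reason": "found 2 unreviewed changesets out of 25"},
    ],
})

# Hypothetical policy: minimum acceptable score (0-10) per check.
POLICY = {
    "Binary-Artifacts": 10,   # never accept checked-in binaries
    "Branch-Protection": 5,
    "CI-Tests": 5,
    "Code-Review": 7,
}


def evaluate(result_json, policy=POLICY):
    """Return (accepted, findings) for a Scorecard result against a policy.

    A score of -1 means Scorecard could not run the check (for example, there
    were no pull requests to inspect). That is treated as inconclusive and
    counted as a finding rather than silently passing the dependency.
    """
    result = json.loads(result_json)
    by_name = {c["name"]: c for c in result.get("checks", [])}
    findings = []
    for check, minimum in policy.items():
        entry = by_name.get(check)
        if entry is None:
            findings.append((check, None, "check missing from results"))
            continue
        score = entry["score"]
        reason = entry.get("reason", "")
        if score < 0:
            findings.append((check, score, "inconclusive: " + reason))
        elif score < minimum:
            findings.append((check, score, f"below minimum {minimum}: {reason}"))
    return (len(findings) == 0, findings)
```

Running `evaluate(SAMPLE_RESULT)` on the constructed result rejects the dependency, flagging Branch-Protection (3 < 5) and CI-Tests (inconclusive).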
In Stephen’s demo and discussion you see how Scorecard gives you a practical way to check for common security weaknesses in your project and address them.
Learn about the new tool Scorecard with Stephen Augustus, Head of Open Source at Cisco.
Check out the Scorecards repo on GitHub