OpenSSF Scorecard

What is OpenSSF?

The Open Source Security Foundation (OpenSSF) is an industry collaboration focused on improving the security of open-source software. The OpenSSF brings together various stakeholders to address security challenges in open-source software and to create resources and initiatives that enhance the overall security posture of the open-source ecosystem.

When this framework is integrated in SSD, its checks are expressed as policy code. A policy created from this framework raises an alert, or prevents the deployment, when its rule fails.

Examples of OpenSSF policies in SSD

  • OpenSSF Binary Artifacts Policy - This check determines whether the project has committed executable (binary) artifacts to the source repository.

  • OpenSSF CI Tests Policy - This check assesses whether the project runs tests before merging pull requests. It currently applies only to GitHub-hosted repositories.

  • OpenSSF Packaging Policy - This check assesses whether the project is released as a package. It currently applies only to GitHub-hosted repositories.

  • OpenSSF Signed Releases Policy - This check determines whether the project cryptographically signs its release artifacts.

  • OpenSSF Token Permissions Policy - This check determines whether the tokens used by the project's automated workflows follow the principle of least privilege.

Refer to OpenSSF for more information.
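To show what "converted to code format" means in practice, here is an added example (not SSD's own code or the OpenSSF project's) that encodes the five policies above as rules and evaluates a Scorecard JSON report against them. The check names and the 0-10 score scale are the ones Scorecard uses in its JSON output; the thresholds, the alert/block actions, and the sample report itself are constructed for this example and are not SSD defaults.

```python
import json

# Policies as code for the five OpenSSF checks listed on this page.
# Check names are the identifiers Scorecard uses in its JSON report;
# scores are on Scorecard's 0-10 scale. "alert" raises a finding, "block"
# prevents the deployment. Thresholds and actions here are assumed for
# this example, not SSD defaults.
POLICIES = {
    "Binary-Artifacts":  {"min_score": 10, "action": "block"},
    "CI-Tests":          {"min_score": 5,  "action": "alert"},
    "Packaging":         {"min_score": 1,  "action": "alert"},
    "Signed-Releases":   {"min_score": 8,  "action": "block"},
    "Token-Permissions": {"min_score": 8,  "action": "block"},
}

# Constructed Scorecard report, trimmed to the fields the evaluator reads.
# Scorecard reports a score of -1 for a check it could not run to a conclusion.
SAMPLE_REPORT = json.dumps({
    "repo": {"name": "github.com/example/project"},
    "score": 6.8,
    "checks": [
        {"name": "Binary-Artifacts",  "score": 10, "reason": "no binaries found in the repo"},
        {"name": "CI-Tests",          "score": 3,  "reason": "3 out of 10 merged PRs checked by a CI test"},
        {"name": "Packaging",         "score": -1, "reason": "no published package detected"},
        {"name": "Signed-Releases",   "score": 6,  "reason": "3 out of 5 artifacts are signed"},
        {"name": "Token-Permissions", "score": 10, "reason": "tokens are read-only in all workflows"},
    ],
})


def evaluate(report_json, policies=POLICIES):
    """Return {check_name: {"status": "pass"|"alert"|"block", "reason": str}}."""
    report = json.loads(report_json)
    checks = {c["name"]: c for c in report.get("checks", [])}
    results = {}
    for name, policy in policies.items():
        check = checks.get(name)
        if check is None:
            # A check absent from the report is a failed rule, never a pass.
            results[name] = {"status": "alert", "reason": "check missing from report"}
            continue
        score = check["score"]
        detail = check.get("reason", "")
        if score < 0:
            # Inconclusive checks are surfaced so a human can look at them.
            results[name] = {"status": "alert", "reason": "inconclusive: " + detail}
        elif score < policy["min_score"]:
            results[name] = {
                "status": policy["action"],
                "reason": f"score {score} below minimum {policy['min_score']}: {detail}",
            }
        else:
            results[name] = {"status": "pass", "reason": detail}
    return results


def deployment_allowed(results):
    """The deployment proceeds only if no policy with a "block" action failed."""
    return not any(r["status"] == "block" for r in results.values())


if __name__ == "__main__":
    outcome = evaluate(SAMPLE_REPORT)
    for check_name, r in outcome.items():
        print(f"{check_name:18} {r['status']:5} {r['reason']}")
    print("deployment:", "allowed" if deployment_allowed(outcome) else "blocked")
```

Run against the sample report, the Signed Releases rule fails with a "block" action, so the deployment is stopped even though the other blocking rules pass; the CI Tests and Packaging rules only raise alerts. Treating a missing or inconclusive check as a finding rather than a pass is the design choice that keeps a partial scan from silently approving a release.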

To enable the OpenSSF scan, you need to integrate it with SSD.

To integrate OpenSSF:

  1. Navigate to Config > Integrations.

  2. In the Source panel, click OpenSSF. The OpenSSF integration page is displayed.

  3. Enter the URL and Token values of your OpenSSF account.

  4. Click Save. The tool is integrated in the source stage.

  5. To change the entered values, click the Edit option.

  6. Enter the new URL and Token values and click Update. The new values are saved.

The OpenSSF scan can now be enabled or disabled.
