Secure Software Development: StepSecurity's Role in Increasing OpenSSF Scorecard Scores

StepSecurity's pull request feature has now helped over 300 repositories in adopting secure development practices.

Varun Sharma
April 6, 2023

OpenSSF Scorecard rates GitHub projects on their adherence to secure software development practices. StepSecurity assists developers in attaining higher Scorecard scores by orchestrating security tools and implementing best practices. We enable developers to initiate automated pull requests to improve their scores. Two months ago, I mentioned that over 200 public GitHub repositories had successfully applied security best practices through our pull request feature. Excitingly, that number has now exceeded 300 repositories!

If your organization has public GitHub repositories, we can help you adopt OpenSSF Scorecard and measurably improve secure software development practices.

In this blog post, I'll share insights on how developers utilize this pull request feature to achieve higher Scorecard scores.

OpenSSF Scorecard

OpenSSF Scorecard is an automated tool that assesses several important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to identify the specific areas to improve in order to strengthen the security posture of your project.

This quote summarizes the value of using the OpenSSF Scorecard:

“We rely on Security Scorecards [i.e., OpenSSF Scorecard] to ensure we follow secure development best practices.” - Appu Goundan, Distroless

StepSecurity automation

To get a higher score, developers need to put in the effort to change repository settings (such as branch protection) and improve the security of their code and CI/CD pipelines. StepSecurity has a catalog of fixes that reduces the steps needed to get a higher score. In January 2022, we introduced three fixes that applied to GitHub Actions workflows: developers could paste a workflow into our App website and click a button to add best practices to it.

StepSecurity automation using pull requests

Based on developer feedback, we added more fixes to our catalog. In September 2022, we added a way for developers to apply security best practices with one click using an automated pull request. This considerably reduces the time and effort needed to get a higher score.

Since its release, a total of 400 pull requests have been created by 130 maintainers across 310 repositories.

The cumulative number of pull requests created month-over-month through March shows a growth rate of 37.4%.

The chart below shows the different security best practices applied across the 310 repositories.

Here is the link to the top 30 open-source projects, ranked by stars, and the leading 10 maintainers, ranked by the number of pull requests generated, who have successfully increased their repositories' scores through the pull request feature.

Here are some prominent organizations that use automated pull requests.

  1. Google (link to PRs – GoogleCloudPlatform, Google)
  2. Ruby (link to PRs – Ruby, rubygems)
  3. Apache (link to PRs – Apache)
  4. Nginx (link to PRs – Nginxinc)
  5. Eclipse (link to PRs – Eclipse)

We are working with the Eclipse Foundation and the Node.js security working group to improve the score across their GitHub organizations. Here is a screenshot from a blog post by the Eclipse Foundation that shows a dashboard view across the GitHub organization.

If your organization has public GitHub repositories, we can help you adopt OpenSSF Scorecard and measurably improve secure software development practices. Please reach out to us using our website.