{"id":41572,"date":"2021-07-01T17:39:00","date_gmt":"2021-07-01T17:39:00","guid":{"rendered":"http:\/\/eadb04dc-26f7-4a5e-8854-9e3fd075c1d5"},"modified":"2021-07-01T17:39:00","modified_gmt":"2021-07-01T17:39:00","slug":"google-releases-new-open-source-security-software-program-scorecards","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/google-releases-new-open-source-security-software-program-scorecards\/","title":{"rendered":"Google releases new open-source security software program: Scorecards"},"content":{"rendered":"<figure class=\"image image-original shortcode-image\"><span class=\"img aspect-set \"><img decoding=\"async\" src=\"https:\/\/www.zdnet.com\/a\/hub\/i\/r\/2021\/07\/01\/51943e71-d7c1-43b6-ad0b-102af9e2b9d2\/resize\/1200xauto\/290a70c7f873106e5f0311150345e34c\/image-8.jpg\" class alt=\"scorecard-google.jpg\" height=\"auto\" width=\"1200\"><\/span><figcaption><span class=\"caption\"><\/span><\/figcaption><\/figure>\n<p>Some naive people may still think they&#8217;re not using open-source software. They&#8217;re wrong. Everyone does. According to the <a href=\"https:\/\/www.synopsys.com\/software-integrity\/cybersecurity-research-center.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">Synopsys Cybersecurity Research Center<\/a> (CyRC) <a href=\"https:\/\/www.synopsys.com\/software-integrity\/resources\/analyst-reports\/open-source-security-risk-analysis.html?intcmp=sig-blog-ossra1\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">2021 &#8220;Open Source Security and Risk Analysis&#8221; (OSSRA) report<\/a>, 95% of all commercial programs contain open-source software. By CyRC&#8217;s count, the vast majority of that code contains outdated or insecure code. But how can you tell which libraries and other components are safe without doing a deep code dive? <a href=\"https:\/\/opensource.google\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">Google<\/a> and the <a href=\"https:\/\/openssf.org\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">Open Source Security Foundation (OSSF)<\/a> have a quick and easy answer: The <a href=\"https:\/\/github.com\/ossf\/scorecard\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">OpenSSF Security Scorecards<\/a>.<\/p>\n<div class=\"relatedContent alignRight\">\n<h3 class=\"heading\"> <span class=\"int\">Open Source<\/span> <\/h3>\n<\/p><\/div>\n<p>These Scorecards are based on a set of automated pass\/fail checks to provide a quick review of many open-source software projects. The<a href=\"https:\/\/github.com\/ossf\/scorecard\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\"> Scorecards project<\/a> is an automated security tool that produces a &#8220;risk score&#8221; for open-source programs.<br \/>&nbsp;<br \/>That&#8217;s important because only some organizations have systems and processes in place to check new open-source dependencies for security problems. Even at Google, though, with all its resources, this process is often tedious, manual, and error-prone. Worse still, many of these projects and developers are resource-constrained. The result? <a href=\"https:\/\/thenewstack.io\/how-much-time-do-developers-spend-actually-writing-code\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">Security often ends up a low priority<\/a> on the task list. This leads to critical projects not following good security best practices and becoming vulnerable to exploits.&nbsp;<br \/>&nbsp;<br \/>The Scorecards project hopes to make security checks easier to make security easier to achieve with the release of <a href=\"https:\/\/github.com\/ossf\/scorecard\/releases\/tag\/v2.0.0\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">Scorecards v2<\/a>.&nbsp; This includes new security checks, scaled up the number of projects being scored, and made this data easily accessible for analysis.<\/p>\n<p>For developers, Scorecards help reduce the toil and manual effort required to continually evaluate changing packages when maintaining a project&#8217;s supply chain. Consumers can automatically access the risks to make informed decisions about accepting the program, look for an alternative solution, or work with the maintainers to make improvements.<br \/>&nbsp;<br \/>Here&#8217;s what new:&nbsp;<br \/>&nbsp;<br \/><strong>Identifying Risks:&nbsp;<\/strong>Since last fall, Scorecards&#8217; coverage has grown; the project has added several new checks, following Google&#8217;s<a href=\"https:\/\/security.googleblog.com\/2021\/02\/know-prevent-fix-framework-for-shifting.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\"> Know, Prevent, Fix framework<\/a>.<br \/>&nbsp;<br \/><strong>Spotting malicious contributors:<\/strong>&nbsp; Contributors with malicious intent or compromised accounts can introduce potential backdoors into code. Code reviews help mitigate such attacks. With the new<a href=\"https:\/\/github.com\/ossf\/scorecard\/blob\/main\/checks\/checks.md#branch-protection\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\"> Branch-Protection<\/a> check, developers can verify that the project enforces mandatory code review from another developer before code is committed. Currently, this check can only be run by a repository admin due to GitHub API limitations. For a third-party repository, use the less informative<a href=\"https:\/\/github.com\/ossf\/scorecard\/blob\/main\/checks\/checks.md#code-review\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\"> Code-Review<\/a> check instead.<br \/>&nbsp;<br \/><strong>Vulnerable Code:&nbsp;<\/strong>Even with developers and peer review&#8217;s best efforts, bad code can still enter a codebase and remain undetected. That&#8217;s why it&#8217;s important to enable continuous&nbsp;<a href=\"https:\/\/github.com\/ossf\/scorecard\/blob\/main\/checks\/checks.md#fuzzing\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">fuzzing<\/a>&nbsp;and static code testing to catch bugs early in the development lifecycle. The project now checks to see if a project uses fuzzing and<a href=\"https:\/\/github.com\/ossf\/scorecard\/blob\/main\/checks\/checks.md#sast\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\"> SAST<\/a> tools as part of its <a href=\"https:\/\/www.hpe.com\/us\/en\/insights\/articles\/continuous-integration-and-delivery-tool-basics-1807.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">continuous integration\/continuous deployment (CI\/CD) <\/a>pipeline.<\/p>\n<p><strong>Build system compromise:&nbsp;<\/strong>A common CI\/CD solution used by GitHub projects is<a href=\"https:\/\/github.com\/features\/actions\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\"> GitHub Actions<\/a>. A danger with these action workflows is that they may handle untrusted user input. Meaning, an attacker can craft a malicious pull request to gain access to the privileged GitHub token, and with it the ability to<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/heres-how-a-researcher-broke-into-microsoft-vs-codes-github\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\"> push malicious code to the repo<\/a> without review. To mitigate this risk, Scorecard&#8217;s<a href=\"https:\/\/github.com\/ossf\/scorecard\/blob\/main\/checks\/checks.md#token-permissions\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\"> Token-Permissions<\/a> prevention check now verifies that the GitHub workflows follow the principle of least privilege by making GitHub tokens read-only by default.<br \/>&nbsp;<br \/><strong>Bad dependencies:&nbsp;<\/strong>A program is only as secure as its weakest dependency. This may sound obvious, but the first step to knowing our dependencies is simply to declare them&#8230; and have your dependencies declare them too. Armed with this provenance information, you can assess the risks to your programs and mitigate those risks.&nbsp;<br \/>&nbsp;<br \/>That&#8217;s the good news. The bad news is there are several widely used anti-patterns that break this provenance principle. The first of these anti-patterns are checked-in binaries &#8212; as there&#8217;s no way to easily verify or check the contents of the binary in the project. Thanks in particular to the continued use of proprietary drivers, this may be an unavoidable evil. Still, Scorecards provides<a href=\"https:\/\/github.com\/ossf\/scorecard\/blob\/main\/checks\/checks.md#binary-artifacts\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\"> a Binary-Artifacts<\/a> check for testing this.<\/p>\n<p>Another anti-pattern is the use of curl or bash in scripts, which dynamically pulls dependencies. Cryptographic hashes let us pin our dependencies to a known value. If this value ever changes, the build system detects it and refuses to build. Pinning dependencies is useful everywhere we have dependencies: Not just during compilation, but also in Dockerfiles, CI\/CD workflows, etc. Scorecards checks for these anti-patterns with the<a href=\"https:\/\/github.com\/ossf\/scorecard\/blob\/main\/checks\/checks.md#frozen-deps\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\"> Frozen-Deps<\/a> check. This check is helpful for mitigating against malicious dependency attacks such as the recent<a href=\"https:\/\/about.codecov.io\/security-update\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\"> CodeCov<\/a> attack.<\/p>\n<p>Even with hash-pinning, hashes need to be updated once in a while when dependencies patch vulnerabilities. Tools like<a href=\"https:\/\/docs.github.com\/en\/code-security\/supply-chain-security\/managing-vulnerabilities-in-your-projects-dependencies\/configuring-dependabot-security-updates\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\"> dependabot<\/a> or<a href=\"https:\/\/github.com\/renovatebot\/renovate\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\"> renovatebot<\/a> can review and update the hashes. The Scorecards<a href=\"https:\/\/github.com\/ossf\/scorecard\/blob\/main\/checks\/checks.md#automatic-dependency-update\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\"> Automated-Dependency-Update<\/a> check verifies that developers rely on such tools to update their dependencies.<\/p>\n<p>It is important to know vulnerabilities in a project before using it as a dependency. Scorecards can provide this information via the new <a href=\"https:\/\/github.com\/ossf\/scorecard\/blob\/main\/checks\/checks.md#vulnerabilities\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">Vulnerabilities<\/a> check, without subscribing to a vulnerability alert system.<br \/>&nbsp;<br \/>That&#8217;s what new. Here is what the Scorecards project has done so far.&nbsp;<br \/>&nbsp;<br \/>It now has evaluated <a href=\"https:\/\/github.com\/ossf\/scorecard\/blob\/main\/cron\/data\/projects.csv\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">security for over 50,000 open source projects<\/a>. To scale this project, its architecture has been massively redesigned. It now uses a <a href=\"https:\/\/cloud.google.com\/pubsub\/docs\/overview\" target=\"_blank\" rel=\"noopener noreferrer\" data-component=\"externalLink\">Pub\/Sub<\/a> model. This gives it improved horizontal scalability and higher throughput. This fully automated tool periodically evaluates critical open source projects and exposes the Scorecards check information through weekly updated <a href=\"https:\/\/console.cloud.google.com\/bigquery?p=openssf&amp;page=table&amp;d=scorecardcron&amp;t=scorecard\" target=\"_blank\" rel=\"noopener noreferrer\" data-component=\"externalLink\">public BigQuery dataset<\/a>&nbsp;<\/p>\n<section class=\"sharethrough-top\" data-component=\"medusaContentRecommendation\" data-medusa-content-recommendation-options=\"{&quot;promo&quot;:&quot;promo_zd_recommendation_sharethrough_top_in_article_desktop&quot;,&quot;spot&quot;:&quot;dfp-in-article&quot;}\"> <\/section>\n<p>To access this data, you can use the<a href=\"https:\/\/cloud.google.com\/bigquery\/docs\/reference\/bq-cli-reference\" target=\"_blank\" rel=\"noopener noreferrer\" data-component=\"externalLink\"> bq command-line tool<\/a>. The following example shows how to export data for the Kubernetes project. For your purposes, substitute the Kubernetes repo url with the one for the program you need to check:<\/p>\n<p>$ bq query &#8211;nouse_legacy_sql &#8216;SELECT Repo, Date, Checks FROM openssf.scorecardcron.scorecard_latest WHERE Repo=&#8221;<a href=\"http:\/\/github.com\/kubernetes\/kubernetes\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">github.com\/kubernetes\/kubernetes<\/a>&#8220;&#8216;<\/p>\n<p>You can also see the <a href=\"https:\/\/github.com\/ossf\/scorecard#public-data\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">latest data on all Scorecards analyzed projects<\/a>. This data is also available in the new<a href=\"https:\/\/opensource.googleblog.com\/2021\/06\/introducing-open-source-insights-project.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\"> Google Open Source Insights<\/a><a href=\"https:\/\/deps.dev\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\"> project<\/a> and the <a href=\"http:\/\/metrics.openssf.org\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">OpenSSF Security Metrics project<\/a>. The raw data can also be examined via data analysis and visualization tools such as <a href=\"https:\/\/datastudio.google.com\/\" target=\"_blank\" rel=\"noopener noreferrer\" data-component=\"externalLink\">Google Data Studio<\/a>. With the data in CSV format, you can examine it with whatever your favorite data analysis and visualization tool may be.&nbsp;<br \/>&nbsp;<br \/>One thing is clear from all this data. There&#8217;s a lot of security gaps still to fill even in widely used packages<a href=\"https:\/\/deps.dev\/go\/k8s.io%2Fkubernetes\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\"> such as Kubernetes<\/a>. For example, many projects are not continuously<a href=\"https:\/\/github.com\/google\/oss-fuzz\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\"> fuzzed<\/a>, don&#8217;t define a security policy for reporting vulnerabilities, and don&#8217;t pin dependencies. According to Google, and frankly, anyone who cares about security: &#8220;We all need to come together as an industry to drive awareness of these widespread security risks, and to make improvements that will benefit everyone.&#8221;<br \/>&nbsp;<br \/>As helpful as Scorecards v2 is, much more work remains to be done. The project now has 23 developers, more would be welcomed.&nbsp; If you would like to join the fun, check out these <a href=\"https:\/\/github.com\/ossf\/scorecard\/issues\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">good first-timer issues<\/a>. These are all accessible via <a href=\"https:\/\/github.com\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">GitHub<\/a>.<\/p>\n<p>If you would like us to help you run Scorecards on specific projects, please <a href=\"https:\/\/github.com\/ossf\/scorecard\/blob\/main\/cron\/data\/projects.csv\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">submit a GitHub pull request to add them<\/a>. Last but not least, Google&#8217;s developers said, &#8220;We have a lot of ideas and<a href=\"https:\/\/github.com\/ossf\/scorecard\/issues?q=is%3Aopen+is%3Aissue+%22new+check%3A%22\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\"> many more checks we&#8217;d like to add<\/a>, but we want to hear from you. Tell us which checks you would like to see in the next version of Scorecards.&#8221;<br \/>&nbsp;<br \/>Looking ahead, the team plans to add:<\/p>\n<p>If I were you, I&#8217;d start using Scorecards immediately. This project can already make your work much safer and it promises to do even more to improve not only security for your programs but the programs it covers.<\/p>\n<h3><strong>Related Stories:<\/strong><\/h3>\n<p> READ MORE <a href=\"https:\/\/www.zdnet.com\/article\/google-releases-new-open-source-security-software-program-scorecards\/#ftag=RSSbaffb68\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>How safe is that open-source software in the Git library, the one with the questionable history? Scorecard 2.0 can quickly tell you just how secure, or not, it really is.<br \/>\nREAD MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":41573,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[62],"tags":[],"class_list":["post-41572","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-zdnet-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Google releases new open-source security software program: Scorecards 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/google-releases-new-open-source-security-software-program-scorecards\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Google releases new open-source security software program: Scorecards 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/google-releases-new-open-source-security-software-program-scorecards\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-01T17:39:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/07\/google-releases-new-open-source-security-software-program-scorecards.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"801\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/google-releases-new-open-source-security-software-program-scorecards\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/google-releases-new-open-source-security-software-program-scorecards\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Google releases new open-source security software program: Scorecards\",\"datePublished\":\"2021-07-01T17:39:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/google-releases-new-open-source-security-software-program-scorecards\\\/\"},\"wordCount\":1319,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/google-releases-new-open-source-security-software-program-scorecards\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/google-releases-new-open-source-security-software-program-scorecards.jpg\",\"articleSection\":[\"ZDNet | Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/google-releases-new-open-source-security-software-program-scorecards\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/google-releases-new-open-source-security-software-program-scorecards\\\/\",\"name\":\"Google releases new open-source security software program: Scorecards 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/google-releases-new-open-source-security-software-program-scorecards\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/google-releases-new-open-source-security-software-program-scorecards\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/google-releases-new-open-source-security-software-program-scorecards.jpg\",\"datePublished\":\"2021-07-01T17:39:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/google-releases-new-open-source-security-software-program-scorecards\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/google-releases-new-open-source-security-software-program-scorecards\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/google-releases-new-open-source-security-software-program-scorecards\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/google-releases-new-open-source-security-software-program-scorecards.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/google-releases-new-open-source-security-software-program-scorecards.jpg\",\"width\":1200,\"height\":801},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/google-releases-new-open-source-security-software-program-scorecards\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Google releases new open-source security software program: Scorecards\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Google releases new open-source security software program: Scorecards 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/google-releases-new-open-source-security-software-program-scorecards\/","og_locale":"en_US","og_type":"article","og_title":"Google releases new open-source security software program: Scorecards 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/google-releases-new-open-source-security-software-program-scorecards\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-07-01T17:39:00+00:00","og_image":[{"width":1200,"height":801,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/07\/google-releases-new-open-source-security-software-program-scorecards.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/google-releases-new-open-source-security-software-program-scorecards\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/google-releases-new-open-source-security-software-program-scorecards\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Google releases new open-source security software program: Scorecards","datePublished":"2021-07-01T17:39:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/google-releases-new-open-source-security-software-program-scorecards\/"},"wordCount":1319,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/google-releases-new-open-source-security-software-program-scorecards\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/07\/google-releases-new-open-source-security-software-program-scorecards.jpg","articleSection":["ZDNet | Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/google-releases-new-open-source-security-software-program-scorecards\/","url":"https:\/\/www.threatshub.org\/blog\/google-releases-new-open-source-security-software-program-scorecards\/","name":"Google releases new open-source security software program: Scorecards 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/google-releases-new-open-source-security-software-program-scorecards\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/google-releases-new-open-source-security-software-program-scorecards\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/07\/google-releases-new-open-source-security-software-program-scorecards.jpg","datePublished":"2021-07-01T17:39:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/google-releases-new-open-source-security-software-program-scorecards\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/google-releases-new-open-source-security-software-program-scorecards\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/google-releases-new-open-source-security-software-program-scorecards\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/07\/google-releases-new-open-source-security-software-program-scorecards.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/07\/google-releases-new-open-source-security-software-program-scorecards.jpg","width":1200,"height":801},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/google-releases-new-open-source-security-software-program-scorecards\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Google releases new open-source security software program: Scorecards"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/41572","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=41572"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/41572\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/41573"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=41572"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=41572"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=41572"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}