With Branch-Protection check, developers can verify that the project enforces mandatory code review from another developer before code is committed. Malicious contributors with malicious intent or compromised accounts can introduce potential backdoors into code. Despite best efforts by developers and peer reviews, vulnerable code can enter source control and remain undetected. We have added checks to detect if a project uses Fuzzing and SAST tools as part of their CI/CD system. Scorecards checks for these anti-patterns with the new Frozen-Deps check for malicious dependency attacks.”]
Source: https://security.googleblog.com/2021/07/measuring-security-risks-in-open-source.html