Google has released an updated version of Scorecards, its automated security tool that produces a "risk score" for open source projects. The tool has been scaled up to evaluate security criteria for over 50,000 open source projects. New additions include checks for contributions from malicious authors, use of fuzzing, signs of CI/CD compromise, and bad dependencies. Google also notes that a large number of the analyzed projects are not continuously fuzzed, and that many neither define a security policy for reporting vulnerabilities nor pin their dependencies.
Source: https://thehackernews.com/2021/07/new-google-scorecards-tool-scans-open.html

