May 18, 2022 05:08 pm GMT

RepoMetaScore: evaluate supply chain risks of open-source projects

Open-source software saves development time, but it should be adopted with care: the code is in the hands of maintainers and contributors you may know nothing about.

The threat of criminals deliberately weaponizing open-source tools grows every year. Recently, a new kind of risk has emerged: developers living in oppressed countries are being coerced into introducing backdoors against their will.

Backdoors and vulnerabilities introduced into OSS can have ruinous consequences for every project that depends on it.

One way to defend against them is to run vulnerability scanners over the third-party libraries your project uses, but scanners only know about issues that have already been discovered and published, so they sometimes alert too late.

Another option is to identify and quantify the security risks of a third-party library before adding it to your product.

RepoMetaScore

To help developers avoid the risks of weaponized OSS, our security engineers have built RepoMetaScore. It is a tool that collects public information about a project and its contributors, analyzes it, and calculates a risk rating from several criteria: GitHub and Twitter profiles, location, commit history, email domain, and so on.

Note that RepoMetaScore (available on GitHub) should not be the only tool you use to assess the credibility of an open-source repository. Treat it as one additional signal for mitigating current threats in open source.

How RepoMetaScore works

RepoMetaScore uses public information disclosed by the contributors themselves. It collects that information through the platforms' APIs and summarizes the result as a risk rating. It can be the first of a series of security checks developers go through when deciding whether or not to add a certain project.
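As an added illustration of the idea (this is not RepoMetaScore's own code or its scoring rules), the Python script below scores constructed contributor records against criteria of the kind listed above and then rolls them up into a repository-level rating. Every weight, threshold, domain list and sample record is hypothetical, and the fixed "today" date exists only to keep the sample deterministic:

```python
"""Contributor-metadata risk scoring: an added illustration, not RepoMetaScore's code.

Every weight, threshold and domain list here is hypothetical, and the
contributor records are constructed offline samples shaped like the fields a
GitHub users/commits API query would return.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed sample data for an imaginary repository (not real accounts).
SAMPLE_CONTRIBUTORS = [
    {"login": "alice-maint", "email": "alice@example-corp.com", "created_at": "2014-03-02",
     "location": "Berlin", "twitter": "alice_dev", "commits": 412},
    {"login": "bob-drive-by", "email": "bob1234@gmail.com", "created_at": "2022-04-30",
     "location": None, "twitter": None, "commits": 1},
    {"login": "carol", "email": "carol@protonmail.com", "created_at": "2019-07-15",
     "location": "Kyiv", "twitter": "carol_sec", "commits": 57},
]

# Hypothetical list of free-mail providers: an address here proves nothing
# about who the person is, unlike a corporate or institutional domain.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "protonmail.com"}
NEW_ACCOUNT_DAYS = 180   # hypothetical: accounts younger than this look unestablished
FLAG_THRESHOLD = 5       # hypothetical: per-contributor score at which we flag the account


@dataclass
class ContributorRisk:
    login: str
    score: int
    reasons: list[str] = field(default_factory=list)


def score_contributor(c: dict, today: date = date(2022, 5, 18)) -> ContributorRisk:
    """Add a hypothetical weight for each weak or missing identity signal."""
    score, reasons = 0, []

    age_days = (today - date.fromisoformat(c["created_at"])).days
    if age_days < NEW_ACCOUNT_DAYS:
        score += 3
        reasons.append(f"account is only {age_days} days old")

    email = c.get("email")
    if not email:
        score += 2
        reasons.append("no public email")
    elif email.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
        score += 2
        reasons.append("free-mail address, domain proves nothing")

    if not c.get("location"):
        score += 1
        reasons.append("no location")
    if not c.get("twitter"):
        score += 1
        reasons.append("no linked Twitter profile")
    if c["commits"] <= 2:
        score += 1
        reasons.append("drive-by contributor (1-2 commits)")

    return ContributorRisk(c["login"], score, reasons)


def assess_repository(contributors: list[dict]) -> dict:
    """Repository-level view: commit-share-weighted score plus individually flagged accounts.

    Weighting by commit share says who controls most of the code; the flagged
    list keeps a single suspicious commit from a brand-new account visible even
    when it barely moves the weighted score.
    """
    total_commits = sum(c["commits"] for c in contributors)
    per_contributor = [score_contributor(c) for c in contributors]
    weighted = sum(r.score * c["commits"] / total_commits
                   for r, c in zip(per_contributor, contributors))
    level = "low" if weighted < 1.5 else "medium" if weighted < 3 else "high"
    return {
        "weighted_score": round(weighted, 2),
        "level": level,
        "flagged": [r.login for r in per_contributor if r.score >= FLAG_THRESHOLD],
        "details": per_contributor,
    }


if __name__ == "__main__":
    report = assess_repository(SAMPLE_CONTRIBUTORS)
    print(f"overall: {report['level']} ({report['weighted_score']})")
    for r in report["details"]:
        print(f"  {r.login:<14} score={r.score:<2} {'; '.join(r.reasons)}")
```

The point of reporting two numbers is the caveat the article makes itself: a metadata score is only a signal. The sample repository rates "low" overall because an established maintainer wrote almost all of the code, yet the one-commit contribution from an eighteen-day-old account with no verifiable identity is exactly the commit a reviewer should read line by line, so it is surfaced separately rather than averaged away.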

To use RepoMetaScore, follow its README. It is a simple Python package that should work on any Unix-like system, including macOS.

Provide RepoMetaScore with a link to the repository in question and it returns the risk rating together with general information about the repository's contributors.


Original Link: https://dev.to/cossacklabs/repometascore-evaluate-supply-chain-risks-of-open-source-projects-2451
