Microsoft believes that many .NET packages can be improved to boost the overall security of the .NET ecosystem. It urges developers to use the Open Source Security Foundation's (OpenSSF) Scorecard for this purpose.
Microsoft bases this advice on its own survey of more than a thousand C# and F# repositories. The survey shows that many popular .NET packages score low on project health, which could affect the security of the entire .NET ecosystem.
OpenSSF Scorecard
According to the tech giant, developers can use the OpenSSF Scorecard tool to check their .NET packages, and it now also supports .NET NuGet packages. The tool runs fully automated security assessments against code repositories.
The tool does not look directly for code errors that cause vulnerabilities, but rather at a project's overall health from a security perspective. To do this, it runs about 20 checks covering different factors.
Checks performed
These include whether code reviews are required before pull requests are merged, whether there are dangerous patterns in GitHub Actions workflows, how actively a project is maintained, and whether dependencies are pinned to specific versions and, ideally, verified with a hash. Another check is whether a project cryptographically signs its releases.
As mentioned above, the OpenSSF Scorecard now offers better support for .NET NuGet packages. Recent updates include checks for pinned dependencies when packages are restored using a lock file and Central Package Management.
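The following script is an added example, not part of the article or of the OpenSSF Scorecard itself. It shows the NuGet settings that the pinned-dependencies check described above looks for: a lock file enabled with RestorePackagesWithLockFile and enforced with RestoreLockedMode, exact (non-floating) versions declared centrally in Directory.Packages.props, and a packages.lock.json whose entries carry a resolved version and a contentHash. The project files and the lock file below are constructed samples; the hash value is a placeholder.

```python
"""Report the dependency-pinning signals of a .NET project: lock-file
settings in the .csproj, exact versions under Central Package Management,
and resolved versions plus content hashes in packages.lock.json."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: a project with no lock file and a floating version.
CSPROJ_UNPINNED = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.*" />
  </ItemGroup>
</Project>"""

# Constructed sample: lock file enabled and enforced, version managed centrally.
CSPROJ_PINNED = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
    <RestoreLockedMode>true</RestoreLockedMode>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" />
  </ItemGroup>
</Project>"""

# Constructed sample Directory.Packages.props (Central Package Management).
DIRECTORY_PACKAGES_PROPS = """<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

# Constructed sample packages.lock.json; the contentHash is a placeholder.
LOCK_FILE = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "Newtonsoft.Json": {
                "type": "Direct",
                "requested": "[13.0.3, )",
                "resolved": "13.0.3",
                "contentHash": "PLACEHOLDER_BASE64_SHA512==",
            }
        }
    },
})

# Wildcards or NuGet range syntax mean the version is not an exact pin.
FLOATING = re.compile(r"[*\[\(]")


def _property(root: ET.Element, name: str) -> str:
    el = root.find(f"./PropertyGroup/{name}")
    return (el.text or "").strip().lower() if el is not None else ""


def check_project(csproj_xml: str) -> list[str]:
    """Findings for lock-file settings and floating PackageReference versions."""
    root = ET.fromstring(csproj_xml)
    findings = []
    if _property(root, "RestorePackagesWithLockFile") != "true":
        findings.append("RestorePackagesWithLockFile is not enabled: no packages.lock.json is produced")
    if _property(root, "RestoreLockedMode") != "true":
        findings.append("RestoreLockedMode is not enabled: restore may silently rewrite the lock file")
    for ref in root.iter("PackageReference"):
        version = ref.get("Version", "")
        if version and FLOATING.search(version):
            findings.append(f"{ref.get('Include')} uses floating or range version {version}")
    return findings


def check_central_versions(props_xml: str) -> list[str]:
    """Findings for Central Package Management being off or using inexact versions."""
    root = ET.fromstring(props_xml)
    findings = []
    if _property(root, "ManagePackageVersionsCentrally") != "true":
        findings.append("Central Package Management is not enabled")
    for pv in root.iter("PackageVersion"):
        version = pv.get("Version", "")
        if not version or FLOATING.search(version):
            findings.append(f"{pv.get('Include')} has a non-exact central version {version!r}")
    return findings


def check_lock_file(lock_json: str) -> list[str]:
    """Findings for lock entries missing a resolved version or a content hash."""
    data = json.loads(lock_json)
    findings = []
    for tfm, deps in data.get("dependencies", {}).items():
        for name, info in deps.items():
            if info.get("type") == "Project":
                continue  # project references carry no package hash
            if not info.get("resolved"):
                findings.append(f"{tfm}: {name} has no resolved version")
            if not info.get("contentHash"):
                findings.append(f"{tfm}: {name} has no contentHash")
    return findings


if __name__ == "__main__":
    for label, findings in [
        ("unpinned project", check_project(CSPROJ_UNPINNED)),
        ("pinned project", check_project(CSPROJ_PINNED)),
        ("central versions", check_central_versions(DIRECTORY_PACKAGES_PROPS)),
        ("lock file", check_lock_file(LOCK_FILE)),
    ]:
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

Running the script reports three findings for the unpinned project (no lock file, no locked mode, a floating version) and none for the pinned configuration. RestoreLockedMode matters because without it a restore on CI can update packages.lock.json instead of failing, which defeats the point of the hash check.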
GitHub is the best-supported repository host, but the OpenSSF Scorecard also works with GitLab, according to Microsoft.