• Stars
    star
    4,323
  • Rank 9,955 (Top 0.2 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created about 4 years ago
  • Updated 4 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

OpenSSF Scorecard - Security health metrics for Open Source

OpenSSF Scorecard

OpenSSF Scorecard OpenSSF Best Practices build CodeQL Go Reference Go Report Card codecov SLSA 3 Slack

Overview

Using Scorecard

Checks

Other Important Recommendations

Scoring

Contribute

FAQ

Overview

What is Scorecard?

We created Scorecard to help open source maintainers improve their security best practices and to help open source consumers judge whether their dependencies are safe.

Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.

The inspiration for Scorecard’s logo: "You passed! All D's ... and an A!"

Project Goals

  1. Automate analysis and trust decisions on the security posture of open source projects.

  2. Use this data to proactively improve the security posture of the critical projects the world depends on.

Prominent Scorecard Users

Scorecard has been run on thousands of projects to monitor and track security metrics. Prominent projects that use Scorecard include:

Public Data

We run a weekly Scorecard scan of the 1 million most critical open source projects judged by their direct dependencies and publish the results in a BigQuery public dataset.

This data is available in the public BigQuery dataset openssf:scorecardcron.scorecard-v2. The latest results are available in the BigQuery view openssf:scorecardcron.scorecard-v2_latest.

You can query the data using BigQuery Explorer by navigating to Add Data > Star a project by name > 'openssf'. For example, you may be interested in how a project's score has changed over time:

SELECT date, score FROM `openssf.scorecardcron.scorecard-v2` WHERE repo.name="github.com/ossf/scorecard" ORDER BY date ASC

You can extract the latest results to Google Cloud storage in JSON format using the bq tool:

# Get the latest PARTITION_ID
bq query --nouse_legacy_sql 'SELECT partition_id FROM
openssf.scorecardcron.INFORMATION_SCHEMA.PARTITIONS WHERE table_name="scorecard-v2"
AND partition_id!="__NULL__" ORDER BY partition_id DESC
LIMIT 1'

# Extract to GCS
bq extract --destination_format=NEWLINE_DELIMITED_JSON
'openssf:scorecardcron.scorecard-v2$<partition_id>' gs://bucket-name/filename-*.json

The list of projects that are checked is available in the cron/internal/data/projects.csv file in this repository. If you would like us to track more, please feel free to send a Pull Request with others. Currently, this list is derived from projects hosted on GitHub ONLY. We do plan to expand them in near future to account for projects hosted on other source control systems.

Using Scorecard

Scorecard GitHub Action

The easiest way to use Scorecard on GitHub projects you own is with the Scorecard GitHub Action. The Action runs on any repository change and issues alerts that maintainers can view in the repository’s Security tab. For more information, see the Scorecard GitHub Action installation instructions.

Scorecard REST API

To query pre-calculated scores of OSS projects, use the REST API.

To enable your project to be available on the REST API, set publish_results: true in the Scorecard GitHub Action setting.

Scorecard Badges

Enabling publish_results: true in Scorecard GitHub Actions also allows maintainers to display a Scorecard badge on their repository to show off their hard work. This badge also auto-updates for every change made to the repository. See more details on this OSSF blogpost.

To include a badge on your project's repository, simply add the following markdown to your README:

[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}/badge)](https://securityscorecards.dev/viewer/?uri=github.com/{owner}/{repo})

Scorecard Command Line Interface

To run a Scorecard scan on projects you do not own, use the command line interface installation option.

Prerequisites

Platforms: Currently, Scorecard supports OSX and Linux platforms. If you are using a Windows OS you may experience issues. Contributions towards supporting Windows are welcome.

Language: You must have GoLang installed to run Scorecard (https://golang.org/doc/install)

Installation

Docker

scorecard is available as a Docker container:

docker pull gcr.io/openssf/scorecard:stable

To use a specific scorecard version (e.g., v3.2.1), run:

docker pull gcr.io/openssf/scorecard:v3.2.1
Standalone

To install Scorecard as a standalone:

Visit our latest release page and download the correct zip file for your operating system.

Add the binary to your GOPATH/bin directory (use go env GOPATH to identify your directory if necessary).

Verifying SLSA provenance for downloaded releases

We generate SLSA3 signatures using the OpenSSF's slsa-framework/slsa-github-generator during the release process. To verify a release binary:

  1. Install the verification tool from slsa-framework/slsa-verifier#installation.
  2. Download the signature file attestation.intoto.jsonl from the GitHub releases page.
  3. Run the verifier:
slsa-verifier -artifact-path <the-zip> -provenance attestation.intoto.jsonl -source github.com/ossf/scorecard -tag <the-tag>
Using package managers
Package Manager Supported Distribution Command
Nix NixOS nix-shell -p nixpkgs.scorecard
AUR helper Arch Linux Use your AUR helper to install scorecard
Homebrew macOS or Linux brew install scorecard

Authentication

GitHub imposes api rate limits on unauthenticated requests. To avoid these limits, you must authenticate your requests before running Scorecard. There are two ways to authenticate your requests: either create a GitHub personal access token, or create a GitHub App Installation.

  • Create a classic GitHub personal access token. When creating the personal access token, we suggest you choose the public_repo scope. Set the token in an environment variable called GITHUB_AUTH_TOKEN, GITHUB_TOKEN, GH_AUTH_TOKEN or GH_TOKEN using the commands below according to your platform.
# For posix platforms, e.g. linux, mac:
export GITHUB_AUTH_TOKEN=<your access token>
# Multiple tokens can be provided separated by comma to be utilized
# in a round robin fashion.
export GITHUB_AUTH_TOKEN=<your access token1>,<your access token2>

# For windows:
set GITHUB_AUTH_TOKEN=<your access token>
set GITHUB_AUTH_TOKEN=<your access token1>,<your access token2>

OR

  • Create a GitHub App Installation for higher rate-limit quotas. If you have an installed GitHub App and key file, you can use the three environment variables below, following the commands (set or export) shown above for your platform.
GITHUB_APP_KEY_PATH=<path to the key file on disk>
GITHUB_APP_INSTALLATION_ID=<installation id>
GITHUB_APP_ID=<app id>

These variables can be obtained from the GitHub developer settings page.

Basic Usage

Using repository URL

Scorecard can run using just one argument, the URL of the target repo:

$ scorecard --repo=github.com/ossf-tests/scorecard-check-branch-protection-e2e
Starting [CII-Best-Practices]
Starting [Fuzzing]
Starting [Pinned-Dependencies]
Starting [CI-Tests]
Starting [Maintained]
Starting [Packaging]
Starting [SAST]
Starting [Dependency-Update-Tool]
Starting [Token-Permissions]
Starting [Security-Policy]
Starting [Signed-Releases]
Starting [Binary-Artifacts]
Starting [Branch-Protection]
Starting [Code-Review]
Starting [Contributors]
Starting [Vulnerabilities]
Finished [CI-Tests]
Finished [Maintained]
Finished [Packaging]
Finished [SAST]
Finished [Signed-Releases]
Finished [Binary-Artifacts]
Finished [Branch-Protection]
Finished [Code-Review]
Finished [Contributors]
Finished [Dependency-Update-Tool]
Finished [Token-Permissions]
Finished [Security-Policy]
Finished [Vulnerabilities]
Finished [CII-Best-Practices]
Finished [Fuzzing]
Finished [Pinned-Dependencies]

RESULTS
-------
Aggregate score: 7.9 / 10

Check scores:
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                         DOCUMENTATION/REMEDIATION                         |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo  | github.com/ossf/scorecard/blob/main/docs/checks.md#binary-artifacts       |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 9 / 10  | Branch-Protection      | branch protection is not       | github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection      |
|         |                        | maximal on development and all |                                                                           |
|         |                        | release branches               |                                                                           |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| ?       | CI-Tests               | no pull request found          | github.com/ossf/scorecard/blob/main/docs/checks.md#ci-tests               |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10  | CII-Best-Practices     | no badge found                 | github.com/ossf/scorecard/blob/main/docs/checks.md#cii-best-practices     |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 10 / 10 | Code-Review            | branch protection for default  | github.com/ossf/scorecard/blob/main/docs/checks.md#code-review            |
|         |                        | branch is enabled              |                                                                           |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10  | Contributors           | 0 different companies found -- | github.com/ossf/scorecard/blob/main/docs/checks.md#contributors           |
|         |                        | score normalized to 0          |                                                                           |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10  | Dependency-Update-Tool | no update tool detected        | github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10  | Fuzzing                | project is not fuzzed in       | github.com/ossf/scorecard/blob/main/docs/checks.md#fuzzing                |
|         |                        | OSS-Fuzz                       |                                                                           |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 1 / 10  | Maintained             | 2 commit(s) found in the last  | github.com/ossf/scorecard/blob/main/docs/checks.md#maintained             |
|         |                        | 90 days -- score normalized to |                                                                           |
|         |                        | 1                              |                                                                           |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| ?       | Packaging              | no published package detected  | github.com/ossf/scorecard/blob/main/docs/checks.md#packaging              |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 8 / 10  | Pinned-Dependencies    | unpinned dependencies detected | github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies    |
|         |                        | -- score normalized to 8       |                                                                           |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10  | SAST                   | no SAST tool detected          | github.com/ossf/scorecard/blob/main/docs/checks.md#sast                   |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 0 / 10  | Security-Policy        | security policy file not       | github.com/ossf/scorecard/blob/main/docs/checks.md#security-policy        |
|         |                        | detected                       |                                                                           |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| ?       | Signed-Releases        | no releases found              | github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases        |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 10 / 10 | Token-Permissions      | tokens are read-only in GitHub | github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions      |
|         |                        | workflows                      |                                                                           |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities        | no vulnerabilities detected    | github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities        |
|---------|------------------------|--------------------------------|---------------------------------------------------------------------------|
Docker

The GITHUB_AUTH_TOKEN has to be set to a valid token

docker run -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/ossf/scorecard

To use a specific scorecard version (e.g., v3.2.1), run:

docker run -e GITHUB_AUTH_TOKEN=token gcr.io/openssf/scorecard:v3.2.1 --show-details --repo=https://github.com/ossf/scorecard
Showing Detailed Results

For more details about why a check fails, use the --show-details option:

./scorecard --repo=github.com/ossf-tests/scorecard-check-branch-protection-e2e --checks Branch-Protection --show-details
Starting [Pinned-Dependencies]
Finished [Pinned-Dependencies]

RESULTS
-------
|---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |            DETAILS             |                         DOCUMENTATION/REMEDIATION                         |
|---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|
| 9 / 10  | Branch-Protection      | branch protection is not       | Info: 'force pushes' disabled  | github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection      |
|         |                        | maximal on development and all | on branch 'main' Info: 'allow  |                                                                           |
|         |                        | release branches               | deletion' disabled on branch   |                                                                           |
|         |                        |                                | 'main' Info: linear history    |                                                                           |
|         |                        |                                | enabled on branch 'main' Info: |                                                                           |
|         |                        |                                | strict status check enabled    |                                                                           |
|         |                        |                                | on branch 'main' Warn: status  |                                                                           |
|         |                        |                                | checks for merging have no     |                                                                           |
|         |                        |                                | specific status to check on    |                                                                           |
|         |                        |                                | branch 'main' Info: number     |                                                                           |
|         |                        |                                | of required reviewers is 2     |                                                                           |
|         |                        |                                | on branch 'main' Info: Stale   |                                                                           |
|         |                        |                                | review dismissal enabled on    |                                                                           |
|         |                        |                                | branch 'main' Info: Owner      |                                                                           |
|         |                        |                                | review required on branch      |                                                                           |
|         |                        |                                | 'main' Info: 'admininistrator' |                                                                           |
|         |                        |                                | PRs need reviews before being  |                                                                           |
|         |                        |                                | merged on branch 'main'        |                                                                           |
|---------|------------------------|--------------------------------|--------------------------------|---------------------------------------------------------------------------|
Using GitHub Enterprise Server (GHES) based Repository

To use a GitHub Enterprise host github.corp.com, use the GH_HOST environment variable.

# Set the GitHub Enterprise host without https prefix or slash with relevant authentication token
export GH_HOST=github.corp.com
export GITHUB_AUTH_TOKEN=token

scorecard --repo=github.corp.com/org/repo
# OR without github host url
scorecard --repo=org/repo
Using a Package manager

For projects in the --npm, --pypi, --rubygems, or --nuget ecosystems, you have the option to run Scorecard using a package manager. Provide the package name to run the checks on the corresponding GitHub source code.

For example, --npm=angular.

Running specific checks

To run only specific check(s), add the --checks argument with a list of check names.

For example, --checks=CI-Tests,Code-Review.

Formatting Results

The currently supported formats are default (text) and json.

These may be specified with the --format flag. For example, --format=json.

Checks

Scorecard Checks

The following checks are all run against the target project by default:

Name Description Risk Level Token Required GitLab Support Note
Binary-Artifacts Is the project free of checked-in binaries? High PAT, GITHUB_TOKEN Supported
Branch-Protection Does the project use Branch Protection ? High PAT (repo or repo> public_repo), GITHUB_TOKEN Supported (see notes) certain settings are only supported with a maintainer PAT
CI-Tests Does the project run tests in CI, e.g. GitHub Actions, Prow? Low PAT, GITHUB_TOKEN Supported
CII-Best-Practices Has the project earned an OpenSSF (formerly CII) Best Practices Badge at the passing, silver, or gold level? Low PAT, GITHUB_TOKEN Validating
Code-Review Does the project practice code review before code is merged? High PAT, GITHUB_TOKEN Validating
Contributors Does the project have contributors from at least two different organizations? Low PAT, GITHUB_TOKEN Validating
Dangerous-Workflow Does the project avoid dangerous coding patterns in GitHub Action workflows? Critical PAT, GITHUB_TOKEN Unsupported
Dependency-Update-Tool Does the project use tools to help update its dependencies? High PAT, GITHUB_TOKEN Unsupported
Fuzzing Does the project use fuzzing tools, e.g. OSS-Fuzz, QuickCheck or fast-check? Medium PAT, GITHUB_TOKEN Validating
License Does the project declare a license? Low PAT, GITHUB_TOKEN Validating
Maintained Is the project at least 90 days old, and maintained? High PAT, GITHUB_TOKEN Validating
Pinned-Dependencies Does the project declare and pin dependencies? Medium PAT, GITHUB_TOKEN Validating
Packaging Does the project build and publish official packages from CI/CD, e.g. GitHub Publishing ? Medium PAT, GITHUB_TOKEN Validating
SAST Does the project use static code analysis tools, e.g. CodeQL, LGTM (deprecated), SonarCloud? Medium PAT, GITHUB_TOKEN Unsupported
Security-Policy Does the project contain a security policy? Medium PAT, GITHUB_TOKEN Validating
Signed-Releases Does the project cryptographically sign releases? High PAT, GITHUB_TOKEN Validating
Token-Permissions Does the project declare GitHub workflow tokens as read only? High PAT, GITHUB_TOKEN Unsupported
Vulnerabilities Does the project have unfixed vulnerabilities? Uses the OSV service. High PAT, GITHUB_TOKEN Validating
Webhooks Does the webhook defined in the repository have a token configured to authenticate the origins of requests? Critical maintainer PAT (admin: repo_hook or admin> read:repo_hook doc EXPERIMENTAL

Detailed Checks Documentation

To see detailed information about each check, its scoring criteria, and remediation steps, check out the checks documentation page.

Other Important Recommendations

Two-factor Authentication (2FA)

Two-factor Authentication (2FA) adds an extra layer of security when logging into websites or apps. 2FA protects your account if your password is compromised by requiring a second form of authentication, such as codes sent via SMS or authentication app, or touching a physical security key.

We strongly recommend that you enable 2FA on GitHub and any important account where it is available. 2FA is not a Scorecard check because GitHub does not make that data about user accounts public. Arguably, this data should always remain private, since accounts without 2FA are so vulnerable to attack.

Though it is not an official check, we urge all project maintainers to enable 2FA to protect their projects from compromise.

Enabling 2FA

For users

Follow the steps described at Configuring two-factor authentication

If possible, use either:

  • physical security key (preferred), such as Titan or Yubikey
  • recovery codes, stored in an access protected and encrypted vault

As a last option, use SMS. Beware: 2FA using SMS is vulnerable to SIM swap attack.

For an organization
  1. Prepare to require 2FA in your organization
  2. Require 2FA in your organization

Scoring

Aggregate Score

Each individual check returns a score of 0 to 10, with 10 representing the best possible score. Scorecard also produces an aggregate score, which is a weight-based average of the individual checks weighted by risk.

  • β€œCritical” risk checks are weighted at 10
  • β€œHigh” risk checks are weighted at 7.5
  • β€œMedium” risk checks are weighted at 5
  • β€œLow” risk checks are weighted at 2.5

See the list of current Scorecard checks for each check's risk level.

Contribute

Report Problems

If you have what looks like a bug, please use the Github issue tracking system. Before you file an issue, please search existing issues to see if your issue is already covered.

Contribute to Scorecard

Before contributing, please follow our Code of Conduct.

See the Contributing documentation for guidance on how to contribute to the project.

Adding a Scorecard Check

If you'd like to add a check, please see guidance here.

Connect with the Scorecard Community

If you want to get involved in the Scorecard community or have ideas you'd like to chat about, we discuss this project in the OSSF Best Practices Working Group meetings.

Artifact Link
Scorecard Dev Forum ossf-scorecard-dev@
Scorecard Announcements Forum ossf-scorecard-announce@
Community Meeting VC Link to z o o m meeting
Community Meeting Calendar Biweekly Thursdays, 1:00pm-2:00pm PST
Calendar
Meeting Notes Notes
Slack Channel #security_scorecards

Maintainers are listed in the CODEOWNERS file.

Report a Security Issue

To report a security issue, please follow instructions here.

Join the Scorecards Project Meeting

Zoom

We meet every other Thursday - 4p ET on this zoom link.

Agenda

You can see the agenda and meeting notes here.

Stargazers over time

Stargazers over time

FAQ

FAQ

See the FAQ for answers to Frequently Asked Questions about Scorecard.

More Repositories

1

criticality_score

Gives criticality score for an open source project
Go
1,307
star
2

allstar

GitHub App to set and enforce security policies
Go
1,232
star
3

package-analysis

Open Source Package Analysis
Go
718
star
4

wg-best-practices-os-developers

The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.
JavaScript
689
star
5

fuzz-introspector

Fuzz Introspector -- introspect, extend and optimise fuzzers
Python
359
star
6

wg-securing-critical-projects

Helping allocate resources to secure the critical open source projects we all depend on.
318
star
7

wg-security-tooling

OpenSSF Security Tooling Working Group
295
star
8

scorecard-action

Official GitHub Action for OpenSSF Scorecard.
Go
244
star
9

malicious-packages

A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.
Go
229
star
10

wg-metrics-and-metadata

The purpose of the Metrics & Metadata (formerly Identifying Security Threats) working group is to enable stakeholders to have informed confidence in the security of open source projects. We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.
222
star
11

wg-vulnerability-disclosures

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.
177
star
12

wg-supply-chain-integrity

Our objective is to enable open source maintainers, contributors and end-users to understand and make decisions on the provenance of the code they maintain, produce and use.
176
star
13

s2c2f

The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow.
173
star
14

osv-schema

Open Source Vulnerability schema.
Python
173
star
15

secure-sw-dev-fundamentals

Secure Software Development Fundamentals courses (from the OpenSSF Best Practices WG)
CSS
168
star
16

package-manager-best-practices

Collection of security best practices for package managers.
157
star
17

census

πŸ“œAutomated review of open source software projects
HTML
116
star
18

tac

Technical Advisory Council
106
star
19

security-reviews

A community collection of security reviews of open source software components.
Python
91
star
20

wg-securing-software-repos

OpenSSF Working Group on Securing Software Repositories
84
star
21

alpha-omega

Our mission is to catalyze sustainable improvements to critical open source software projects and ecosystems.
Open Policy Agent
77
star
22

package-feeds

Feed parsing for language package manager updates
Go
72
star
23

sbom-everywhere

Improve Software Bill of Materials (SBOM) tooling and training to encourage adoption
Vue
70
star
24

foundation

OpenSSF Governance and Legal Docs
68
star
25

Project-Security-Metrics

Collect, curate, and communicate relevant security metrics for open source projects.
Python
63
star
26

great-mfa-project

The Great Multi-Factor Authentication (MFA) Distribution Project of the Open Source Security Foundation (OpenSSF). We work to distribute hardware MFA tokens to critical open source software (OSS) projects.
52
star
27

security-insights-spec

OPENSSF SECURITY INSIGHTS: Repository for development of the draft standard, where requests for modification should be made via Github Issues.
48
star
28

ai-ml-security

Potential WG on Artificial Intelligence and Machine Learning (AI/ML)
43
star
29

scorecard-monitor

Simplify OpenSSF Scorecard tracking in your organization with automated markdown and JSON reports, plus optional GitHub issue alerts
JavaScript
31
star
30

wg-endusers

OpenSSF Endusers Working Group
28
star
31

ossf-landscape

26
star
32

scorecard-webapp

Website and API for OpenSSF Scorecard
HTML
21
star
33

DevRel-community

Evangelizing the mission and work of the OpenSSF and building strong community outreach around end-users, open-source maintainers, and contributors.
18
star
34

toolbelt

17
star
35

education

OpenSSF Education SIG
16
star
36

project-template

OpenSSF Project Template
16
star
37

Memory-Safety

15
star
38

omega-triage-portal

Python
13
star
39

scorecard-visualizer

Tool for visualizing the Open SSF Scorecard Api data in a human friendly way
TypeScript
12
star
40

Diagrammers-Society

OpenSSF Diagrammers Society
10
star
41

OpenVEX

Vuln Disclosure WG's new SIG
9
star
42

SIRT

The OSS-SIRT SIG (Open Source Software Security Incident Response Team Special Interest Group) is a group working within the OSSF's Vulnerability Disclosure Working Group that is focused on creating secure vulnerability management capabilities within the open source ecosystem to ensure effective coordinated vulnerability disclosure practices (CVD)
9
star
43

community

7
star
44

artwork

OpenSSF Artwork
7
star
45

gb-planning-committee

The Governing Board Planning Committee guides OpenSSF vision and planning including mission, roadmap, milestones and key metrics for success of the overall organization.
6
star
46

oss-researcher-vulnerability-guide

5
star
47

oss-compromises

Archive of various open source security compromises
5
star
48

github-org-access-scraper

GitHub lacks an API for listing an org's repos' access for non-team-based individuals, so, scrape it.
5
star
49

vulnerability-disclosures-whitepaper

4
star
50

S2C2F-attestation-schema-and-tool

Secure Supply Chain Consumption Framework (S2C2F) OSCAL Catalog and tool
Python
4
star
51

Governance-Committee

Governance Committee
3
star
52

disclosure-check

disclosure-check
Python
3
star
53

wg-dei

The Diversity, Equity, and Inclusion Working Group was formed in December 2023 to help increase representation and strengthen the overall effectiveness of the cybersecurity workforce.
3
star
54

si-tooling

Python
3
star
55

security-metrics-dashboard

3
star
56

homebrew-tap

2
star
57

open-auto-vuln-disclose

open-auto-vuln-disclose
Python
2
star
58

omega-moderne-client

Python
2
star
59

outreach

A place to connect about event and conference engagements
1
star
60

action-web-defn-check

GitHub action for checking a Web Application Definition file
1
star
61

.github

Github configuration
1
star
62

oss-analysis-census2-prototype

Prototype of Census 2 of open source software (NOT MAINTAINED)
Python
1
star
63

scorecard-dependencyanalysis

Scorecard action for checking when new dependencies are added to the repository.
Go
1
star