Case Study: How LFX Insights and OSPS Baseline Validated GUAC’s Security in Under an Hour

August 14, 2025 | Blog, Case Studies

At a Glance

Tools: GUAC, OSPS Baseline, LFX Insights
Challenge: Demonstrating strong security posture quickly and credibly to stakeholders
Solution: Leveraging Linux Foundation Insights (LFX Insights) and the Open Source Security Foundation (OpenSSF) Open Source Project Security Baseline (OSPS Baseline) for instant, standards-aligned validation
Result: Saved significant time in verifying security practices, completing an independent standards-based assessment in under 60 minutes

The Challenge

Even for highly secure open source projects, proving security readiness can be a slow and repetitive process. GUAC (Graph for Understanding Artifact Composition) already stood out as a leader in secure software development, tracing and visualizing software supply chain metadata to give a clear picture of dependencies and security status. Validating its readiness to partners, prospective adopters, and the open source community still required multiple conversations, repeated evidence gathering, and one-off assessments.

For OSPO leads and technical executives, this created friction. Maintainers needed a fast, trusted way to show compliance. OSPOs wanted to reduce the repetitive proof burden. C-suite leaders looked for clear, standards-aligned confirmation to reduce procurement delays.

The Solution

OpenSSF General Member Kusari used LFX Insights integrated with the OpenSSF OSPS Baseline to run a rapid, automated assessment of GUAC’s security posture. The Baseline’s standardized, machine-readable security controls mapped to major frameworks like NIST SSDF and the EU Cyber Resilience Act (CRA). In less than an hour, evidence of strong security practices was compiled automatically, results were presented in a clear visual format, and findings were instantly aligned to the needs of auditors, OSPO leads, and procurement teams.

The Results

Within an hour, GUAC’s strong security posture was validated through OSPS Baseline criteria inside LFX Insights, giving Kusari independent and credible confirmation of what they already knew: GUAC is secure.

Mike Lieberman, Co-founder & CTO, Kusari, shared, “We have always been confident in GUAC’s security, but using the OSPS Baseline in LFX Insights gave us independent validation in minutes. It is a game-changer for communicating trust to our downstream consumers and external contributors.”

Eddie Knight, OSPO Technical Program Manager, Sonatype, emphasized the broader impact, saying, “For a project with trained security professionals like GUAC, the big win is that this takes what the maintainers already know about their security and makes it immediately visible in a credible, standards-aligned way. That visibility speeds up adoption and builds confidence from GUAC end users.”

Ben Cotton, Open Source Community Lead, Kusari, added, “From a maintainer’s perspective, having something like Baseline validation means fewer hoops to jump through when someone asks, ‘Is your project secure?’ It saves time and keeps the focus on building instead of re-explaining and demonstrating proof over and over.”

“Having a fast, repeatable way to validate a project’s security posture removes a lot of the overhead in collaboration. It lets teams focus on building and improving software, knowing they can demonstrate their security alignment at any time.” – Mihai Maruseac, Staff Software Engineer, Google

For Kusari, there weren’t any gaps to uncover or address, but gaining a trusted stamp of approval makes their strong security posture visible to technical peers, OSPO leads, and executive decision-makers. The result was faster trust, reduced workload, and a smoother path for adoption.

Why It Matters

This pilot of Baseline verification shows that even projects already practicing strong security can gain value. The combination of LFX Insights and the OSPS Baseline simplifies compliance proof, increases trust in open source projects, and frees maintainers to focus on innovation rather than repetitive reporting. For the broader open source ecosystem, it is a blueprint for easier, faster, and more credible security assurance.

Join Us

  • Learn more about OSPS Baseline
  • The ORBIT Working Group focuses on the OSPS Baseline catalog and the supporting tools and automation used to implement and assess projects against international best practices. Join the ORBIT Working Group to influence best practices and tools
  • Explore GUAC and see the validated results for yourself
  • Share your story of OSPS Baseline adoption: email us at marketing@openssf.org