Projects are OpenSSF Technical Initiatives that support the innovative delivery of security tooling and best practices to secure critical open source software.
Allstar
Allstar is a GitHub App that continuously monitors GitHub organizations or repositories for adherence to security best practices.
Best Practices Badge
The Open Source Security Foundation (OpenSSF) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices.
Criticality Score
The Criticality Score gives a criticality score for an open source project.
Fuzz Introspector
Fuzz introspector is a tool to help fuzzer developers to get an understanding of their fuzzer’s performance and identify any potential blockers.
gittuf
gittuf provides a security layer for Git using some concepts introduced by The Update Framework (TUF).
GUAC
GUAC gives you directed, actionable insights into the security of your software supply chain.
OpenVEX
OpenVEX is an implementation of the Vulnerability Exploitability Exchange (VEX for short) that is designed to be minimal, compliant, interoperable, and embeddable.
Package Analysis
The Package Analysis project analyses the capabilities of packages available on open source repositories.
Protobom
Protobom is a protocol buffers representation of SBOM data able to ingest documents in modern SPDX and CycloneDX versions without loss.
Repository Service for TUF
Repository Service for TUF (RSTUF) is a collection of components that provide services for securing content downloads from tampering between the repository and the client (for example, by an on-path attacker).
SBOMit
The SBOMit specification is an SBOM-format-independent method for attesting components with additional verification information.
Scorecard
Scorecard assesses open source projects for security risks through a series of automated checks. It was created by OSS developers to help improve the health of critical projects that the community depends on. You can use it to proactively assess and make informed decisions about accepting security risks within your…
Security Insights Spec
This specification provides a mechanism for projects to report information about their security in a machine-processable way.
Security Metrics
The purpose of Security Metrics is to collect, organize, and provide interesting security metrics for open source projects to stakeholders, including users.
SLSA
SLSA is a specification for describing and incrementally improving supply chain security, established by industry consensus. It is organized into a series of levels that describe increasing security guarantees.