Projects are OpenSSF Technical Initiatives that support the innovative delivery of security tooling and best practices to secure critical open source software.

Allstar

Allstar is a GitHub App that continuously monitors GitHub organizations or repositories for adherence to security best practices.

Best Practices Badge

The Open Source Security Foundation (OpenSSF) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices.

Criticality Score

Criticality Score computes a criticality score for an open source project, a numeric estimate of how important the project is to the wider ecosystem (and therefore how much a compromise of it would matter).

Fuzz introspector

Fuzz introspector is a tool that helps fuzzer developers understand their fuzzer's performance and identify potential blockers that prevent coverage from growing.

gittuf

gittuf provides a security layer for Git using some concepts introduced by The Update Framework (TUF).

GUAC

GUAC gives you directed, actionable insights into the security of your software supply chain.

OpenVEX

OpenVEX is an implementation of the Vulnerability Exploitability Exchange (VEX for short) that is designed to be minimal, compliant, interoperable, and embeddable.

OSV Schema

The Open Source Vulnerability schema (OSV Schema) is a machine-readable JSON format for describing vulnerabilities in open source packages, including the affected package, ecosystem and version ranges.

Package Analysis

The Package Analysis project analyses the capabilities of packages available on open source repositories.

Package Feeds

Package Feeds parses the update feeds of language package managers into a common format, so that newly published package versions can be picked up and analysed as they appear.

Protobom

Protobom is a protocol buffers representation of SBOM data able to ingest documents in modern SPDX and CycloneDX versions without loss.

Repository Service for TUF

Repository Service for TUF (RSTUF) is a collection of components that provide services for securing content downloads from tampering between the repository and the client (for example, by an on-path attacker).

S2C2F

The S2C2F SIG was formed to further develop and continuously improve the Secure Supply Chain Consumption Framework (S2C2F) guide.

SBOMit

The SBOMit specification is an SBOM-format-independent method for attesting components with additional verification information.

Scorecard

Scorecard assesses open source projects for security risks through a series of automated checks. It was created by OSS developers to help improve the health of critical projects that the community depends on. You can use it to proactively assess and make informed decisions about accepting security risks within your…

Security Insights Spec

This specification provides a mechanism for projects to report information about their security in a machine-processable way.

Security Metrics

The purpose of Security Metrics is to collect, organize, and provide interesting security metrics for open source projects to stakeholders, including users.

sigstore

sigstore is a standard for signing, verifying, and protecting software.

SLSA

SLSA is a specification for describing and incrementally improving supply chain security, established by industry consensus. It is organized into a series of levels that describe increasing security guarantees.