Skip to main content

Projects are OpenSSF Technical Initiatives that support the innovative delivery of security tooling and best practices to secure critical open source software.

Allstar

Allstar is a GitHub App that continuously monitors GitHub organizations or repositories for adherence to security best practices.

Learn More

Best Practices Badge

The Open Source Security Foundation (OpenSSF) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices.

Learn More

Criticality Score

The Criticality Score gives criticality score for an open source project.

Learn More

Fuzz introspector

Fuzz introspector is a tool to help fuzzer developers to get an understanding of their fuzzer’s performance and identify any potential blockers.

Learn More

gittuf

gittuf provides a security layer for Git using some concepts introduced by The Update Framework (TUF).

Learn More

GUAC

GUAC gives you directed, actionable insights into the security of your software supply chain.

Learn More

OpenSSF Scorecard

OpenSSF Scorecard assesses open source projects for security risks through a series of automated checks It was created by OSS developers to help improve the health of critical projects that the community depends on. You can use it to proactively assess and make informed decisions about accepting security risks within…

Learn More

OpenVEX

OpenVEX is an implementation of the Vulnerability Exploitability Exchange (VEX for short) that is designed to be minimal, compliant, interoperable, and embeddable.

Learn More

OSV Schema

Open Source Vulnerability schema (OSV Schema)

Learn More

Package Analysis

The Package Analysis project analyses the capabilities of packages available on open source repositories.

Learn More

Package Feeds

The Package Feeds is a feed parsing for language package manager updates. 

Learn More

Protobom

Protobom is a protocol buffers representation of SBOM data able to ingest documents in modern SPDX and CycloneDX versions without loss.

Learn More

Repository Service for TUF

Repository Service for TUF (RSTUF) is a collection of components that provide services for securing content downloads from tampering between the repository and the client (for example, by an on-path attacker).

Learn More

S2C2F

The S2C2F SIG was formed to further develop and continuously improve the S2C2F guide

Learn More

SBOMit

The SBOMit specification is a SBOM format independent method for attesting components with additional verification information.

Learn More

Security Insights Spec

This specification provides a mechanism for projects to report information about their security in a machine-processable way.

Learn More

Security Metrics

The purpose of Security Metrics is to collect, organize, and provide interesting security metrics for open source projects to stakeholders, including users.

Learn More

sigstore

sigstore is a standard for signing, verifying, and protecting software.

Learn More

SLSA

SLSA is a specification for describing and incrementally improving supply chain security, established by industry consensus. It is organized into a series of levels that describe increasing security guarantees.

Learn More