Repositories list

• malicious-packages

  Public
  A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.

  Go

  •

  Apache License 2.0

  •34•297•10•8•Updated Mar 31, 2025Mar 31, 2025

• allstar

  Public
  GitHub App to set and enforce security policies

  Go

  •

  Apache License 2.0

  •127•1.3k•70•2•Updated Mar 31, 2025Mar 31, 2025

• tac

  Public
  Technical Advisory Council

  Other

  •64•118•19•15•Updated Mar 31, 2025Mar 31, 2025

• scorecard

  Public
  OpenSSF Scorecard - Security health metrics for Open Source

  scorecardopenssf-scorecard

  Go

  •

  Apache License 2.0

  •524•4.8k•349•10•Updated Mar 31, 2025Mar 31, 2025

• scorecard-visualizer

  Public
  Tool for visualizing the Open SSF Scorecard Api data in a human friendly way

  openssfopenssf-scorecard

  TypeScript

  •

  Apache License 2.0

  •5•15•1•11•Updated Mar 31, 2025Mar 31, 2025

• osv-schema

  Public
  Open Source Vulnerability schema.

  Python

  •

  Apache License 2.0

  •93•196•28•10•Updated Mar 31, 2025Mar 31, 2025

• criticality_score

  Public
  Gives criticality score for an open source project

  Go

  •

  Apache License 2.0

  •120•1.4k•42•37•Updated Mar 31, 2025Mar 31, 2025

• ossf-landscape

  Public
  Apache License 2.0

  •27•28•0•0•Updated Mar 30, 2025Mar 30, 2025

• security-insights-spec

  Public
  Machine-readable specification for the attestation of security-relevant data.

  CUE

  •

  Other

  •12•57•6•1•Updated Mar 30, 2025Mar 30, 2025

• security-assessments

  Public
  Apache License 2.0

  •0•0•0•0•Updated Mar 29, 2025Mar 29, 2025

• wg-best-practices-os-developers

  Public
  The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.

  JavaScript

  •

  Apache License 2.0

  •154•842•60•8•Updated Mar 28, 2025Mar 28, 2025

• scorecard-webapp

  Public
  Website and API for OpenSSF Scorecard

  openssf-scorecard

  HTML

  •

  Apache License 2.0

  •27•23•32•7•Updated Mar 28, 2025Mar 28, 2025

• Memory-Safety

  Public
  Apache License 2.0

  •13•23•6•0•Updated Mar 28, 2025Mar 28, 2025

• si-tooling

  Public
  Python

  •

  Apache License 2.0

  •3•3•0•3•Updated Mar 28, 2025Mar 28, 2025

• scorecard-action

  Public
  Official GitHub Action for OpenSSF Scorecard.

  githubsecuritysupply-chain+ 2github-actionsopenssf-scorecard

  Go

  •

  Apache License 2.0

  •73•289•26•1•Updated Mar 27, 2025Mar 27, 2025

• sbom-everywhere

  Public
  Improve Software Bill of Materials (SBOM) tooling and training to encourage adoption

  Vue

  •

  Apache License 2.0

  •30•86•27•4•Updated Mar 25, 2025Mar 25, 2025

• alpha-omega

  Public
  Our mission is to catalyze sustainable improvements to critical open source software projects and ecosystems.

  securityopensourceopen-source-security

  Open Policy Agent

  •

  Apache License 2.0

  •54•93•52•4•Updated Mar 24, 2025Mar 24, 2025

• fuzz-introspector

  Public
  Fuzz Introspector -- introspect, extend and optimise fuzzers

  testingsecurityfuzz-testing+ 3vulnerability-analysissecurity-researchfuzzing

  Python

  •

  Apache License 2.0

  •66•408•98•3•Updated Mar 24, 2025Mar 24, 2025

• glossary

  Public
  JavaScript

  •

  Apache License 2.0

  •1•1•0•7•Updated Mar 21, 2025Mar 21, 2025

• security-baseline

  Public
  Go

  •

  Apache License 2.0

  •20•71•20•1•Updated Mar 20, 2025Mar 20, 2025

• wg-vulnerability-disclosures

  Public
  The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.

  Apache License 2.0

  •41•186•25•0•Updated Mar 19, 2025Mar 19, 2025

• secure-sw-dev-fundamentals

  Public
  Secure Software Development Fundamentals courses (from the OpenSSF Best Practices WG)

  CSS

  •

  Creative Commons Attribution 4.0 International

  •50•194•34•2•Updated Mar 13, 2025Mar 13, 2025

• package-analysis

  Public
  Open Source Package Analysis

  Go

  •

  Apache License 2.0

  •57•823•60•14•Updated Mar 13, 2025Mar 13, 2025

• wg-bear

  Public
  The BEAR (Belonging, Empowerment, Allyship, and Representation) WG, formerly DEI, was formed in December 2023 to enhance representation and cybersecurity workforce effectiveness.

  Apache License 2.0

  •2•6•5•2•Updated Mar 1, 2025Mar 1, 2025

• wg-globalcyberpolicy

  Public
  Global Cyber Policy Working Group

  Apache License 2.0

  •7•35•6•0•Updated Feb 28, 2025Feb 28, 2025

• scorecard-monitor

  Public
  Simplify OpenSSF Scorecard tracking in your organization with automated markdown and JSON reports, plus optional GitHub issue alerts

  securitysecurity-auditsecurity-tools+ 3github-actionsopen-source-managementopenssf-scorecard

  JavaScript

  •

  Apache License 2.0

  •14•33•13•6•Updated Feb 15, 2025Feb 15, 2025

• community

  Public
  Creative Commons Attribution 4.0 International

  •5•8•3•2•Updated Feb 5, 2025Feb 5, 2025

• s2c2f

  Public
  The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow.

  Other

  •26•204•6•0•Updated Jan 31, 2025Jan 31, 2025

• .github

  Public
  Github configuration

  4•1•0•1•Updated Jan 29, 2025Jan 29, 2025

• foundation

  Public
  OpenSSF Governance and Legal Docs

  Apache License 2.0

  •19•72•0•1•Updated Jan 21, 2025Jan 21, 2025