Open source toolsets for open source community governance evaluation and certification. We want to build a framework, checklists, a knowledge base and automated toolsets for open source community governance.
Inspired by the following projects and programs:
1. Core Infrastructure Initiative (CII) Best Practices Badge Program
- Intro: The Core Infrastructure Initiative (CII) Best Practices Program is a free program designed with the open source community, with criteria that evolve to allow for compensating controls rather than a strict mechanical process.
- Link: https://www.coreinfrastructure.org/programs/best-practices-program/
2. Security Scorecards: Security health metrics for open source
- Intro: Scorecards is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.
- Link: https://github.com/ossf/scorecard
3. SLSA: Supply chain Levels for Software Artifacts
- Intro: It’s a security framework, a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises. It’s how you get from "safe enough" to being as resilient as possible, at any link in the chain.
- Link: https://slsa.dev/
4. CHAOSS: Community Health Analytics Open Source Software
- Intro: In CHAOSS, we help people better understand the health of the open source communities that they care about. As open source is now a critical part in nearly everything we do, understanding the health of open source communities is really important.
- Link: https://chaoss.community/