Repositories list

• malicious-packages

  Public
  A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.

  Go

  •

  Apache License 2.0

  •41•313•12•8•Updated Jun 18, 2025Jun 18, 2025

• security-insights-spec

  Public
  Machine-readable specification for the attestation of security-relevant data.

  CUE

  •

  Other

  •14•59•11•1•Updated Jun 18, 2025Jun 18, 2025

• fuzz-introspector

  Public
  Fuzz Introspector -- introspect, extend and optimise fuzzers

  testingsecurityfuzz-testing+ 3vulnerability-analysissecurity-researchfuzzing

  Python

  •

  Apache License 2.0

  •73•418•102•1•Updated Jun 18, 2025Jun 18, 2025

• scorecard-action

  Public
  Official GitHub Action for OpenSSF Scorecard.

  githubsecuritysupply-chain+ 2github-actionsopenssf-scorecard

  Go

  •

  Apache License 2.0

  •74•308•26•4•Updated Jun 17, 2025Jun 17, 2025

• scorecard

  Public
  OpenSSF Scorecard - Security health metrics for Open Source

  scorecardopenssf-scorecard

  Go

  •

  Apache License 2.0

  •546•4.9k•358•6•Updated Jun 17, 2025Jun 17, 2025

• wg-best-practices-os-developers

  Public
  The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.

  JavaScript

  •

  Apache License 2.0

  •164•884•65•9•Updated Jun 17, 2025Jun 17, 2025

• ossf-landscape

  Public
  Apache License 2.0

  •27•29•0•0•Updated Jun 17, 2025Jun 17, 2025

• model-signing-spec

  Public
  Model Signing Specification

  Apache License 2.0

  •0•0•0•0•Updated Jun 16, 2025Jun 16, 2025

• security-baseline

  Public
  Go

  •

  Apache License 2.0

  •26•88•34•3•Updated Jun 16, 2025Jun 16, 2025

• tac

  Public
  Technical Advisory Council

  Other

  •67•125•26•7•Updated Jun 16, 2025Jun 16, 2025

• glossary

  Public
  A reference for common terms when talking about OpenSSF and open source software security.

  JavaScript

  •

  Apache License 2.0

  •3•3•2•3•Updated Jun 16, 2025Jun 16, 2025

• secure-sw-dev-fundamentals

  Public
  Secure Software Development Fundamentals courses (from the OpenSSF Best Practices WG)

  CSS

  •

  Creative Commons Attribution 4.0 International

  •52•197•34•2•Updated Jun 14, 2025Jun 14, 2025

• sbom-everywhere

  Public
  Improve Software Bill of Materials (SBOM) tooling and training to encourage adoption

  Vue

  •

  Apache License 2.0

  •35•93•22•5•Updated Jun 13, 2025Jun 13, 2025

• scorecard-visualizer

  Public
  Tool for visualizing the Open SSF Scorecard Api data in a human friendly way

  openssfopenssf-scorecard

  TypeScript

  •

  Apache License 2.0

  •5•16•1•9•Updated Jun 12, 2025Jun 12, 2025

• wg-globalcyberpolicy

  Public
  Global Cyber Policy Working Group

  Apache License 2.0

  •9•67•10•1•Updated Jun 11, 2025Jun 11, 2025

• alpha-omega

  Public
  Our mission is to catalyze sustainable improvements to critical open source software projects and ecosystems.

  securityopensourceopen-source-security

  Open Policy Agent

  •

  Apache License 2.0

  •58•105•52•1•Updated Jun 11, 2025Jun 11, 2025

• toolbelt

  Public
  Apache License 2.0

  •5•20•0•0•Updated Jun 10, 2025Jun 10, 2025

• si-tooling

  Public
  Python

  •

  Apache License 2.0

  •3•5•1•1•Updated Jun 10, 2025Jun 10, 2025

• artwork

  Public
  OpenSSF Artwork

  Apache License 2.0

  •9•9•0•0•Updated Jun 9, 2025Jun 9, 2025

• scorecard-webapp

  Public
  Website and API for OpenSSF Scorecard

  openssf-scorecard

  HTML

  •

  Apache License 2.0

  •28•24•34•11•Updated Jun 9, 2025Jun 9, 2025

• allstar

  Public
  GitHub App to set and enforce security policies

  Go

  •

  Apache License 2.0

  •125•1.3k•72•4•Updated Jun 9, 2025Jun 9, 2025

• wg-orbit

  Public
  ORBIT: Open Resources for Baselines, Interoperability, and Tooling

  Apache License 2.0

  •4•13•5•1•Updated Jun 7, 2025Jun 7, 2025

• education

  Public
  OpenSSF Education SIG

  Apache License 2.0

  •15•17•3•0•Updated May 28, 2025May 28, 2025

• SIRT

  Public
  The OSS-SIRT SIG (Open Source Software Security Incident Response Team Special Interest Group) is a group working within the OSSF's Vulnerability Disclosure Working Group that is focused on creating secure vulnerability management capabilities within the open source ecosystem to ensure effective coordinated vulnerability disclosure practices (CVD)

  Apache License 2.0

  •6•9•2•0•Updated May 27, 2025May 27, 2025

• wg-securing-software-repos

  Public
  OpenSSF Working Group on Securing Software Repositories

  Other

  •21•107•24•3•Updated May 27, 2025May 27, 2025

• osv-schema

  Public
  Open Source Vulnerability schema.

  Go

  •

  Apache License 2.0

  •95•202•29•11•Updated May 27, 2025May 27, 2025

• s2c2f

  Public
  The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow.

  Other

  •27•208•6•0•Updated May 26, 2025May 26, 2025

• reliable-software-decomposition

  Public
  Reliable Software Decomposition SIG

  Apache License 2.0

  •0•0•0•0•Updated May 20, 2025May 20, 2025

• scorecard-monitor

  Public
  Simplify OpenSSF Scorecard tracking in your organization with automated markdown and JSON reports, plus optional GitHub issue alerts

  securitysecurity-auditsecurity-tools+ 3github-actionsopen-source-managementopenssf-scorecard

  JavaScript

  •

  Apache License 2.0

  •14•35•13•6•Updated May 15, 2025May 15, 2025

• wg-securing-critical-projects

  Public
  Helping allocate resources to secure the critical open source projects we all depend on.

  Apache License 2.0

  •42•355•22•0•Updated May 8, 2025May 8, 2025