ossf (GitHub)

Repos

scorecard Go 5.3k stars

OpenSSF Scorecard - Security health metrics for Open Source

2938 merged PRs · avg 3 days · fastest 0m

scorecard-webapp Go 28 stars

Website and API for OpenSSF Scorecard

636 merged PRs · avg 5 days · fastest 0m

scorecard-action Go 360 stars

Official GitHub Action for OpenSSF Scorecard.

595 merged PRs · avg 3 days · fastest 0m

allstar Go 1.4k stars

GitHub App to set and enforce security policies

415 merged PRs · avg 8 days · fastest 0m

tac 135 stars

Technical Advisory Council

288 merged PRs · avg 17 days · fastest 0m

security-baseline Go 141 stars

274 merged PRs · avg 6 days · fastest 2m
malicious-packages Go 459 stars

A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.
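
Because the reports are published in OSV, a consumer only needs an OSV parser and a matcher to block flagged dependencies at install or build time. The following Go program is an added example, not code from ossf/malicious-packages: the two OSV records, their `MAL-0000-EXAMPLE-*` IDs, the package names and the lockfile excerpt are all constructed placeholders. It handles the two encodings malicious-package reports commonly use, an explicit `versions` list and an open-ended range that starts at `"introduced": "0"`, and deliberately refuses to guess at ranges with real version bounds, since those need ecosystem-specific version ordering.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// OSVRecord is the subset of the OSV schema a consumer needs to match a
// malicious-package report against a resolved dependency.
type OSVRecord struct {
	ID       string     `json:"id"`
	Summary  string     `json:"summary"`
	Affected []Affected `json:"affected"`
}

// Affected mirrors one entry of the OSV "affected" array.
type Affected struct {
	Package struct {
		Ecosystem string `json:"ecosystem"`
		Name      string `json:"name"`
	} `json:"package"`
	Versions []string `json:"versions"` // explicitly enumerated bad versions
	Ranges   []struct {
		Type   string `json:"type"`
		Events []struct {
			Introduced string `json:"introduced"`
			Fixed      string `json:"fixed"`
		} `json:"events"`
	} `json:"ranges"`
}

// Dependency is one resolved package from a lockfile or SBOM.
type Dependency struct {
	Ecosystem, Name, Version string
}

// sampleOSV is CONSTRUCTED input: the IDs and package names are placeholders,
// not real reports from ossf/malicious-packages.
const sampleOSV = `[
  {"id": "MAL-0000-EXAMPLE-1",
   "summary": "constructed: typosquat shipping a credential stealer",
   "affected": [{"package": {"ecosystem": "npm", "name": "example-typo-pkg"},
                 "versions": ["1.0.0", "1.0.1"]}]},
  {"id": "MAL-0000-EXAMPLE-2",
   "summary": "constructed: hijacked project, every version malicious",
   "affected": [{"package": {"ecosystem": "PyPI", "name": "example-hijacked-lib"},
                 "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]}]}
]`

// sampleDeps is a CONSTRUCTED lockfile excerpt for the demo.
var sampleDeps = []Dependency{
	{"npm", "example-typo-pkg", "1.0.1"},      // listed version: flagged
	{"npm", "example-typo-pkg", "0.9.0"},      // not listed: clean
	{"PyPI", "example-hijacked-lib", "2.3.1"}, // open-ended range: flagged
	{"PyPI", "requests", "2.31.0"},            // no report: clean
}

// parseRecords decodes a JSON array of OSV records.
func parseRecords(data []byte) ([]OSVRecord, error) {
	var recs []OSVRecord
	if err := json.Unmarshal(data, &recs); err != nil {
		return nil, fmt.Errorf("decode OSV: %w", err)
	}
	return recs, nil
}

// isAffected reports whether dep is covered by rec. An exact hit in "versions"
// matches; a range whose events open at "0" and never close with "fixed" matches
// every version. Ranges with concrete bounds are NOT evaluated: comparing them
// correctly needs the ecosystem's own version ordering.
func isAffected(rec OSVRecord, dep Dependency) bool {
	for _, a := range rec.Affected {
		if a.Package.Ecosystem != dep.Ecosystem || a.Package.Name != dep.Name {
			continue
		}
		for _, v := range a.Versions {
			if v == dep.Version {
				return true
			}
		}
		for _, r := range a.Ranges {
			openEnded := false
			for _, e := range r.Events {
				if e.Introduced == "0" {
					openEnded = true
				}
				if e.Fixed != "" {
					openEnded = false
				}
			}
			if openEnded {
				return true
			}
		}
	}
	return false
}

// findMalicious maps each flagged dependency to the ID of the matching report.
func findMalicious(recs []OSVRecord, deps []Dependency) map[Dependency]string {
	hits := map[Dependency]string{}
	for _, d := range deps {
		for _, r := range recs {
			if isAffected(r, d) {
				hits[d] = r.ID
				break
			}
		}
	}
	return hits
}

func main() {
	recs, err := parseRecords([]byte(sampleOSV))
	if err != nil {
		panic(err)
	}
	for dep, id := range findMalicious(recs, sampleDeps) {
		fmt.Printf("BLOCK %s/%s@%s: %s\n", dep.Ecosystem, dep.Name, dep.Version, id)
	}
}
```

Wiring this into a real pipeline means feeding it the actual JSON files from the malicious-packages repository and a parsed lockfile; the matcher above is the part that stays the same. Treat an unparseable range as "unknown, fail closed" rather than silently clean if the build must block on any report.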

fuzz-introspector Python 447 stars

Fuzz Introspector -- introspect, extend and optimise fuzzers

wg-securing-critical-projects 386 stars

Helping allocate resources to secure the critical open source projects we all depend on.

wg-security-tooling 320 stars

OpenSSF Security Tooling Working Group

s2c2f 227 stars

The S2C2F Project is a group within the OpenSSF Supply Chain Integrity Working Group, formed to develop and continuously improve the S2C2F guide, which defines how to securely consume Open Source Software (OSS) dependencies into the developer's workflow.

wg-metrics-and-metadata 223 stars

The purpose of the Metrics & Metadata (formerly Identifying Security Threats) working group is to enable stakeholders to have informed confidence in the security of open source projects. It does this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems they are part of.

wg-vulnerability-disclosures 213 stars

The OpenSSF Vulnerability Disclosures Working Group seeks to improve the overall security of the open source software ecosystem by helping to mature and advocate well-managed vulnerability reporting and communication.

secure-sw-dev-fundamentals CSS 199 stars

Secure Software Development Fundamentals courses (from the OpenSSF Best Practices WG)

wg-best-practices-os-developers JavaScript 990 stars

The Best Practices for OSS Developers working group is dedicated to raising awareness of, and educating open source developers in, secure coding best practices.

cve-bin-tool Python 1.6k stars

The CVE Binary Tool helps you determine whether your system includes known vulnerabilities. It can scan binaries for over 350 common, vulnerable components (openssl, libpng, libxml2, expat and others); alternatively, if you already know the components used, it can list the known vulnerabilities associated with an SBOM or with a list of components and versions.

criticality_score Go 1.4k stars

Gives a criticality score for an open source project

wg-supply-chain-integrity 197 stars

Our objective is to enable open source maintainers, contributors and end users to understand, and make decisions about, the provenance of the code they maintain, produce and use.

package-manager-best-practices 164 stars

Collection of security best practices for package managers.

ai-ml-security 146 stars

Working Group on Artificial Intelligence and Machine Learning (AI/ML) Security

package-analysis Go 863 stars

Open Source Package Analysis