Open Source Security Foundation (OpenSSF)

All

75 repositories

security-baseline
Public
Go
•
Apache License 2.0
•37•140•56•14•Updated Jan 29, 2026Jan 29, 2026
malicious-packages
Public
A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.
Go
•
Apache License 2.0
•72•442•14•5•Updated Jan 29, 2026Jan 29, 2026
osv-schema
Public
Open Source Vulnerability schema.
Go
•
Apache License 2.0
•111•229•47•2•Updated Jan 29, 2026Jan 29, 2026
ossf-landscape
Public
Apache License 2.0
•27•30•0•0•Updated Jan 28, 2026Jan 28, 2026
wg-best-practices-os-developers
Public
The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.
JavaScript
•
Apache License 2.0
•186•982•67•11•Updated Jan 27, 2026Jan 27, 2026
scorecard
Public
OpenSSF Scorecard - Security health metrics for Open Source
scorecard openssf-scorecard
Go
•
Apache License 2.0
•604•5.2k•359•25•Updated Jan 26, 2026Jan 26, 2026
scorecard-action
Public
Official GitHub Action for OpenSSF Scorecard.
github security supply-chain github-actions openssf-scorecard
Go
•
Apache License 2.0
•82•356•28•12•Updated Jan 26, 2026Jan 26, 2026
scorecard-webapp
Public
Website and API for OpenSSF Scorecard
openssf-scorecard
Go
•
Apache License 2.0
•30•28•31•24•Updated Jan 26, 2026Jan 26, 2026
wg-bear
Public
The BEAR (Belonging, Empowerment, Allyship, and Representation) WG, formerly DEI, was formed in December 2023 to enhance representation and cybersecurity workforce effectiveness.
Apache License 2.0
•5•11•8•2•Updated Jan 26, 2026Jan 26, 2026
fuzz-introspector
Public
Fuzz Introspector -- introspect, extend and optimise fuzzers
testing security fuzzing fuzz-testing vulnerability-analysis security-research
Python
•
Apache License 2.0
•78•445•107•7•Updated Jan 26, 2026Jan 26, 2026
allstar
Public
GitHub App to set and enforce security policies
Go
•
Apache License 2.0
•144•1.4k•61•3•Updated Jan 26, 2026Jan 26, 2026
cve-bin-tool
Public
The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 350 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
python security vulnerability vulnerabilities cve hacktoberfest cvss security-automation security-tools devsecops
Python
•
GNU General Public License v3.0
•599•1.6k•158•71•Updated Jan 26, 2026Jan 26, 2026
scorecard-monitor
Public
Simplify OpenSSF Scorecard tracking in your organization with automated markdown and JSON reports, plus optional GitHub issue alerts
security security-audit security-tools github-actions open-source-management openssf-scorecard
JavaScript
•
Apache License 2.0
•14•42•13•9•Updated Jan 22, 2026Jan 22, 2026
sbom-everywhere
Public
Improve Software Bill of Materials (SBOM) tooling and training to encourage adoption
Vue
•
Apache License 2.0
•41•110•22•10•Updated Jan 22, 2026Jan 22, 2026
tac
Public
Technical Advisory Council
Other
•75•133•39•12•Updated Jan 21, 2026Jan 21, 2026
sig-basejump
Public
Apache License 2.0
•0•0•0•0•Updated Jan 20, 2026Jan 20, 2026
wg-supply-chain-integrity
Public
Our objective is to enable open source maintainers, contributors and end-users to understand and make decisions on the provenance of the code they maintain, produce and use.
Apache License 2.0
•35•195•11•1•Updated Jan 15, 2026Jan 15, 2026
alpha-omega
Public
Our mission is to catalyze sustainable improvements to critical open source software projects and ecosystems.
security opensource open-source-security
Open Policy Agent
•
Apache License 2.0
•63•111•0•1•Updated Jan 13, 2026Jan 13, 2026
security-insights
Public
Machine-readable specification for the attestation of security-relevant data.
Go
•
Other
•15•71•5•3•Updated Jan 6, 2026Jan 6, 2026
wg-orbit
Public
ORBIT: Open Resources for Baselines, Interoperability, and Tooling
Apache License 2.0
•4•21•6•0•Updated Jan 3, 2026Jan 3, 2026
secure-sw-dev-fundamentals
Public
Secure Software Development Fundamentals courses (from the OpenSSF Best Practices WG)
CSS
•
Creative Commons Attribution 4.0 International
•51•199•34•3•Updated Dec 22, 2025Dec 22, 2025
ai-ml-security
Public
Working Group on Artificial Intelligence and Machine Learning (AI/ML) Security
Apache License 2.0
•22•141•11•0•Updated Dec 19, 2025Dec 19, 2025
wg-securing-software-repos
Public
OpenSSF Working Group on Securing Software Repositories
Other
•29•125•11•4•Updated Dec 18, 2025Dec 18, 2025
wg-globalcyberpolicy
Public
Global Cyber Policy Working Group
Apache License 2.0
•19•100•13•2•Updated Dec 3, 2025Dec 3, 2025
criticality_score
Public
Gives criticality score for an open source project
Go
•
Apache License 2.0
•130•1.4k•45•35•Updated Dec 2, 2025Dec 2, 2025
scorecard-visualizer
Public
Tool for visualizing the Open SSF Scorecard Api data in a human friendly way
openssf openssf-scorecard
TypeScript
•
Apache License 2.0
•6•18•1•12•Updated Nov 27, 2025Nov 27, 2025
SIRT
Public
The OSS-SIRT SIG (Open Source Software Security Incident Response Team Special Interest Group) is a group working within the OSSF's Vulnerability Disclosure Working Group that is focused on creating secure vulnerability management capabilities within the open source ecosystem to ensure effective coordinated vulnerability disclosure practices (CVD)
Apache License 2.0
•6•10•2•0•Updated Nov 20, 2025Nov 20, 2025
glossary
Public
A reference for common terms when talking about OpenSSF and open source software security.
JavaScript
•
Apache License 2.0
•5•4•2•10•Updated Nov 19, 2025Nov 19, 2025
education
Public
OpenSSF Education SIG
Apache License 2.0
•17•18•5•2•Updated Nov 15, 2025Nov 15, 2025
oss-vulnerability-guide
Public
A guide on coordinated vulnerability disclosure for open source projects. Includes templates for security policies (security.md) and disclosure notifications.
Creative Commons Attribution 4.0 International
•42•135•5•1•Updated Nov 15, 2025Nov 15, 2025