Repositories list

• malicious-packages

  Public

  ossf/malicious-packages’s past year of commit activity
  A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.

  Go

  •

  Apache License 2.0

  •67•423•12•7•Updated Dec 10, 2025Dec 10, 2025

• ossf-landscape

  Public

  ossf/ossf-landscape’s past year of commit activity
  Apache License 2.0

  •27•30•0•1•Updated Dec 10, 2025Dec 10, 2025

• gemara

  Public

  ossf/gemara’s past year of commit activity
  Minimizing rework for governance activities.

  Go

  •

  Apache License 2.0

  •17•31•26•5•Updated Dec 10, 2025Dec 10, 2025

• wg-best-practices-os-developers

  Public

  ossf/wg-best-practices-os-developers’s past year of commit activity
  The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.

  JavaScript

  •

  Apache License 2.0

  •185•958•66•7•Updated Dec 10, 2025Dec 10, 2025

• scorecard-action

  Public

  ossf/scorecard-action’s past year of commit activity
  Official GitHub Action for OpenSSF Scorecard.

  githubsecuritysupply-chain+ 2github-actionsopenssf-scorecard

  Go

  •

  Apache License 2.0

  •80•339•27•7•Updated Dec 9, 2025Dec 9, 2025

• scorecard-webapp

  Public

  ossf/scorecard-webapp’s past year of commit activity
  Website and API for OpenSSF Scorecard

  openssf-scorecard

  Go

  •

  Apache License 2.0

  •31•29•31•16•Updated Dec 9, 2025Dec 9, 2025

• scorecard

  Public

  ossf/scorecard’s past year of commit activity
  OpenSSF Scorecard - Security health metrics for Open Source

  scorecardopenssf-scorecard

  Go

  •

  Apache License 2.0

  •592•5.2k•363•7•Updated Dec 9, 2025Dec 9, 2025

• alpha-omega

  Public

  ossf/alpha-omega’s past year of commit activity
  Our mission is to catalyze sustainable improvements to critical open source software projects and ecosystems.

  securityopensourceopen-source-security

  Open Policy Agent

  •

  Apache License 2.0

  •61•110•0•7•Updated Dec 9, 2025Dec 9, 2025

• osv-schema

  Public

  ossf/osv-schema’s past year of commit activity
  Open Source Vulnerability schema.

  Go

  •

  Apache License 2.0

  •108•217•35•9•Updated Dec 9, 2025Dec 9, 2025

• fuzz-introspector

  Public

  ossf/fuzz-introspector’s past year of commit activity
  Fuzz Introspector -- introspect, extend and optimise fuzzers

  testingsecurityfuzzing+ 3fuzz-testingvulnerability-analysissecurity-research

  Python

  •

  Apache License 2.0

  •77•435•105•4•Updated Dec 8, 2025Dec 8, 2025

• allstar

  Public

  ossf/allstar’s past year of commit activity
  GitHub App to set and enforce security policies

  Go

  •

  Apache License 2.0

  •143•1.4k•60•0•Updated Dec 8, 2025Dec 8, 2025

• tac

  Public

  ossf/tac’s past year of commit activity
  Technical Advisory Council

  Other

  •74•133•37•8•Updated Dec 8, 2025Dec 8, 2025

• ai-ml-security

  Public

  ossf/ai-ml-security’s past year of commit activity
  Working Group on Artificial Intelligence and Machine Learning (AI/ML) Security

  Apache License 2.0

  •23•126•10•0•Updated Dec 5, 2025Dec 5, 2025

• security-baseline

  Public

  ossf/security-baseline’s past year of commit activity
  Go

  •

  Apache License 2.0

  •33•121•55•9•Updated Dec 4, 2025Dec 4, 2025

• wg-globalcyberpolicy

  Public

  ossf/wg-globalcyberpolicy’s past year of commit activity
  Global Cyber Policy Working Group

  Apache License 2.0

  •18•96•11•1•Updated Dec 3, 2025Dec 3, 2025

• wg-supply-chain-integrity

  Public
  Our objective is to enable open source maintainers, contributors and end-users to understand and make decisions on the provenance of the code they maintain, produce and use.

  Apache License 2.0

  •35•195•10•1•Updated Dec 3, 2025Dec 3, 2025

• wg-bear

  Public

  ossf/wg-bear’s past year of commit activity
  The BEAR (Belonging, Empowerment, Allyship, and Representation) WG, formerly DEI, was formed in December 2023 to enhance representation and cybersecurity workforce effectiveness.

  Apache License 2.0

  •4•10•7•1•Updated Dec 2, 2025Dec 2, 2025

• sbom-everywhere

  Public

  ossf/sbom-everywhere’s past year of commit activity
  Improve Software Bill of Materials (SBOM) tooling and training to encourage adoption

  Vue

  •

  Apache License 2.0

  •38•111•22•7•Updated Dec 2, 2025Dec 2, 2025

• criticality_score

  Public
  Gives criticality score for an open source project

  Go

  •

  Apache License 2.0

  •129•1.4k•44•35•Updated Dec 2, 2025Dec 2, 2025

• scorecard-visualizer

  Public

  ossf/scorecard-visualizer’s past year of commit activity
  Tool for visualizing the Open SSF Scorecard Api data in a human friendly way

  openssfopenssf-scorecard

  TypeScript

  •

  Apache License 2.0

  •6•18•1•12•Updated Nov 27, 2025Nov 27, 2025

• SIRT

  Public

  ossf/SIRT’s past year of commit activity
  The OSS-SIRT SIG (Open Source Software Security Incident Response Team Special Interest Group) is a group working within the OSSF's Vulnerability Disclosure Working Group that is focused on creating secure vulnerability management capabilities within the open source ecosystem to ensure effective coordinated vulnerability disclosure practices (CVD)

  Apache License 2.0

  •6•10•2•0•Updated Nov 20, 2025Nov 20, 2025

• glossary

  Public

  ossf/glossary’s past year of commit activity
  A reference for common terms when talking about OpenSSF and open source software security.

  JavaScript

  •

  Apache License 2.0

  •4•5•2•9•Updated Nov 19, 2025Nov 19, 2025

• scorecard-monitor

  Public

  ossf/scorecard-monitor’s past year of commit activity
  Simplify OpenSSF Scorecard tracking in your organization with automated markdown and JSON reports, plus optional GitHub issue alerts

  securitysecurity-auditsecurity-tools+ 3github-actionsopen-source-managementopenssf-scorecard

  JavaScript

  •

  Apache License 2.0

  •14•40•13•8•Updated Nov 18, 2025Nov 18, 2025

• education

  Public

  ossf/education’s past year of commit activity
  OpenSSF Education SIG

  Apache License 2.0

  •17•18•4•2•Updated Nov 15, 2025Nov 15, 2025

• oss-vulnerability-guide

  Public

  ossf/oss-vulnerability-guide’s past year of commit activity
  A guide on coordinated vulnerability disclosure for open source projects. Includes templates for security policies (security.md) and disclosure notifications.

  Creative Commons Attribution 4.0 International

  •41•131•5•1•Updated Nov 15, 2025Nov 15, 2025

• wg-securing-software-repos

  Public

  ossf/wg-securing-software-repos’s past year of commit activity
  OpenSSF Working Group on Securing Software Repositories

  Other

  •27•123•11•4•Updated Nov 13, 2025Nov 13, 2025

• wg-vulnerability-disclosures

  Public

  ossf/wg-vulnerability-disclosures’s past year of commit activity
  The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.

  Apache License 2.0

  •43•204•35•0•Updated Oct 1, 2025Oct 1, 2025

• wg-orbit

  Public

  ossf/wg-orbit’s past year of commit activity
  ORBIT: Open Resources for Baselines, Interoperability, and Tooling

  Apache License 2.0

  •4•20•10•0•Updated Sep 29, 2025Sep 29, 2025

• artwork

  Public

  ossf/artwork’s past year of commit activity
  OpenSSF Artwork

  Apache License 2.0

  •10•9•0•0•Updated Sep 18, 2025Sep 18, 2025

• security-insights

  Public

  ossf/security-insights’s past year of commit activity
  Machine-readable specification for the attestation of security-relevant data.

  CUE

  •

  Other

  •15•67•10•1•Updated Sep 16, 2025Sep 16, 2025