LFX Insights

Open Source Security Foundation (OpenSSF)

The Open Source Security Foundation (OpenSSF) is a collaborative initiative under the Linux Foundation, dedicated to improving security in open-source software. It brings together industry leaders, developers, and security experts to address vulnerabilities and enhance the supply chain security of open-source projects.

28 projects

7,853 contributors

$265M

Sigstore

Sigstore empowers software maintainers to easily sign software artifacts. The signing material (the signature and the short-lived certificate that binds it to the signer's identity) is recorded in a production-grade public transparency log, so anyone can later check that a signature was logged at signing time and has not been silently altered; the artifacts themselves are not stored in the log.

Contributors

2,083

Organizations

611

Software value

$18M

Open Source Security Foundation (OpenSSF)

The OpenSSF is a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) by building a broader community, targeted initiatives, and best practices, including addressing vulnerability disclosures, security tooling and more.

Contributors

1,544

Organizations

462

Software value

$160M

OpenSSF Scorecard

Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security, assigns each check a score of 0-10, and combines the check scores into a single risk-weighted aggregate score for the repository.

Contributors

787

Organizations

275

Software value

$4.4M
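To make the scoring model concrete, here is an added example, not Scorecard's own code: a toy scorer that reproduces the public model (each check scores 0-10; the aggregate is a mean weighted by the check's risk level, Critical=10, High=7.5, Medium=5, Low=2.5 as documented in the Scorecard README) with simplified, line-based versions of three real checks, Pinned-Dependencies, Token-Permissions and Branch-Protection. The workflow files, branch-protection settings and the 40-hex "digests" are constructed placeholders, and the per-check scoring rules are simplified relative to Scorecard's.

```python
"""Toy version of the Scorecard scoring model (added example, not Scorecard code).

Each check returns 0-10; the aggregate is a risk-weighted mean. The workflows and
branch settings are constructed; the 40-hex digests are placeholders, not real commits.
"""
import itertools
import re
from dataclasses import dataclass
from typing import Dict

RISK_WEIGHT = {"Critical": 10.0, "High": 7.5, "Medium": 5.0, "Low": 2.5}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflows (not from any real repository).
WORKFLOW_WEAK = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
      - run: go test ./...
"""
WORKFLOW_PARTIAL = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder digest
      - uses: actions/setup-go@v5
"""
WORKFLOW_HARDENED = WORKFLOW_PARTIAL.replace("@v5", "@89abcdef0123456789abcdef0123456789abcdef")

BRANCH_WEAK = {"protected": False}
BRANCH_PARTIAL = {"protected": True, "allow_force_pushes": False, "allow_deletions": False,
                  "require_pull_request": True, "required_approving_review_count": 1}
BRANCH_HARDENED = dict(BRANCH_PARTIAL, dismiss_stale_reviews=True, require_status_checks=True)


@dataclass
class CheckResult:
    name: str
    risk: str
    score: int


def check_pinned_dependencies(workflow: str) -> CheckResult:
    """Score = share of `uses:` references pinned to a full commit SHA (tags can be moved)."""
    refs = [m.group(1) for m in map(USES_RE.match, workflow.splitlines()) if m]
    pinned = [r for r in refs if "@" in r and SHA_RE.match(r.rsplit("@", 1)[1])]
    score = 10 if not refs else round(10 * len(pinned) / len(refs))
    return CheckResult("Pinned-Dependencies", "Medium", score)


def check_token_permissions(workflow: str) -> CheckResult:
    """10 if the workflow declares a read-only top-level GITHUB_TOKEN, else 0."""
    lines = workflow.splitlines()
    score = 0  # no top-level `permissions:` means the token keeps its default scopes
    for i, line in enumerate(lines):
        if not line.startswith("permissions:"):
            continue
        value = line.split(":", 1)[1].strip()
        if value in ("read-all", "{}"):
            score = 10
        elif value == "write-all":
            score = 0
        else:  # block form: inspect the indented scope lines that follow
            block = [s.strip() for s in itertools.takewhile(lambda s: s.startswith(" "), lines[i + 1:])]
            score = 0 if any(s.endswith(": write") for s in block) else 10
        break
    return CheckResult("Token-Permissions", "High", score)


def check_branch_protection(bp: Dict[str, object]) -> CheckResult:
    """Simplified tiering of the default-branch protection settings."""
    score = 0
    if bp.get("protected"):
        if not bp.get("allow_force_pushes", True) and not bp.get("allow_deletions", True):
            score += 3
        if bp.get("require_pull_request"):
            score += 2
            if int(bp.get("required_approving_review_count", 0)) >= 1:
                score += 2
            if bp.get("dismiss_stale_reviews"):
                score += 1
        if bp.get("require_status_checks"):
            score += 2
    return CheckResult("Branch-Protection", "High", score)


def score_repo(workflow: str, branch: Dict[str, object]) -> Dict[str, float]:
    """Run the checks and compute the risk-weighted aggregate."""
    results = [check_pinned_dependencies(workflow), check_token_permissions(workflow),
               check_branch_protection(branch)]
    total_weight = sum(RISK_WEIGHT[r.risk] for r in results)
    report = {r.name: float(r.score) for r in results}
    report["aggregate"] = sum(RISK_WEIGHT[r.risk] * r.score for r in results) / total_weight
    return report


if __name__ == "__main__":
    for label, wf, bp in [("weak", WORKFLOW_WEAK, BRANCH_WEAK),
                          ("partial", WORKFLOW_PARTIAL, BRANCH_PARTIAL),
                          ("hardened", WORKFLOW_HARDENED, BRANCH_HARDENED)]:
        print(label, score_repo(wf, bp))
```

The partial case is the instructive one: a Medium-risk check at 5 pulls the aggregate down less than a High-risk check at 7, which is the point of weighting by risk rather than averaging the raw scores.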

Zarf

The mission of the Project is to eliminate the complexity of software delivery for Kubernetes clusters and cloud-native workloads using a declarative packaging strategy to support DevSecOps in offline and semi-connected environments.

Contributors

510

Organizations

95

Software value

$2.4M

GUAC

The mission of the GUAC project is to develop tools to understand relationships among software components through analysis of software metadata.

Contributors

395

Organizations

102

Software value

$49M

Repository Service for TUF

Repository Service for TUF (RSTUF) is a system for securing content downloads from tampering between the repository and the client (for example, by an on-path attacker).

Contributors

357

Organizations

158

Software value

$789K
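The client-side half of that protection is the part worth seeing in code. The following is an added example, not RSTUF's or python-tuf's code: the client takes a target's expected length and hashes from (already signature-verified) targets metadata, reads no more than that length from the wire, and rejects anything that does not match. The metadata map and the four mirror responses are constructed for the example; verifying the metadata's signatures against keys delegated from the root role is a prerequisite step omitted here, since the Python standard library has no asymmetric signature primitives.

```python
"""Client-side target verification in the style of TUF (added example, not RSTUF code).

The trusted metadata and the mirror responses are constructed. Signature verification
of the metadata itself is assumed to have happened already and is not shown.
"""
import hashlib
import hmac
import io
from typing import Dict


class TargetRejected(Exception):
    pass


# Constructed trusted metadata, shaped like the "targets" map of a TUF targets.json.
GENUINE = b"#!/bin/sh\necho 'installing example-tool'\n"
TRUSTED_TARGETS: Dict[str, dict] = {
    "example-tool/install.sh": {
        "length": len(GENUINE),
        "hashes": {"sha256": hashlib.sha256(GENUINE).hexdigest()},
    }
}


def download_target(path: str, stream: io.BufferedIOBase, targets: Dict[str, dict]) -> bytes:
    """Fetch `path` from an untrusted stream; return the bytes only if they match metadata."""
    meta = targets.get(path)
    if meta is None:
        raise TargetRejected(f"{path}: not listed in trusted targets metadata")
    expected_len = meta["length"]
    # Read at most length+1 bytes: a mirror or on-path attacker serving an endless
    # body cannot exhaust memory or disk, and one extra byte is enough to detect oversize.
    data = stream.read(expected_len + 1)
    if len(data) != expected_len:
        raise TargetRejected(f"{path}: length {len(data)} != {expected_len}")
    for alg, expected in meta["hashes"].items():
        actual = hashlib.new(alg, data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            raise TargetRejected(f"{path}: {alg} mismatch")
    return data


def simulate() -> Dict[str, str]:
    """Run the verifier against four constructed mirror responses."""
    tampered = GENUINE.replace(b"installing", b"exfiltrate")  # same length, different bytes
    responses = {
        "genuine": GENUINE,
        "tampered": tampered,
        "truncated": GENUINE[:-5],
        "endless": GENUINE + b"A" * 10_000,
    }
    outcome: Dict[str, str] = {}
    for name, body in responses.items():
        try:
            download_target("example-tool/install.sh", io.BytesIO(body), TRUSTED_TARGETS)
            outcome[name] = "accepted"
        except TargetRejected as exc:
            outcome[name] = "rejected: " + str(exc).split(": ", 1)[1]
    return outcome


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name:10s} {result}")
```

Checking the length before hashing matters: it is what bounds the read, and it is what turns an "endless data" response into a cheap, early rejection rather than a hash over an unbounded body.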

Allstar

Allstar is a GitHub App that continuously monitors GitHub organizations or repositories for adherence to security best practices. If Allstar detects a security policy violation, it creates an issue to alert the repository or organization owner. For some security policies, Allstar can also automatically change the project setting that caused the violation, reverting it to the expected state.

Contributors

336

Organizations

53

Software value

$527K

Vulnerability Disclosures Working Group

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.

Contributors

280

Organizations

114

Software value

$1.6M

Best Practices For OSS Developers Working Group

The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.

Contributors

254

Organizations

116

Software value

$4.9M

SLSA

Supply-chain Levels for Software Artifacts ("SLSA", pronounced "salsa") is a security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity.

Contributors

240

Organizations

66

Software value

$8.7M

Security Software Repositories Working Group

This group provides a collaborative environment for aligning on the introduction of new tools and technologies to strengthen and secure software repositories.

Contributors

232

Organizations

83

Software value

$2.2M

Alpha-Omega

Alpha is collaborative in nature, targeting and evaluating the most critical open source projects to help them improve their security postures. Omega uses automated methods and tools to identify critical security vulnerabilities across at least 10,000 widely-deployed open source projects.

Contributors

160

Organizations

37

Software value

$968K

gittuf

The mission of the gittuf project is to provide a security layer for Git using some concepts introduced by The Update Framework (TUF).

Contributors

122

Organizations

34

Software value

$1.5M

Security Tooling Working Group

The purpose of the Security Tooling Working Group of the OpenSSF is to identify, evaluate, improve, develop and ease deployment of universally accessible, developer-focused tooling to help the open source community secure their code.

Contributors

112

Organizations

73

Software value

$382K

Criticality Score

The mission of the Project is to generate criticality scores for open source projects, in order to identify critical projects the open source community depends on so these projects can be proactively secured.

Contributors

103

Organizations

38

Software value

$339K

Protobom

protobom is a Protocol Buffers representation of SBOM data able to ingest documents in modern SPDX and CycloneDX versions without loss. It has an accompanying Go library generated from the Protocol Buffers definition that also implements ingesters for those formats.

Contributors

68

Organizations

26

Software value

$8.3M

Edu.sig

Edu.sig is the OpenSSF Education Special Interest Group, focused on security education for open source developers and maintainers: raising awareness of secure development practices and curating training and guidance material for the community.

Contributors

53

Organizations

22

Software value

$601K

S2C2F

This guide outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer's workflow.

Contributors

44

Organizations

19

Software value

$176K

Supply Chain Integrity Working Group

Our objective is to enable open source maintainers, contributors and end-users to understand and make decisions on the provenance of the code they maintain, produce and use.

Contributors

43

Organizations

26

Software value

$140K

CTI

The CTI Project's mission is to provide the core toolchain community with the secure infrastructure and state-of-the-art services its development efforts require, so that the core toolchain can serve as a trusted foundation in a secure supply chain.

Contributors

41

Organizations

1

Metrics and Metadata Working Group

The purpose of the Metrics and Metadata working group (formerly the Identifying Security Threats working group) is to enable stakeholders to have informed confidence in the security of open source projects. We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.

Contributors

34

Organizations

22

Software value

$163K

SIRT

SIRT (Security Incident Response Team) is a Linux Foundation project focused on coordinating vulnerability management and incident response across open source ecosystems, providing security expertise and standardized protocols to address cybersecurity threats effectively.

Contributors

25

Organizations

7

Software value

$131K

Security Metrics

The purpose of this project is to enable the collection of security metrics for open source projects.

Contributors

17

Organizations

1

Package Analysis/Feeds

The mission of the Project is to improve the security of open source software by detecting malicious behavior, informing consumers selecting packages, and providing researchers with data about the ecosystem.

Contributors

12

Organizations

2

OSV Schema

The mission of the Project is to develop a standard interchange format for describing vulnerabilities in open source packages.

Contributors

1

Organizations

1

Fuzz Introspector

Fuzz introspector is a tool to help fuzzer developers to get an understanding of their fuzzer’s performance and identify any potential blockers.

This project hasn't been onboarded to LFX Insights.

SBOMit

The mission of SBOMit is to develop a specification and reference implementations for software bill of materials.

This project hasn't been onboarded to LFX Insights.

Security Insights Spec

This specification provides a mechanism for projects to report information about their security in a machine-processable way. It is formatted as a YAML file to make it easy to read and edit by humans.

This project hasn't been onboarded to LFX Insights.