Allstar is a GitHub App that continuously monitors GitHub organizations or repositories for adherence to security best practices.
The Open Source Security Foundation (OpenSSF) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices.
The Criticality Score project computes a criticality score for an open source project.
Fuzz introspector is a tool to help fuzzer developers to get an understanding of their fuzzer’s performance and identify any potential blockers.
gittuf provides a security layer for Git using some concepts introduced by The Update Framework (TUF).
GUAC gives you directed, actionable insights into the security of your software supply chain.
OpenSSF Scorecard assesses open source projects for security risks through a series of automated checks. It was created by OSS developers to help improve the health of critical projects that the community depends on. You can use it to proactively assess and make informed decisions about accepting security risks within…
OpenVEX is an implementation of the Vulnerability Exploitability Exchange (VEX for short) that is designed to be minimal, compliant, interoperable, and embeddable.
Open Source Vulnerability schema (OSV Schema)
The Package Analysis project analyses the capabilities of packages available on open source repositories.
Package Feeds provides feed parsing for language package manager updates.
Protobom is a protocol buffers representation of SBOM data able to ingest documents in modern SPDX and CycloneDX versions without loss.
Repository Service for TUF (RSTUF) is a collection of components that provide services for securing content downloads from tampering between the repository and the client (for example, by an on-path attacker).
The S2C2F SIG was formed to further develop and continuously improve the S2C2F guide.
The SBOMit specification is an SBOM-format-independent method for attesting components with additional verification information.
This specification provides a mechanism for projects to report information about their security in a machine-processable way.
The purpose of Security Metrics is to collect, organize, and provide interesting security metrics for open source projects to stakeholders, including users.
sigstore is a standard for signing, verifying, and protecting software.
SLSA is a specification for describing and incrementally improving supply chain security, established by industry consensus. It is organized into a series of levels that describe increasing security guarantees.