Repositories list

• malicious-packages

  Public

  ossf/malicious-packages’s past year of commit activity
  A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.

  Go

  •

  Apache License 2.0

  •8686 forks•494494 stars•2121 issues•55 pull requests•Updated Apr 22, 2026Apr 22, 2026

• oss-crs

  Public

  ossf/oss-crs’s past year of commit activity
  oss-crs

  Python

  •

  MIT License

  •66 forks•5555 stars•2626 issues•55 pull requests•Updated Apr 22, 2026Apr 22, 2026

• allstar

  Public

  ossf/allstar’s past year of commit activity
  GitHub App to set and enforce security policies

  Go

  •

  Apache License 2.0

  •145145 forks•1.4k1.4k stars•5858 issues•00 pull requests•Updated Apr 22, 2026Apr 22, 2026

• ossf-landscape

  Public

  ossf/ossf-landscape’s past year of commit activity
  Apache License 2.0

  •2828 forks•3131 stars•00 issues•66 pull requests•Updated Apr 22, 2026Apr 22, 2026

• cve-bin-tool

  Public

  ossf/cve-bin-tool’s past year of commit activity
  The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 350 common, vulnerable components (openssl…

  pythonsecurityvulnerability+ 11

  pythonsecurityvulnerabilityvulnerabilitiescvehacktoberfestcvsssecurity-automationsecurity-toolsdevsecops+ 4

  Python

  •

  GNU General Public License v3.0

  •619619 forks•1.7k1.7k stars•147147 issues•5757 pull requests•Updated Apr 22, 2026Apr 22, 2026

• pvtr-github-repo-scanner

  Public

  ossf/pvtr-github-repo-scanner’s past year of commit activity
  Privateer plugin for scanning the security hygiene of a GitHub repository.

  Go

  •

  Apache License 2.0

  •1212 forks•2323 stars•2121 issues•44 pull requests•Updated Apr 22, 2026Apr 22, 2026

• fuzz-introspector

  Public

  ossf/fuzz-introspector’s past year of commit activity
  Fuzz Introspector -- introspect, extend and optimise fuzzers

  testingsecurityfuzzing+ 3

  testingsecurityfuzzingfuzz-testingvulnerability-analysissecurity-research

  Python

  •

  Apache License 2.0

  •8484 forks•453453 stars•109109 issues•99 pull requests•Updated Apr 21, 2026Apr 21, 2026

• wg-globalcyberpolicy

  Public

  ossf/wg-globalcyberpolicy’s past year of commit activity
  Global Cyber Policy Working Group

  Apache License 2.0

  •2020 forks•112112 stars•1515 issues•00 pull requests•Updated Apr 21, 2026Apr 21, 2026

• si-tooling

  Public

  ossf/si-tooling’s past year of commit activity
  Python

  •

  Apache License 2.0

  •44 forks•88 stars•22 issues•00 pull requests•Updated Apr 21, 2026Apr 21, 2026

• scorecard-webapp

  Public

  ossf/scorecard-webapp’s past year of commit activity
  Website and API for OpenSSF Scorecard

  openssf-scorecard

  openssf-scorecard

  Go

  •

  Apache License 2.0

  •3030 forks•2828 stars•3232 issues•3030 pull requests•Updated Apr 20, 2026Apr 20, 2026

• oss-vulnerability-guide

  Public

  ossf/oss-vulnerability-guide’s past year of commit activity
  A guide on coordinated vulnerability disclosure for open source projects. Includes templates for security policies (security.md) and disclosure notifications.

  Creative Commons Attribution 4.0 International

  •4343 forks•137137 stars•55 issues•11 pull request•Updated Apr 20, 2026Apr 20, 2026

• wg-best-practices-os-developers

  Public
  The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.

  JavaScript

  •

  Apache License 2.0

  •193193 forks•1k1k stars•8282 issues•1717 pull requests•Updated Apr 20, 2026Apr 20, 2026

• scorecard

  Public

  ossf/scorecard’s past year of commit activity
  OpenSSF Scorecard - Security health metrics for Open Source

  scorecardopenssf-scorecard

  scorecardopenssf-scorecard

  Go

  •

  Apache License 2.0

  •641641 forks•5.4k5.4k stars•368368 issues•3636 pull requests•Updated Apr 20, 2026Apr 20, 2026

• security-baseline

  Public

  ossf/security-baseline’s past year of commit activity
  Go

  •

  Apache License 2.0

  •3939 forks•152152 stars•5656 issues•22 pull requests•Updated Apr 20, 2026Apr 20, 2026

• scorecard-action

  Public
  Official GitHub Action for OpenSSF Scorecard.

  githubsecuritysupply-chain+ 2

  githubsecuritysupply-chaingithub-actionsopenssf-scorecard

  Go

  •

  Apache License 2.0

  •8484 forks•371371 stars•3030 issues•1616 pull requests•Updated Apr 17, 2026Apr 17, 2026

• security-insights

  Public

  ossf/security-insights’s past year of commit activity
  Machine-readable specification for the attestation of security-relevant data.

  Go

  •

  Other

  •1616 forks•7474 stars•66 issues•22 pull requests•Updated Apr 17, 2026Apr 17, 2026

• osv-schema

  Public
  Open Source Vulnerability schema.

  Go

  •

  Apache License 2.0

  •116116 forks•245245 stars•4949 issues•1212 pull requests•Updated Apr 14, 2026Apr 14, 2026

• glossary

  Public
  A reference for common terms when talking about OpenSSF and open source software security.

  JavaScript

  •

  Apache License 2.0

  •66 forks•44 stars•44 issues•11 pull request•Updated Apr 14, 2026Apr 14, 2026

• tac

  Public
  Technical Advisory Council

  Other

  •7777 forks•141141 stars•4040 issues•2121 pull requests•Updated Apr 14, 2026Apr 14, 2026

• alpha-omega

  Public

  ossf/alpha-omega’s past year of commit activity
  Our mission is to catalyze sustainable improvements to critical open source software projects and ecosystems.

  securityopensourceopen-source-security

  securityopensourceopen-source-security

  Open Policy Agent

  •

  Apache License 2.0

  •6363 forks•125125 stars•00 issues•11 pull request•Updated Apr 10, 2026Apr 10, 2026

• secure-sw-dev-fundamentals

  Public
  Secure Software Development Fundamentals courses (from the OpenSSF Best Practices WG)

  CSS

  •

  Creative Commons Attribution 4.0 International

  •5151 forks•202202 stars•3434 issues•33 pull requests•Updated Apr 10, 2026Apr 10, 2026

• scorecard-monitor

  Public
  Simplify OpenSSF Scorecard tracking in your organization with automated markdown and JSON reports, plus optional GitHub issue alerts

  securitysecurity-auditsecurity-tools+ 3

  securitysecurity-auditsecurity-toolsgithub-actionsopen-source-managementopenssf-scorecard

  JavaScript

  •

  Apache License 2.0

  •1414 forks•4848 stars•1313 issues•1111 pull requests•Updated Apr 10, 2026Apr 10, 2026

• wg-securing-software-repos

  Public
  OpenSSF Working Group on Securing Software Repositories

  Other

  •3030 forks•127127 stars•1111 issues•44 pull requests•Updated Apr 6, 2026Apr 6, 2026

• wg-orbit

  Public
  ORBIT: Open Resources for Baselines, Interoperability, and Tooling

  Apache License 2.0

  •44 forks•2424 stars•77 issues•11 pull request•Updated Mar 19, 2026Mar 19, 2026

• artwork

  Public
  OpenSSF Artwork

  Apache License 2.0

  •1010 forks•88 stars•00 issues•00 pull requests•Updated Mar 17, 2026Mar 17, 2026

• toolbelt

  Public

  ossf/toolbelt’s past year of commit activity
  Apache License 2.0

  •66 forks•2626 stars•00 issues•00 pull requests•Updated Mar 17, 2026Mar 17, 2026

• orbit-launchpad

  Public
  Apache License 2.0

  •11 fork•22 stars•22 issues•11 pull request•Updated Mar 8, 2026Mar 8, 2026

• SIRT

  Public
  The OSS-SIRT SIG (Open Source Software Security Incident Response Team Special Interest Group) is a group working within the OSSF's Vulnerability Disclosure Wor…

  Apache License 2.0

  •66 forks•1010 stars•22 issues•11 pull request•Updated Mar 1, 2026Mar 1, 2026

• sbom-everywhere

  Public

  ossf/sbom-everywhere’s past year of commit activity
  Improve Software Bill of Materials (SBOM) tooling and training to encourage adoption

  Vue

  •

  Apache License 2.0

  •4141 forks•113113 stars•2323 issues•1414 pull requests•Updated Feb 28, 2026Feb 28, 2026

• package-analysis

  Public

  ossf/package-analysis’s past year of commit activity
  Open Source Package Analysis

  Go

  •

  Apache License 2.0

  •6464 forks•876876 stars•6666 issues•1717 pull requests•Updated Feb 27, 2026Feb 27, 2026