Repositories list

• malicious-packages

  Public
  A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.

  Go

  •

  Apache License 2.0

  •9999 forks•517517 stars•2323 issues•1010 pull requests•Updated May 26, 2026May 26, 2026

• tac

  Public
  Technical Advisory Council

  Other

  •8383 forks•144144 stars•3737 issues•1616 pull requests•Updated May 26, 2026May 26, 2026

• oss-crs

  Public
  Cyber Reasoning Systems for Bug-Finding and Patching in Open Source Software

  Python

  •

  MIT License

  •1111 forks•8787 stars•2828 issues•55 pull requests•Updated May 26, 2026May 26, 2026

• cve-bin-tool

  Public
  The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 350 common, vulnerable components (openssl…

  pythonsecurityvulnerability+ 11

  pythonsecurityvulnerabilityvulnerabilitiescvehacktoberfestcvsssecurity-automationsecurity-toolsdevsecops+ 4

  Python

  •

  GNU General Public License v3.0

  •620620 forks•1.7k1.7k stars•146146 issues•5353 pull requests•Updated May 26, 2026May 26, 2026

• scorecard-action

  Public
  Official GitHub Action for OpenSSF Scorecard.

  githubsecuritysupply-chain+ 2

  githubsecuritysupply-chaingithub-actionsopenssf-scorecard

  Go

  •

  Apache License 2.0

  •8585 forks•380380 stars•3030 issues•1818 pull requests•Updated May 26, 2026May 26, 2026

• si-tooling

  Public
  Python

  •

  Apache License 2.0

  •44 forks•99 stars•22 issues•22 pull requests•Updated May 26, 2026May 26, 2026

• fuzz-introspector

  Public
  Fuzz Introspector -- introspect, extend and optimise fuzzers

  testingsecurityfuzzing+ 3

  testingsecurityfuzzingfuzz-testingvulnerability-analysissecurity-research

  Python

  •

  Apache License 2.0

  •8585 forks•455455 stars•109109 issues•1010 pull requests•Updated May 26, 2026May 26, 2026

• allstar

  Public
  GitHub App to set and enforce security policies

  Go

  •

  Apache License 2.0

  •146146 forks•1.4k1.4k stars•5858 issues•22 pull requests•Updated May 25, 2026May 25, 2026

• glossary

  Public
  A reference for common terms when talking about OpenSSF and open source software security.

  JavaScript

  •

  Apache License 2.0

  •66 forks•44 stars•44 issues•33 pull requests•Updated May 25, 2026May 25, 2026

• scorecard

  Public
  OpenSSF Scorecard - Security health metrics for Open Source

  scorecardopenssf-scorecard

  scorecardopenssf-scorecard

  Go

  •

  Apache License 2.0

  •650650 forks•5.5k5.5k stars•368368 issues•3737 pull requests•Updated May 25, 2026May 25, 2026

• pvtr-github-repo-scanner

  Public
  Privateer plugin for scanning the security hygiene of a GitHub repository.

  Go

  •

  Apache License 2.0

  •1414 forks•2323 stars•2424 issues•1212 pull requests•Updated May 25, 2026May 25, 2026

• package-analysis

  Public
  Open Source Package Analysis

  Go

  •

  Apache License 2.0

  •6969 forks•890890 stars•6565 issues•1010 pull requests•Updated May 25, 2026May 25, 2026

• osv-schema

  Public
  Open Source Vulnerability schema.

  Go

  •

  Apache License 2.0

  •115115 forks•252252 stars•5050 issues•66 pull requests•Updated May 25, 2026May 25, 2026

• scorecard-webapp

  Public
  Website and API for OpenSSF Scorecard

  openssf-scorecard

  openssf-scorecard

  Go

  •

  Apache License 2.0

  •3030 forks•2828 stars•3232 issues•3333 pull requests•Updated May 23, 2026May 23, 2026

• secure-sw-dev-fundamentals

  Public
  Secure Software Development Fundamentals courses (from the OpenSSF Best Practices WG)

  CSS

  •

  Creative Commons Attribution 4.0 International

  •5151 forks•203203 stars•3434 issues•44 pull requests•Updated May 22, 2026May 22, 2026

• security-baseline

  Public
  Go

  •

  Apache License 2.0

  •4040 forks•154154 stars•5757 issues•55 pull requests•Updated May 22, 2026May 22, 2026

• wg-best-practices-os-developers

  Public
  The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.

  JavaScript

  •

  Apache License 2.0

  •199199 forks•1k1k stars•8282 issues•1515 pull requests•Updated May 20, 2026May 20, 2026

• ossf-landscape

  Public
  Apache License 2.0

  •2828 forks•3131 stars•00 issues•00 pull requests•Updated May 20, 2026May 20, 2026

• sig-basejump

  Public
  Python

  •

  Apache License 2.0

  •00 forks•22 stars•00 issues•66 pull requests•Updated May 19, 2026May 19, 2026

• wg-bear

  Public
  The BEAR (Belonging, Empowerment, Allyship, and Representation) WG, formerly DEI, was formed in December 2023 to enhance representation and cybersecurity workfo…

  Apache License 2.0

  •77 forks•1313 stars•1010 issues•22 pull requests•Updated May 18, 2026May 18, 2026

• model-signing-spec

  Public
  Model Signing Specification

  Python

  •

  Apache License 2.0

  •44 forks•1616 stars•33 issues•33 pull requests•Updated May 15, 2026May 15, 2026

• scorecard-visualizer

  Public
  Tool for visualizing the Open SSF Scorecard Api data in a human friendly way

  openssfopenssf-scorecard

  openssfopenssf-scorecard

  TypeScript

  •

  Apache License 2.0

  •77 forks•1919 stars•11 issue•1515 pull requests•Updated May 14, 2026May 14, 2026

• alpha-omega

  Public
  Our mission is to catalyze sustainable improvements to critical open source software projects and ecosystems.

  securityopensourceopen-source-security

  securityopensourceopen-source-security

  Open Policy Agent

  •

  Apache License 2.0

  •6464 forks•128128 stars•00 issues•00 pull requests•Updated May 12, 2026May 12, 2026

• gpu-hashlib

  Public
  Apache License 2.0

  •11 fork•11 star•00 issues•11 pull request•Updated May 11, 2026May 11, 2026

• scorecard-monitor

  Public
  Simplify OpenSSF Scorecard tracking in your organization with automated markdown and JSON reports, plus optional GitHub issue alerts

  securitysecurity-auditsecurity-tools+ 3

  securitysecurity-auditsecurity-toolsgithub-actionsopen-source-managementopenssf-scorecard

  JavaScript

  •

  Apache License 2.0

  •1515 forks•4848 stars•1414 issues•66 pull requests•Updated May 11, 2026May 11, 2026

• security-insights

  Public
  Machine-readable specification for the attestation of security-relevant data.

  Go

  •

  Other

  •1717 forks•7575 stars•88 issues•22 pull requests•Updated May 11, 2026May 11, 2026

• security-assessments

  Public
  Apache License 2.0

  •77 forks•1818 stars•77 issues•11 pull request•Updated May 8, 2026May 8, 2026

• ai-ml-security

  Public
  Working Group on Artificial Intelligence and Machine Learning (AI/ML) Security

  Apache License 2.0

  •2727 forks•169169 stars•1111 issues•00 pull requests•Updated May 1, 2026May 1, 2026

• .github

  Public
  Github configuration

  77 forks•22 stars•00 issues•11 pull request•Updated Apr 27, 2026Apr 27, 2026

• wg-globalcyberpolicy

  Public
  Global Cyber Policy Working Group

  Apache License 2.0

  •2121 forks•114114 stars•1717 issues•00 pull requests•Updated Apr 21, 2026Apr 21, 2026