Open Source Security Foundation (OpenSSF) Best Practices Badge
Question: What is the current OpenSSF Best Practices status for the project?
Overview
The OpenSSF Best Practices Badge, from the Linux Foundation, allows open source projects to voluntarily self-certify that they follow open source best practices. Projects can use the OpenSSF Best Practices Badge web application to explain how they adhere to each best practice. A project receives a passing badge if it meets all the required criteria.
The badge focuses on cybersecurity in open source software, helping to ensure that projects follow best practices for producing secure, high-quality software.
The OpenSSF Best Practices Badge:
- Indicates a project's compliance with "open source project best practices" as defined by the Linux Foundation's Core Infrastructure Initiative.
- Encourages open source projects to produce secure software by adhering to established best practices.
- Enables consumers to assess which open source projects are more likely to produce secure, reliable software based on their compliance with these best practices.
Data Collection Strategies
From the OpenSSF Best Practices Badging page, a project's OpenSSF Best Practices status is assessed as follows:
- Projects receive a passing badge if they meet all required criteria.
- The status of each criterion, for a given project, can be 'Met', 'Unmet', 'N/A' or 'unknown'.
- Each criterion is in one of four categories: 'MUST', 'SHOULD', 'SUGGESTED', or 'FUTURE'.
- To obtain a badge, all the MUST and MUST NOT criteria must be met, all SHOULD criteria must be met OR the rationale for not implementing the criterion must be documented, and all SUGGESTED criteria have to be rated as met or unmet.
- Advanced badge levels of silver and gold are available if the project satisfies the additional criteria for those levels.
For further information, refer to OpenSSF's API documentation.
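The passing-badge rule listed above (all MUST criteria met, SHOULD criteria met or justified, SUGGESTED criteria at least rated, FUTURE criteria ignored) is easy to apply mechanically to per-criterion status data. The script below is an added example, not CHAOSS or OpenSSF code. It assumes the badge API's project JSON exposes one `<criterion>_status` field ("Met", "Unmet", "N/A", or "?" for unrated) and one `<criterion>_justification` field per criterion; the criterion names and categories in `CATEGORY`, and the two project records, are constructed for illustration and are not the full OpenSSF criteria list.

```python
"""Apply the OpenSSF Best Practices passing-badge rule to badge-API-style project data.

Added example, not CHAOSS or OpenSSF code. Assumed field naming:
"<criterion>_status" and "<criterion>_justification" per criterion.
"""
import json

# Constructed subset of criteria with their (assumed) categories.
CATEGORY = {
    "know_secure_design": "MUST",
    "crypto_published": "MUST",
    "no_leaked_credentials": "MUST",  # a MUST NOT criterion is checked like a MUST
    "static_analysis": "SHOULD",
    "dynamic_analysis": "SUGGESTED",
    "crypto_weaknesses": "FUTURE",
}


def check_criterion(name, project):
    """Return None when the criterion satisfies the badge rule, else the reason it fails."""
    category = CATEGORY[name]
    status = project.get(f"{name}_status", "?")
    justification = (project.get(f"{name}_justification") or "").strip()

    if category == "MUST":
        # MUST / MUST NOT criteria must be met outright.
        return None if status == "Met" else f"{name}: MUST criterion is {status!r}"
    if category == "SHOULD":
        # SHOULD criteria may be unmet only with a documented rationale.
        if status == "Met" or justification:
            return None
        return f"{name}: SHOULD criterion is {status!r} with no documented rationale"
    if category == "SUGGESTED":
        # SUGGESTED criteria only need to be rated (met or unmet), not left unknown.
        if status in ("Met", "Unmet"):
            return None
        return f"{name}: SUGGESTED criterion not rated ({status!r})"
    # FUTURE criteria do not affect the passing badge.
    return None


def evaluate(project):
    """Evaluate one project record; returns its passing status and the list of failures."""
    failures = []
    for name in CATEGORY:
        reason = check_criterion(name, project)
        if reason:
            failures.append(reason)
    return {"name": project["name"], "passing": not failures, "failures": failures}


# Constructed sample records in the assumed shape of the badge API's project JSON.
SAMPLE_JSON = """
[
  {"name": "example-lib-a",
   "know_secure_design_status": "Met", "know_secure_design_justification": "",
   "crypto_published_status": "Met", "crypto_published_justification": "",
   "no_leaked_credentials_status": "Met", "no_leaked_credentials_justification": "",
   "static_analysis_status": "Unmet",
   "static_analysis_justification": "Static analysis is planned for the next release.",
   "dynamic_analysis_status": "Unmet", "dynamic_analysis_justification": "",
   "crypto_weaknesses_status": "?", "crypto_weaknesses_justification": ""},
  {"name": "example-lib-b",
   "know_secure_design_status": "Met", "know_secure_design_justification": "",
   "crypto_published_status": "?", "crypto_published_justification": "",
   "no_leaked_credentials_status": "Met", "no_leaked_credentials_justification": "",
   "static_analysis_status": "Unmet", "static_analysis_justification": "",
   "dynamic_analysis_status": "?", "dynamic_analysis_justification": "",
   "crypto_weaknesses_status": "?", "crypto_weaknesses_justification": ""}
]
"""

PROJECTS = json.loads(SAMPLE_JSON)


def evaluate_all(projects=PROJECTS):
    """Map project name -> evaluation result for a list of project records."""
    return {p["name"]: evaluate(p) for p in projects}


if __name__ == "__main__":
    for result in evaluate_all().values():
        print(result["name"], "PASSING" if result["passing"] else "NOT PASSING")
        for reason in result["failures"]:
            print("  -", reason)
```

With the constructed data, `example-lib-a` passes (its unmet SHOULD criterion carries a rationale and its unmet SUGGESTED criterion is at least rated), while `example-lib-b` fails on three counts: an unrated MUST criterion, an unjustified unmet SHOULD criterion, and an unrated SUGGESTED criterion. The same `evaluate` function can be applied to real records once the full criteria list and categories are filled in from OpenSSF's API documentation.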
Filters
The metric can be filtered by:
- Badge level (Passing, Silver, Gold)
- Project type or focus area (e.g., cybersecurity projects)
- Criteria status (Met, Unmet, N/A, Unknown)
- Compliance trends over time
Visualizations
Figure 1: Example of OpenSSF Best Practices Badge (OpenSSF)
References
Contributors
- Elizabeth Barron
- Sean Goggins
- Matt Germonprez
- Daniel Izquierdo
- Dawn Foster
- Beth Hancock
- Kevin Lumbard
- Vinod Ahuja
- Yigakpoa L. Samuel (Ikpae)
Additional Information
- To edit this metric please submit a Change Request here: https://github.com/chaoss/wg-risk/blob/main/focus-areas/security/openssf-best-practices.md
- To reference this metric in software or publications please use this stable URL: https://chaoss.community/?p=3939
The usage and dissemination of health metrics may lead to privacy violations. Organizations may be exposed to risks. These risks may flow from compliance with the GDPR in the EU, with state law in the US, or with other laws. There may also be contractual risks flowing from terms of service for data providers such as GitHub and GitLab. The usage of metrics must be examined for risk and potential data ethics problems. Please see the CHAOSS Data Ethics document for additional guidance.