{"id":13467123,"url":"https://github.com/build-trust/ockam","last_synced_at":"2025-12-11T23:45:43.039Z","repository":{"id":36955466,"uuid":"159866229","full_name":"build-trust/ockam","owner":"build-trust","description":"Orchestrate end-to-end encryption, cryptographic identities, mutual authentication, and authorization policies between distributed applications – at massive scale.","archived":false,"fork":false,"pushed_at":"2025-11-03T18:17:20.000Z","size":91304,"stargazers_count":4579,"open_issues_count":94,"forks_count":562,"subscribers_count":52,"default_branch":"develop","last_synced_at":"2025-12-05T21:31:36.815Z","etag":null,"topics":["authentication","authorization","credentials","distributed-systems","e2ee","encrypted-connections","encrypted-messages","encryption","end-to-end-encryption","identity","kafka","key-management","messaging","rust","security","snowflake","trust","zero-trust"],"latest_commit_sha":null,"homepage":"https://docs.ockam.io/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/build-trust.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"build-trust"}},"created_at":"2018-11-30T18:57:01.000Z","updated_at":"2025-12-03T08:57:16.000Z","dependencies_parsed_at":"2023-09-23T08:49:40.749Z","dependency_job_id":"223f9e03-5563-489b-9df6-29fe020cf1fd","html_url":"https://github.com/build-trust/ockam","commit_stats":{"total_commits":8897,"total_committers":351,"mean_commits":25.34757834757835,"dds":0.8224120490052826,"last_synced_commit":"8b6d1cdd
d0eba009d2948ffd8266bbffd314bc8f"},"previous_names":["ockam-network/ockam"],"tags_count":1063,"template":false,"template_full_name":null,"purl":"pkg:github/build-trust/ockam","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/build-trust%2Fockam","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/build-trust%2Fockam/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/build-trust%2Fockam/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/build-trust%2Fockam/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/build-trust","download_url":"https://codeload.github.com/build-trust/ockam/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/build-trust%2Fockam/sbom","scorecard":{"id":701472,"data":{"date":"2025-08-18T01:32:21Z","repo":{"name":"github.com/build-trust/ockam","commit":"7d4cb01a13b89c0ddb4050bd541c58b020135da1"},"scorecard":{"version":"v5.1.1","commit":"cd152cb6742c5b8f2f3d2b5193b41d9c50905198"},"score":7.9,"checks":[{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#dependency-update-tool"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#maintained"}},{"name":"Code-Review","score":6,"reason":"Found 11/17 approved changesets -- score normalized to 6","details":null,"documentation":{"short":"Determines if the project requires 
human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release-bump-pull-request.yml:46","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release-draft-binaries.yml:23","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release-draft-binaries.yml:178","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release-draft-binaries.yml:291","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release-draft-binaries.yml:405","Info: jobLevel 'actions' permission set to 'read': .github/workflows/release-ockam-package.yml:38","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release-ockam-package.yml:39","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecards.yml:20","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecards.yml:21","Info: topLevel 'contents' permission set to 'read': .github/workflows/all.yml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/distroless.yml:15","Info: topLevel 'contents' permission set to 'read': .github/workflows/docs_checks.yml:5","Info: topLevel 'contents' permission set to 'read': .github/workflows/elixir-ignored.yml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/elixir.yml:4","Info: 
topLevel 'contents' permission set to 'read': .github/workflows/make.yml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/ockam-artifact.yml:11","Info: topLevel 'contents' permission set to 'read': .github/workflows/ockam-healthcheck.yml:13","Info: topLevel permissions set to 'read-all': .github/workflows/osv-scanner.yml:11","Info: topLevel 'contents' permission set to 'read': .github/workflows/python-ignored.yml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/python.yml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/release-bump-pull-request.yml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/release-draft-binaries.yml:14","Info: topLevel 'contents' permission set to 'read': .github/workflows/release-ockam-package.yml:20","Info: topLevel 'contents' permission set to 'read': .github/workflows/release-publish-crates.yml:22","Info: topLevel 'contents' permission set to 'read': .github/workflows/rust-ignored.yml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/rust.yml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/scorecards.yml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/shell-ignored.yml:4","Info: topLevel 'contents' permission set to 'read': .github/workflows/shell.yml:5","Info: topLevel 'contents' permission set to 'read': .github/workflows/typos.yml:5"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source 
repository.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":-1,"reason":"internal error: error during json parsing: error during json.Unmarshal: invalid character '\u003c' looking for beginning of value","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#cii-best-practices"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/distroless.yml:26"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#packaging"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#signed-releases"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a 
license.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#license"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#sast"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Your token has not been granted the required scopes to execute this query. The 'rulesets' field requires one of the following scopes: ['public_repo'], but your token has only been granted the: [''] scopes. Please modify your token's scopes at: https://github.com/settings/tokens.","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/build-trust/.github/SECURITY.md:1","Info: Found linked content: github.com/build-trust/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/build-trust/.github/SECURITY.md:1","Info: Found text in security policy: github.com/build-trust/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#security-policy"}},{"name":"Pinned-Dependencies","score":5,"reason":"dependency not pinned by hash detected -- score normalized to 5","details":["Info: Possibly incomplete results: error parsing 
shell code: \"}\" can only be used to close a block: implementations/python/tests/bats/examples/local.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/python/tests/bats/examples_orchestrator/local.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/python/tests/bats/examples_orchestrator/main.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/examples/ai.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/examples/apis.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/examples/coderepos.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/examples/databases.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/examples/kafka.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/local/authority.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/local/command_reference.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/local/credentials.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: 
implementations/rust/ockam/ockam_command/tests/bats/local/identity.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/local/jq.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/local/kafka.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/local/message.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/local/nodes.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/local/policies.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/local/portals.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/local/portals_lifecycle.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/local/projects.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/local/relay.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/local/rendezvous_server.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: 
implementations/rust/ockam/ockam_command/tests/bats/local/reset.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/local/secure_channel.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/local/spaces.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/local/tcp.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/local/use_cases.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/local/vault.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/orchestrator/message.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/orchestrator/portals.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/orchestrator/projects.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/orchestrator/relay.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/orchestrator/spaces.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: 
implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/authority.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/back_compatibility.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/message.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/node_control_api.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/nodes.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/policies.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/portals.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/relay.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enroll/use_cases.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/command_reference.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: 
implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/identity.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/message.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/relay.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/orchestrator_enrolled/trust.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/serial/projects.bats:0","Info: Possibly incomplete results: error parsing shell code: \"}\" can only be used to close a block: implementations/rust/ockam/ockam_command/tests/bats/serial/use_cases.bats:0","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rust.yml:344: update your workflow using https://app.stepsecurity.io/secureworkflow/build-trust/ockam/rust.yml/develop?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/rust.yml:351: update your workflow using https://app.stepsecurity.io/secureworkflow/build-trust/ockam/rust.yml/develop?enable=pin","Warn: containerImage not pinned by hash: .devcontainer/Dockerfile:1: pin your Docker image by updating mcr.microsoft.com/vscode/devcontainers/base:0.202.7-bullseye to mcr.microsoft.com/vscode/devcontainers/base:0.202.7-bullseye@sha256:269cbbb2056243e2a88e21501d9a8166d1825d42abf6b67846b49b1856f4b133","Warn: containerImage not pinned by hash: examples/000/images/main/Dockerfile:1","Warn: containerImage not pinned by hash: examples/000/images/main/Dockerfile:5: pin your Docker image by updating ghcr.io/build-trust/ockam-python:latest to 
ghcr.io/build-trust/ockam-python:latest@sha256:59bfb82fc715262ff21eeea962d3c857edcced2ca2c031c7007bcbcf6056fa6b","Warn: containerImage not pinned by hash: examples/001/images/main/Dockerfile:1: pin your Docker image by updating ghcr.io/build-trust/ockam-python:latest to ghcr.io/build-trust/ockam-python:latest@sha256:59bfb82fc715262ff21eeea962d3c857edcced2ca2c031c7007bcbcf6056fa6b","Warn: containerImage not pinned by hash: examples/002/images/main/Dockerfile:1: pin your Docker image by updating ghcr.io/build-trust/ockam-python:latest to ghcr.io/build-trust/ockam-python:latest@sha256:59bfb82fc715262ff21eeea962d3c857edcced2ca2c031c7007bcbcf6056fa6b","Warn: containerImage not pinned by hash: examples/003/images/main/Dockerfile:1: pin your Docker image by updating ghcr.io/build-trust/ockam-python:latest to ghcr.io/build-trust/ockam-python:latest@sha256:59bfb82fc715262ff21eeea962d3c857edcced2ca2c031c7007bcbcf6056fa6b","Warn: containerImage not pinned by hash: examples/004/images/main/Dockerfile:1: pin your Docker image by updating ghcr.io/build-trust/ockam-python:latest to ghcr.io/build-trust/ockam-python:latest@sha256:59bfb82fc715262ff21eeea962d3c857edcced2ca2c031c7007bcbcf6056fa6b","Warn: containerImage not pinned by hash: examples/005/images/main/Dockerfile:1: pin your Docker image by updating ghcr.io/build-trust/ockam-python:latest to ghcr.io/build-trust/ockam-python:latest@sha256:59bfb82fc715262ff21eeea962d3c857edcced2ca2c031c7007bcbcf6056fa6b","Warn: containerImage not pinned by hash: examples/006/images/main/Dockerfile:1: pin your Docker image by updating ghcr.io/build-trust/ockam-python:latest to ghcr.io/build-trust/ockam-python:latest@sha256:59bfb82fc715262ff21eeea962d3c857edcced2ca2c031c7007bcbcf6056fa6b","Warn: containerImage not pinned by hash: examples/007/images/main/Dockerfile:1: pin your Docker image by updating ghcr.io/build-trust/ockam-python:latest to 
ghcr.io/build-trust/ockam-python:latest@sha256:59bfb82fc715262ff21eeea962d3c857edcced2ca2c031c7007bcbcf6056fa6b","Warn: containerImage not pinned by hash: examples/008/images/main/Dockerfile:1: pin your Docker image by updating ghcr.io/build-trust/ockam-python:a4cf960e2 to ghcr.io/build-trust/ockam-python:a4cf960e2@sha256:eeec58c80e28724d180f613fa6248fa8052d28e3f258cf81918ba3f650e57933","Warn: containerImage not pinned by hash: examples/009/images/main/Dockerfile:1: pin your Docker image by updating ghcr.io/build-trust/ockam-python:latest to ghcr.io/build-trust/ockam-python:latest@sha256:59bfb82fc715262ff21eeea962d3c857edcced2ca2c031c7007bcbcf6056fa6b","Warn: containerImage not pinned by hash: examples/010/images/main/Dockerfile:1: pin your Docker image by updating ghcr.io/build-trust/ockam-python:latest to ghcr.io/build-trust/ockam-python:latest@sha256:59bfb82fc715262ff21eeea962d3c857edcced2ca2c031c7007bcbcf6056fa6b","Warn: containerImage not pinned by hash: examples/010/images/runner/Dockerfile:1: pin your Docker image by updating ghcr.io/build-trust/ockam-python:latest to ghcr.io/build-trust/ockam-python:latest@sha256:59bfb82fc715262ff21eeea962d3c857edcced2ca2c031c7007bcbcf6056fa6b","Warn: containerImage not pinned by hash: examples/011/images/main/Dockerfile:1","Warn: containerImage not pinned by hash: examples/011/images/main/Dockerfile:7: pin your Docker image by updating ghcr.io/build-trust/ockam-python:latest to ghcr.io/build-trust/ockam-python:latest@sha256:59bfb82fc715262ff21eeea962d3c857edcced2ca2c031c7007bcbcf6056fa6b","Warn: containerImage not pinned by hash: examples/011/images/runner/Dockerfile:1","Warn: containerImage not pinned by hash: examples/011/images/runner/Dockerfile:7: pin your Docker image by updating ghcr.io/build-trust/ockam-python:latest to ghcr.io/build-trust/ockam-python:latest@sha256:59bfb82fc715262ff21eeea962d3c857edcced2ca2c031c7007bcbcf6056fa6b","Warn: containerImage not pinned by hash: examples/012/images/main/Dockerfile:1: pin 
your Docker image by updating ghcr.io/build-trust/ockam-python:latest to ghcr.io/build-trust/ockam-python:latest@sha256:59bfb82fc715262ff21eeea962d3c857edcced2ca2c031c7007bcbcf6056fa6b","Warn: containerImage not pinned by hash: examples/014/images/main/Dockerfile:1: pin your Docker image by updating ghcr.io/build-trust/ockam-python:b0f73e7d1 to ghcr.io/build-trust/ockam-python:b0f73e7d1@sha256:45292e94279a02c8959a67f8eef22979e70c0feddfeede8a3d51171cbec2d7ec","Warn: containerImage not pinned by hash: examples/015/images/main/Dockerfile:1: pin your Docker image by updating ghcr.io/build-trust/ockam-python:latest to ghcr.io/build-trust/ockam-python:latest@sha256:59bfb82fc715262ff21eeea962d3c857edcced2ca2c031c7007bcbcf6056fa6b","Warn: containerImage not pinned by hash: implementations/python/Dockerfile:1","Warn: containerImage not pinned by hash: implementations/python/Dockerfile:3: pin your Docker image by updating cgr.dev/chainguard/python:latest to cgr.dev/chainguard/python:latest@sha256:d409289a0684e02b95c10b586048c465f4032bc31b4055f59f38a73f914e7537","Warn: containerImage not pinned by hash: implementations/python/Dockerfile.dev:1","Warn: containerImage not pinned by hash: tools/docker/rendezvous/Dockerfile:1","Warn: containerImage not pinned by hash: tools/docker/rendezvous/Dockerfile:9: pin your Docker image by updating cgr.dev/chainguard/wolfi-base to cgr.dev/chainguard/wolfi-base@sha256:1fd981aa0bcefd8da87ce55a9ae907862fcb6835c658fdb284867117fb0268ce","Warn: containerImage not pinned by hash: tools/templates/ockam.dockerfile:25: pin your Docker image by updating cgr.dev/chainguard/glibc-dynamic:latest to cgr.dev/chainguard/glibc-dynamic:latest@sha256:f280bd47fd58f5d00246a2c4412350540e8915c82127949471fff1172ebd302c","Warn: downloadThenRun not pinned by hash: .devcontainer/Dockerfile:47-49","Warn: pipCommand not pinned by hash: examples/000/images/main/Dockerfile:3","Warn: pipCommand not pinned by hash: examples/011/images/main/Dockerfile:5","Warn: pipCommand 
not pinned by hash: examples/011/images/runner/Dockerfile:5","Warn: npmCommand not pinned by hash: tools/docker/builder/Dockerfile:26-182","Info:  36 out of  38 GitHub-owned GitHubAction dependencies pinned","Info:  24 out of  24 third-party GitHubAction dependencies pinned","Info:  11 out of  38 containerImage dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned","Info:   1 out of   4 pipCommand dependencies pinned","Info:   0 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#pinned-dependencies"}},{"name":"CI-Tests","score":10,"reason":"17 out of 17 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#ci-tests"}},{"name":"Vulnerabilities","score":6,"reason":"4 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: RUSTSEC-2023-0089","Warn: Project is vulnerable to: RUSTSEC-2024-0436","Warn: Project is vulnerable to: RUSTSEC-2023-0071","Warn: Project is vulnerable to: RUSTSEC-2024-0320"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#vulnerabilities"}},{"name":"Contributors","score":10,"reason":"project has 21 contributing companies or organizations","details":["Info: found contributions from: 744e756d0a, NixOS, Vergly, apache, atnos-org, build-trust, dashwave, eirproject, fortune electric, greatscottgadgets, holm security, https://www.caylent.com, imgui-rs, irdest, lift, microsoft, ockam, rusqlite, rust-lang, veeam, 
webrtc-rs"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#contributors"}}]},"last_synced_at":"2025-08-22T05:18:36.001Z","repository_id":36955466,"created_at":"2025-08-22T05:18:36.001Z","updated_at":"2025-08-22T05:18:36.001Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":27672364,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-11T02:00:11.302Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","authorization","credentials","distributed-systems","e2ee","encrypted-connections","encrypted-messages","encryption","end-to-end-encryption","identity","kafka","key-management","messaging","rust","security","snowflake","trust","zero-trust"],"created_at":"2024-07-31T15:00:53.315Z","updated_at":"2025-12-11T23:45:43.001Z","avatar_url":"https://github.com/build-trust.png","language":"Rust","funding_links":["https://github.com/sponsors/build-trust"],"categories":["Libraries","Rust","Repos","security","hacktoberfest","distributed-systems"],"sub_categories":["Network programming","Distributed systems"],"readme":"\n\u003ca href=\"https://discord.gg/RAbjRr3kds\"\u003e\u003cimg alt=\"Discord\" 
src=\"https://img.shields.io/discord/1074960884490833952?label=Discord\u0026logo=discord\u0026style=flat\u0026logoColor=white\"\u003e\u003c/a\u003e\n\n# Trust for Data-in-Motion\n\nOckam is a suite of open source programming libraries and command line tools to\norchestrate end-to-end encryption, mutual authentication, key management, credential\nmanagement, and authorization policy enforcement – at massive scale.\n\nModern applications are distributed and have an unwieldy number of\ninterconnections that must trustfully exchange data. To trust data-in-motion,\napplications need end-to-end guarantees of data authenticity, integrity, and\nconfidentiality. To be private and secure by-design, applications must have\ngranular control over every trust and access decision. Ockam allows you to add\nthese controls and guarantees to any application.\n\n## Quick Start\n\nLet's build a solution for a very common secure communication topology that\napplies to many real world use cases. We'll build our first example using\n[Ockam Command](https://docs.ockam.io/reference/command), but it is just as easy\nto build end-to-end trustful communication using\n[Ockam Programming Libraries](https://docs.ockam.io/reference/libraries/rust).\n\nAn application service and an application client running on two private networks\nwish to securely communicate with each other without exposing ports on the\nInternet. 
In a few simple commands, we’ll make them safely talk to each other\nthrough an End-to-End Encrypted Cloud Relay.\n\n## Install Ockam Command\n\nIf you use Homebrew, you can install Ockam using brew.\n\n```bash\n# Tap and install Ockam Command\nbrew install build-trust/ockam/ockam\n```\n\nThis will download a precompiled binary and add it to your path.\nIf you don’t use Homebrew, you can also install on Linux and macOS systems using curl.\n\n```bash\ncurl --proto '=https' --tlsv1.2 -sSfL https://install.command.ockam.io | bash\n```\n\n### End-to-end encrypted and mutually authenticated communication\n\nNext, step through the following commands to set up secure and private\ncommunication between our application service and an application client.\n\n```bash\n# Check that everything was installed correctly by enrolling with Ockam Orchestrator.\n#\n# This will create a Space and Project for you in Ockam Orchestrator and provision an\n# End-to-End Encrypted Cloud Relay service in your `default` project at `/project/default`.\nockam enroll\n\n# -- APPLICATION SERVICE --\n\n# Start an application service, listening on a local IP and port, that clients would access\n# through the cloud encrypted relay. We'll use a simple HTTP server for this first example\n# but this could be any other application service.\npython3 -m http.server --bind 127.0.0.1 6000\n\n# In a new terminal window, set up a tcp-outlet that makes a TCP service available at the given\n# address `6000`. We can use this to send raw TCP traffic to the HTTP server on port `6000`.\n# Finally create a relay in your default Orchestrator project. 
Relays make it possible to\n# establish end-to-end protocols with services operating in remote private networks, without\n# requiring a remote service to expose listening ports to an outside hostile network like the\n# Internet.\nockam tcp-outlet create --to 6000\nockam relay create\n\n# -- APPLICATION CLIENT --\n\n# Set up a local tcp-inlet to allow raw TCP traffic to be received on port `7000` before\n# it is forwarded. A TCP inlet is a way of defining where a node should be listening for\n# connections, and where it should forward that traffic to.\nockam tcp-inlet create --from 7000\n\n# Access the application service, that may be in a remote private network through\n# the end-to-end encrypted secure channel, via your private and encrypted cloud relay.\ncurl --head 127.0.0.1:7000\n```\n\n### Private and secure by design\n\nIn the example above, we’ve created two nodes and established an end-to-end\nsecure channel between them through an encrypted cloud relay. For the sake of\nsimplicity, we ran both ends on a single machine, but they could also be run on\ncompletely separate machines with the same result: an end-to-end encrypted and\nmutually authenticated secure channel.\n\nDistributed applications that are connected in this way can communicate without\nthe risk of spoofing, tampering, or eavesdropping attacks, irrespective of transport\nprotocols, communication topologies, and network configuration. 
As application\ndata flows across data centers, through queues and caches, via gateways and\nbrokers - these intermediaries, like the cloud relay in the above example, can\nfacilitate communication but cannot eavesdrop on, or tamper with data.\n\nYou can establish secure channels across networks and clouds over multi-hop,\nmulti-protocol routes to build private and secure by design distributed applications\nthat have a small vulnerability surface and full control over data authenticity,\nintegrity, and confidentiality.\n\n### Trust for data-in-motion\n\nBehind the scenes, the above commands generated unique cryptographically\nprovable identities and saved corresponding keys in a vault. Your orchestrator\nproject was provisioned with a managed credential authority, and every node was\nset up to anchor trust in credentials issued by this authority. Identities were\nissued project membership credentials, and these cryptographically verifiable\ncredentials were then combined with attribute based access control policies to\nset up a mutually authenticated and authorized end-to-end secure channel.\n\nYour applications can make granular access control decisions at every request\nbecause they can be certain about the source and integrity of all data and instructions.\nYou place zero implicit trust in network boundaries and intermediaries to build\napplications that have end-to-end application layer trust for all data in motion.\n\n### Powerful protocols, made simple\n\nUnderlying all of this is a variety of cryptographic and messaging protocols.\nWe’ve made these protocols safe and easy to use in any application.\n\nNo more having to think about creating unique cryptographic keys and issuing\ncredentials to all application entities. No more designing ways to safely store\nsecrets in hardware and securely distribute roots of trust. 
Ockam’s integrated\napproach takes away this complexity and gives you simple tools for:\n\n\u003cins\u003eEnd-to-end data authenticity, integrity, and privacy in any communication topology\u003c/ins\u003e\n\n* Create end-to-end encrypted, authenticated secure channels over any transport topology.\n* Create secure channels over multi-hop, multi-protocol routes - TCP, UDP, WebSockets, BLE, etc.\n* Provision encrypted relays for applications distributed across many edge and cloud private networks.\n* Make legacy protocols secure by tunneling them through mutually authenticated and encrypted portals.\n* Bring end-to-end encryption to enterprise messaging, pub/sub and event streams - Kafka, RabbitMQ etc.\n\n\u003cins\u003eIdentity-based, policy driven, application layer trust – granular authentication and authorization\u003c/ins\u003e\n\n* Generate cryptographically provable unique identities.\n* Store private keys in safe vaults - hardware secure enclaves and cloud key management systems.\n* Operate scalable credential authorities to issue lightweight, short-lived, attribute-based credentials.\n* Onboard fleets of self-sovereign application identities using secure enrollment protocols.\n* Rotate and revoke keys and credentials – at scale, across fleets.\n* Define and enforce project-wide attribute based access control policies - ABAC, RBAC or ACLs.\n* Integrate with enterprise identity providers and policy providers for seamless employee access.\n\n## Deep Dives\n\nNext let's dive into a step-by-step guide on our command line and programming libraries.\n\n* [__Ockam Command__](https://docs.ockam.io/reference/command)\nCommand line tools to build and orchestrate highly secure distributed applications.\nOrchestrate nodes, vaults, identities, credentials, secure channels, relays, portals and more.\n[👉](https://docs.ockam.io/reference/command)\n\n* [__Ockam Programming Libraries__](https://docs.ockam.io/reference/libraries)\nRust and Elixir libraries to build secure by 
design applications for any environment\n– from highly scalable cloud infrastructure to tiny battery operated microcontroller devices.\n[👉](https://docs.ockam.io/reference/libraries)\n\n* [__Ockam Protocols__](https://docs.ockam.io/reference/protocols)\nCryptographic and Messaging Protocols that make up the core of Ockam and provide the foundation for end-to-end application layer trust in data.\n[👉](https://docs.ockam.io/reference/libraries)\n\n## License\n\nThe code in this repository is licensed under the terms of the [Apache License 2.0](LICENSE).\n\n## Sponsorship Matching Program\n\nOckam sponsors open source builders who are making it possible for software to be more private and secure-by-design. This includes builders of tools and libraries that Ockam depends on. Under our matching program, if you sponsor the Ockam Open Source project, we will match your contribution and pass it along to other open source developers. For example: If you sponsor Ockam for $10 a month, we will match your $10, and will send $20 back out into the community. Learn more about our [sponsorship matching program](https://github.com/sponsors/build-trust) [👉](https://github.com/sponsors/build-trust)\n\n## Learn more about Ockam\n\n- [ockam.io](https://www.ockam.io/)\n- [Documentation](https://docs.ockam.io/)\n- [Contribute to Ockam](https://github.com/build-trust/.github/blob/main/CONTRIBUTING.md#contributing-to-ockam-on-github)\n- [Build Trust community Discord server](https://discord.gg/RAbjRr3kds)\n- [Ockam Orchestrator on AWS Marketplace](https://aws.amazon.com/marketplace/pp/prodview-wsd42efzcpsxk)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbuild-trust%2Fockam","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbuild-trust%2Fockam","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbuild-trust%2Fockam/lists"}