{"id":49924809,"url":"https://github.com/kirankotari/ossguard","last_synced_at":"2026-05-16T22:41:44.613Z","repository":{"id":356770483,"uuid":"1233957207","full_name":"kirankotari/ossguard","owner":"kirankotari","description":"One CLI to guard any OSS project with OpenSSF security best practices — bootstrap, scan, and monitor.","archived":false,"fork":false,"pushed_at":"2026-05-09T18:17:44.000Z","size":52,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-09T18:20:59.259Z","etag":null,"topics":["cli","openssf","ossguard","sbom","scorecard","security","slsa","supply-chain"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kirankotari.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-09T15:06:44.000Z","updated_at":"2026-05-09T18:17:49.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/kirankotari/ossguard","commit_stats":null,"previous_names":["kirankotari/ossguard"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/kirankotari/ossguard","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kirankotari%2Fossguard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kirankotari%2Fossguard/tags","releases_url":"https://repos.ecosyste.ms/api/v
1/hosts/GitHub/repositories/kirankotari%2Fossguard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kirankotari%2Fossguard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kirankotari","download_url":"https://codeload.github.com/kirankotari/ossguard/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kirankotari%2Fossguard/sbom","scorecard":{"id":1247184,"data":{"date":"2026-05-09T18:17:59Z","repo":{"name":"github.com/kirankotari/ossguard","commit":"10a202141e3dbd7e6796f5244e27e8467f8a77e8"},"scorecard":{"version":"v5.0.0","commit":"ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"},"score":4.7,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":-1,"reason":"no pull request found","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices 
Badge.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":0,"reason":"Found 0/15 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review"}},{"name":"Contributors","score":10,"reason":"project has 4 contributing companies or organizations","details":["Info: pyenv-win contributor org/company found, network-tools contributor org/company found, pydevtools contributor org/company found, cisco systems contributor org/company found, "],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":0,"reason":"no update tool detected","details":["Warn: no dependency update tool configurations found"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses 
fuzzing.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license"}},{"name":"Maintained","score":0,"reason":"project was created in last 90 days. please review its contents carefully","details":["Warn: Repository was created in last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs-ci.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/kirankotari/ossguard/docs-ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docs-ci.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/kirankotari/ossguard/docs-ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs-ci.yml:29: update your workflow using 
https://app.stepsecurity.io/secureworkflow/kirankotari/ossguard/docs-ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docs-ci.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/kirankotari/ossguard/docs-ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/kirankotari/ossguard/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:165: update your workflow using https://app.stepsecurity.io/secureworkflow/kirankotari/ossguard/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/kirankotari/ossguard/scorecard.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/scorecard.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/kirankotari/ossguard/scorecard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/kirankotari/ossguard/scorecard.yml/main?enable=pin","Info:   0 out of   6 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:163","Info: topLevel permissions set to 'read-all': .github/workflows/docs-ci.yml:9","Info: topLevel permissions set to 'read-all': .github/workflows/release.yml:8","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:9"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2026-05-09T18:35:12.375Z","repository_id":356770483,"created_at":"2026-05-09T18:35:12.375Z","updated_at":"2026-05-09T18:35:12.375Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33121697,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-16T18:38:32.183Z","status":"ssl_error","status_checked_at":"2026-05-16T18:38:29.903Z","response_time":115,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","openssf","ossguard","sbom","scorecard","security","slsa","supply-chain"],"created_at":"2026-05-16T22:41:42.584Z","updated_at":"2026-05-16T22:41:44.605Z","avatar_url":"https://github.com/kirankotari.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/ossguard.png\" width=\"140\" height=\"140\" alt=\"OSSGuard\"\u003e\u003cbr\u003e\n  \u003cstrong\u003eOSSGuard\u003c/strong\u003e\u003cbr\u003e\n  \u003cem\u003eOne CLI to guard any OSS project with OpenSSF security best practices\u003c/em\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://pypi.org/project/ossguard/\"\u003e\u003cimg src=\"https://img.shields.io/pypi/v/ossguard?cacheSeconds=300\" alt=\"PyPI\"\u003e\u003c/a\u003e\n  \u003ca 
href=\"https://www.npmjs.com/package/ossguard\"\u003e\u003cimg src=\"https://img.shields.io/npm/v/ossguard\" alt=\"npm\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://pkg.go.dev/github.com/kirankotari/ossguard-go\"\u003e\u003cimg src=\"https://img.shields.io/github/v/release/kirankotari/ossguard-go?label=go\" alt=\"Go\"\u003e\u003c/a\u003e\n  \u003ca href=\"LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-Apache_2.0-blue.svg\" alt=\"License\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\nOSSGuard scans any project and tells you exactly what [OpenSSF](https://openssf.org/) security components are missing — then fixes them. It works with **Python, JavaScript, Go, Rust, Java, C/C++**, and more.\n\n\u003e OSSGuard is **not** a replacement for any OpenSSF project. It is a **unifier** that makes it trivially easy to adopt the tools and practices that OpenSSF working groups have built.\n\n## Table of Contents\n\n- [Quick Start](#quick-start)\n- [Installation](#installation)\n- [Commands](#commands)\n  - [Core](#core)\n  - [Security Analysis](#security-analysis)\n  - [Dependency Management](#dependency-management)\n  - [Compliance \u0026 Generation](#compliance--generation)\n- [Real-World Results](#real-world-results)\n- [JSON Output for CI](#json-output-for-ci)\n- [GitHub Action](#github-action)\n- [Implementations](#implementations)\n- [Documentation](#documentation)\n- [How OSSGuard Relates to OpenSSF](#how-ossguard-relates-to-openssf)\n- [Contributing](#contributing)\n- [License](#license)\n\n## Quick Start\n\n```bash\n# Install (pick one)\npip install ossguard                      # Python 3.9+\nbrew install kirankotari/tap/ossguard     # macOS / Linux\nnpx ossguard                              # Node.js (zero install)\n\n# Scan any project\nossguard scan .\n\n# Full security audit\nossguard audit .\n\n# Bootstrap all OpenSSF configs\nossguard init .\n```\n\nSee the [Getting Started](docs/getting-started.md) guide for a full walkthrough.\n\n## 
Installation\n\n| Method | Command | Docs |\n|--------|---------|------|\n| **pip** | `pip install ossguard` | [details](docs/installation.md#pip) |\n| **Homebrew** | `brew install kirankotari/tap/ossguard` | [details](docs/installation.md#homebrew) |\n| **npm / npx** | `npx ossguard` | [details](docs/installation.md#npm--npx) |\n| **Go** | `go install github.com/kirankotari/ossguard-go/cmd/ossguard@latest` | [details](docs/installation.md#go) |\n| **Binary** | Download from [releases](https://github.com/kirankotari/ossguard-go/releases) | [details](docs/installation.md#binary-download) |\n| **Docker** | `docker run ghcr.io/kirankotari/ossguard-go:0.1.3` | [details](docs/installation.md#docker) |\n\nSee [docs/installation.md](docs/installation.md) for full instructions, shell completions, and verification steps.\n\n## Commands\n\nOSSGuard ships **27 commands** grouped into four categories. Every command accepts a project path as a positional argument and supports `--json` for machine-readable output.\n\n### Core\n\n| Command | Description |\n|---------|-------------|\n| [`init`](docs/commands/core.md#init) | Bootstrap SECURITY.md, Scorecard, Dependabot, CodeQL, SBOM, Sigstore configs |\n| [`scan`](docs/commands/core.md#scan) | Read-only security posture check |\n| [`audit`](docs/commands/core.md#audit) | Comprehensive security audit (config + deps + reachability) |\n| [`version`](docs/commands/core.md#version) | Show version |\n\n```\n$ ossguard scan .\nProject: requests\nLanguage: python\n  ✓ SECURITY.md\n  ✗ Scorecard\n  ✓ Dependabot\n  ✓ CodeQL\n  ✗ SBOM workflow\n  ✗ Sigstore\n```\n\u003e *Real output from [psf/requests](https://github.com/psf/requests)*\n\n```\n$ ossguard audit .\nAudit: transformers — Grade: C (1/6 config checks)\n  ⚠ Missing Scorecard workflow\n  ⚠ Missing Dependabot\n  ⚠ Missing CodeQL\n  ⚠ Missing SBOM workflow\n  ⚠ Missing Sigstore\n  → Run `ossguard init` to fix\n```\n\u003e *Real output from 
[huggingface/transformers](https://github.com/huggingface/transformers)*\n\n### Security Analysis\n\n| Command | Description |\n|---------|-------------|\n| [`secrets`](docs/commands/security.md#secrets) | Scan for leaked credentials (24 detection rules) |\n| [`baseline`](docs/commands/security.md#baseline) | OSPS Security Baseline compliance (34 controls, Levels 1-3) |\n| [`slsa`](docs/commands/security.md#slsa) | SLSA Build Level assessment (Levels 1-4, 12 requirements) |\n| [`badge`](docs/commands/security.md#badge) | OpenSSF Best Practices Badge readiness |\n| [`maturity`](docs/commands/security.md#maturity) | S2C2F supply chain maturity (22 practices, Levels 1-4) |\n| [`container`](docs/commands/security.md#container) | Dockerfile security linting (12 rules) |\n| [`fuzz`](docs/commands/security.md#fuzz) | Fuzzing readiness check + starter harness generation |\n\n```\n$ ossguard secrets .\nSecrets scan: 123 files, 13 findings\n  src/requests/adapters.py:284 [medium] generic-secret\n  tests/certs/expired/ca/ca-private.key:1 [critical] private-key\n  tests/certs/valid/server/server.key:1 [critical] private-key\n```\n\u003e *Real output from [psf/requests](https://github.com/psf/requests) — test certificates flagged as expected*\n\n```\n$ ossguard baseline .\nBaseline Level 1 — L1: 100%, L2: 62%, L3: 0%\n```\n\u003e *Real output from [psf/requests](https://github.com/psf/requests)*\n\n### Dependency Management\n\n| Command | Description |\n|---------|-------------|\n| [`deps`](docs/commands/dependencies.md#deps) | Dependency health — vulns (OSV), risk scores (deps.dev) |\n| [`drift`](docs/commands/dependencies.md#drift) | SBOM diff between releases |\n| [`watch`](docs/commands/dependencies.md#watch) | Continuous vulnerability monitoring |\n| [`reach`](docs/commands/dependencies.md#reach) | Reachability-filtered vulnerability analysis |\n| [`update`](docs/commands/dependencies.md#update) | Security-prioritized dependency updates |\n| 
[`license`](docs/commands/dependencies.md#license) | License compliance and conflict detection |\n| [`supply-chain`](docs/commands/dependencies.md#supply-chain) | Malicious package + typosquatting detection |\n| [`tpn`](docs/commands/dependencies.md#tpn) | Third-party notice generation |\n\n### Compliance \u0026 Generation\n\n| Command | Description |\n|---------|-------------|\n| [`policy`](docs/commands/compliance.md#policy) | Org-wide security policy enforcement |\n| [`ci`](docs/commands/compliance.md#ci) | Generate unified CI security pipeline |\n| [`report`](docs/commands/compliance.md#report) | Export HTML or JSON compliance report |\n| [`insights`](docs/commands/compliance.md#insights) | Generate or validate SECURITY-INSIGHTS.yml |\n| [`pin`](docs/commands/compliance.md#pin) | Pin GitHub Actions to commit SHAs |\n| [`fix`](docs/commands/compliance.md#fix) | Auto-remediate common security issues |\n| [`sbom-gen`](docs/commands/compliance.md#sbom-gen) | Generate SPDX 2.3 or CycloneDX 1.5 SBOMs |\n| [`compare`](docs/commands/compliance.md#compare) | Compare security posture of two projects |\n\nSee [docs/commands/](docs/commands/) for detailed usage, flags, and output examples for every command.\n\n## Real-World Results\n\nScan results from popular open-source projects (May 2025):\n\n| Project | Grade | Config | Baseline | Badge | Secrets |\n|---------|-------|--------|----------|-------|---------|\n| [psf/requests](https://github.com/psf/requests) | **B** | 3/6 | Level 1 | Silver (80%) | 13 findings |\n| [huggingface/transformers](https://github.com/huggingface/transformers) | **C** | 1/6 | Level 0 | In Progress (70%) | 1 finding |\n| [scikit-learn/scikit-learn](https://github.com/scikit-learn/scikit-learn) | **B** | 3/6 | Level 0 | In Progress (70%) | — |\n| [langchain-ai/langchain](https://github.com/langchain-ai/langchain) | **C** | 1/6 | Level 0 | — | 23 findings |\n| [fastapi/fastapi](https://github.com/fastapi/fastapi) | **B** | 2/6 | Level 0 | — | 400+ 
findings |\n\n## JSON Output for CI\n\nEvery command supports `--json` for CI/automation pipelines:\n\n```json\n$ ossguard scan --json .\n{\n  \"repo_name\": \"requests\",\n  \"primary_language\": \"python\",\n  \"package_managers\": [\"pip\"],\n  \"has_github_actions\": true,\n  \"has_security_md\": true,\n  \"has_scorecard\": false,\n  \"has_dependabot\": true,\n  \"has_codeql\": true,\n  \"has_sbom_workflow\": false,\n  \"has_sigstore\": false\n}\n```\n\u003e *Real output from [psf/requests](https://github.com/psf/requests)*\n\nSee [docs/ci-integration.md](docs/ci-integration.md) for GitHub Actions, GitLab CI, and quality-gate examples.\n\n## GitHub Action\n\nOSSGuard also ships as a **GitHub Action** that automatically reviews every pull request for OpenSSF compliance and posts results directly on the PR.\n\nAdd `.github/workflows/ossguard.yml` to any repository:\n\n```yaml\nname: OSSGuard\n\non:\n  pull_request:\n    branches: [main]\n\npermissions:\n  contents: read\n  pull-requests: write\n  statuses: write\n\njobs:\n  security-review:\n    name: Security Review\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n        with:\n          fetch-depth: 0\n\n      - uses: kirankotari/ossguard-app@v1.0.0\n        with:\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n```\n\n### What You'll See on Your PR\n\nOSSGuard posts a comment with a security review table and sets a commit status check:\n\n\u003e **OSSGuard Security Review**\n\u003e\n\u003e | Check | Status | Severity | Details |\n\u003e |-------|--------|----------|---------|\n\u003e | Dependency Pinning | :warning: Warn | Warning | 2 action(s) not pinned to SHA |\n\u003e | Security Policy | :white_check_mark: Pass | Warning | SECURITY.md found |\n\u003e | License | :white_check_mark: Pass | Warning | Apache-2.0 license detected |\n\u003e | Secrets Scan | :white_check_mark: Pass | Error | No secrets detected in PR diff |\n\u003e | CodeQL / SAST | :white_check_mark: Pass | 
Warning | CodeQL configured |\n\u003e | Branch Protection | :white_check_mark: Pass | Info | Branch protection enabled |\n\u003e | Dependency Review | :white_check_mark: Pass | Info | Dependabot configured |\n\u003e\n\u003e **6 passed** | **1 warning**\n\nThe status check shows:\n- **Green** (success) — all checks passed\n- **Yellow** (neutral) — warnings found, not blocking\n- **Red** (failure) — critical issues (e.g., leaked secrets)\n\nSee [ossguard-app](https://github.com/kirankotari/ossguard-app) for configuration options and the full list of 8 analyzers.\n\n## Implementations\n\nOSSGuard is available in three language implementations with identical command sets:\n\n| | Python | Go | Node.js |\n|---|---|---|---|\n| **Source** | [ossguard-python](https://github.com/kirankotari/ossguard-python) | [ossguard-go](https://github.com/kirankotari/ossguard-go) | [ossguard-npm](https://github.com/kirankotari/ossguard-npm) |\n| **Install** | `pip install ossguard` | `brew install kirankotari/tap/ossguard` | `npx ossguard` |\n| **Size** | ~104 KB (wheel) | ~8.6 MB (static binary) | ~128 KB (tarball) |\n| **UI** | Rich tables, colored panels | Plain text, CI-friendly | Plain text |\n| **Best for** | Developer workstation | CI pipelines, automation | Node.js projects |\n| **Commands** | 27 | 27 | 27 |\n\nSee [docs/implementations.md](docs/implementations.md) for a detailed comparison.\n\n## Documentation\n\n| Document | Description |\n|----------|-------------|\n| [Getting Started](docs/getting-started.md) | First-time setup and walkthrough |\n| [Installation](docs/installation.md) | All install methods with verification |\n| [Command Reference](docs/commands/) | Detailed docs for all 27 commands |\n| [Architecture](docs/architecture.md) | How OSSGuard works internally |\n| [CI Integration](docs/ci-integration.md) | GitHub Actions, GitLab CI examples |\n| [Implementations](docs/implementations.md) | Python vs Go vs Node.js comparison |\n| [Releasing](docs/releasing.md) | 
Coordinated release process |\n| [FAQ](docs/faq.md) | Frequently asked questions |\n\n## How OSSGuard Relates to OpenSSF\n\nOSSGuard makes it trivially easy to adopt the tools that [OpenSSF](https://openssf.org/) working groups have built:\n\n| OpenSSF Initiative | OSSGuard Command |\n|--------------------|------------------|\n| [Scorecard](https://scorecard.dev/) | `scan`, `audit` |\n| [SLSA](https://slsa.dev/) | `slsa` |\n| [Sigstore](https://sigstore.dev/) | `init` (sigstore workflow) |\n| [SBOM Everywhere](https://github.com/ossf/sbom-everywhere) | `sbom-gen`, `drift` |\n| [Best Practices Badge](https://www.bestpractices.dev/) | `badge` |\n| [OSPS Baseline](https://baseline.openssf.org/) | `baseline` |\n| [S2C2F](https://github.com/ossf/s2c2f) | `maturity` |\n| [CVD Guide](https://github.com/ossf/oss-vulnerability-guide) | `init` (SECURITY.md) |\n| [SCM Best Practices](https://best.openssf.org/SCM-BestPractices/) | `pin`, `init` (branch protection) |\n\n## Contributing\n\nContributions are welcome! Please see the [Contributing Guide](CONTRIBUTING.md) for general guidelines, or jump directly to a language implementation:\n\n- [ossguard-python](https://github.com/kirankotari/ossguard-python) — Python (reference implementation)\n- [ossguard-go](https://github.com/kirankotari/ossguard-go) — Go\n- [ossguard-npm](https://github.com/kirankotari/ossguard-npm) — Node.js\n\nFor bugs and feature requests, please [open an issue](https://github.com/kirankotari/ossguard/issues).\n\n## License\n\nApache-2.0 — see [LICENSE](LICENSE) for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkirankotari%2Fossguard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkirankotari%2Fossguard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkirankotari%2Fossguard/lists"}
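The README's GitHub Action example references `actions/checkout@v4` and `kirankotari/ossguard-app@v1.0.0` by tag, and the Scorecard data on this page reports the same pattern in the repository's own workflows (Pinned-Dependencies scored 0: nine actions not pinned by hash). A tag is mutable, so a compromised or re-pointed tag changes what the job executes; the README's `ossguard pin` command exists to rewrite such references to commit SHAs. The following shell script is an added example and not OSSGuard's code: it lists the `uses:` references in a workflow file that are not pinned to a full 40-hex SHA, which is the check a practitioner would run before and after `ossguard pin`. The sample workflow is the README's example with two extra steps added for contrast; the SHA in it is a placeholder, not a real commit of that action, and the parser assumes one unquoted `- uses:` per line.

```sh
#!/bin/sh
# Added example, not part of OSSGuard: list GitHub Actions `uses:` references in a
# workflow file that are not pinned to a full 40-hex commit SHA. This is the condition
# Scorecard's Pinned-Dependencies check flags for this repository, and the README's
# `ossguard pin` command is the remediation. Assumes one `- uses:` per line, unquoted.

# Constructed input: the README's workflow, plus one SHA-pinned step and one local
# action for contrast. The SHA is a placeholder, not a real commit of that action.
SAMPLE_WORKFLOW='name: OSSGuard
on:
  pull_request:
    branches: [main]
permissions:
  contents: read
  pull-requests: write
  statuses: write
jobs:
  security-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: kirankotari/ossguard-app@v1.0.0
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.0
      - uses: ./.github/actions/local-step'

# Print each action reference that is not pinned to a 40-hex SHA, one per line.
# Local (./) and docker:// references are skipped: they are not pinned by SHA.
# Exit status follows grep: 0 when at least one unpinned reference was printed.
unpinned_actions() {
  sed -n 's/^[[:space:]]*-[[:space:]]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" \
    | grep -Ev '^(\./|docker://)' \
    | grep -Ev '@[0-9a-f]{40}$'
}

# Number of unpinned references in the file (0 when everything is pinned).
count_unpinned() {
  unpinned_actions "$1" | wc -l | tr -d ' '
}

# Gate: exit 0 only when every GitHub-owned or third-party action is SHA-pinned.
check_all_pinned() {
  [ "$(count_unpinned "$1")" -eq 0 ]
}

# Stand-alone demo over the constructed workflow.
_tmp=$(mktemp)
printf '%s\n' "$SAMPLE_WORKFLOW" > "$_tmp"
if check_all_pinned "$_tmp"; then
  echo "all actions pinned"
else
  echo "unpinned actions:"
  unpinned_actions "$_tmp"
fi
rm -f "$_tmp"
```

Run it against `.github/workflows/*.yml` in a pre-commit hook or a CI step and fail the job when `check_all_pinned` returns non-zero; a trailing `# v4.0.0` comment after the SHA, as in the sample, keeps the version readable for humans and for dependency-update tools without weakening the pin.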
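The "JSON Output for CI" section shows the flat boolean fields that `ossguard scan --json` prints and points to quality-gate examples in the project's docs. The script below is an added example, not OSSGuard's own code or its documented gate: it turns that output into a pass/fail CI step using only `sed` and `grep`, so it runs on a bare runner without `jq`. It assumes the README's output shape (one `"key": value` pair per line, boolean values unquoted, keys that are plain identifiers); the sample input is the psf/requests output copied from the README, and the set of required keys is a hypothetical team policy, not a recommendation from the project.

```sh
#!/bin/sh
# Added example, not part of OSSGuard: a CI quality gate over the flat boolean fields
# that `ossguard scan --json` prints, as shown in the README. It fails the job when any
# field the team requires is false or absent. Uses only sed and grep, so it works on a
# runner without jq. Assumes one "key": value pair per line, as in the README's sample.

# Constructed input: the README's `ossguard scan --json .` output for psf/requests.
SAMPLE_SCAN='{
  "repo_name": "requests",
  "primary_language": "python",
  "package_managers": ["pip"],
  "has_github_actions": true,
  "has_security_md": true,
  "has_scorecard": false,
  "has_dependabot": true,
  "has_codeql": true,
  "has_sbom_workflow": false,
  "has_sigstore": false
}'

# Print the value of a boolean field ("true" or "false"); prints nothing if the key is
# missing or its value is not a bare boolean. $1 = key (plain identifier), $2 = JSON text.
json_bool() {
  printf '%s\n' "$2" \
    | sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\([a-z][a-z]*\).*/\1/p" \
    | grep -Ex 'true|false'
}

# Gate: report each required key and exit 0 only when all of them are true.
# A missing key counts as a failure, so a renamed field cannot silently pass.
# Usage: scan_gate "$json" key1 key2 ...
scan_gate() {
  _json="$1"; shift
  _failed=0
  for _key in "$@"; do
    _val=$(json_bool "$_key" "$_json")
    if [ "$_val" = "true" ]; then
      printf 'ok    %s\n' "$_key"
    else
      printf 'FAIL  %s (%s)\n' "$_key" "${_val:-missing}"
      _failed=$((_failed + 1))
    fi
  done
  [ "$_failed" -eq 0 ]
}

# Stand-alone demo: a hypothetical policy requiring three of the six config checks.
if scan_gate "$SAMPLE_SCAN" has_security_md has_dependabot has_scorecard; then
  echo "gate passed"
else
  echo "gate failed: run 'ossguard init' to add the missing configs"
fi
```

In a pipeline, pipe the real scan into it (`scan_gate "$(ossguard scan --json .)" has_security_md has_scorecard ...`) and let the non-zero exit fail the job; keep the required-key list in version control beside the workflow so the gate's policy is reviewed like any other change.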