{"id":47928313,"url":"https://github.com/open-component-model/open-delivery-gear","last_synced_at":"2026-04-04T07:02:56.133Z","repository":{"id":347296291,"uuid":"1184455235","full_name":"open-component-model/open-delivery-gear","owner":"open-component-model","description":"Home of ODG, an extensible and cloud-native compliance delivery engine","archived":false,"fork":false,"pushed_at":"2026-03-27T15:09:24.000Z","size":254,"stargazers_count":2,"open_issues_count":21,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-27T20:40:46.388Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/open-component-model.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-17T15:51:04.000Z","updated_at":"2026-03-27T15:09:26.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/open-component-model/open-delivery-gear","commit_stats":null,"previous_names":["open-component-model/open-delivery-gear"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/open-component-model/open-delivery-gear","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/open-component-model%2Fopen-delivery-gear","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/open-component-model%2Fopen-delivery-gear/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/open-component-model%2Fopen-delivery-gear/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/open-component-model%2Fopen-delivery-gear/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/open-component-model","download_url":"https://codeload.github.com/open-component-model/open-delivery-gear/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/open-component-model%2Fopen-delivery-gear/sbom","scorecard":{"id":1245320,"data":{"date":"2026-03-27T15:09:38Z","repo":{"name":"github.com/open-component-model/open-delivery-gear","commit":"d82767ef7206ca7bc977d1253970ce2660e9f728"},"scorecard":{"version":"v5.3.0","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"score":5.1,"checks":[{"name":"Maintained","score":0,"reason":"project was created within the last 90 days. Please review its contents carefully","details":["Warn: Repository was created within the last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#maintained"}},{"name":"Code-Review","score":6,"reason":"Found 3/5 approved changesets -- score normalized to 6","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:18","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/open-component-model/open-delivery-gear/scorecard.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/scorecard.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/open-component-model/open-delivery-gear/scorecard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/open-component-model/open-delivery-gear/scorecard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/open-component-model/open-delivery-gear/scorecard.yml/main?enable=pin","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":2,"reason":"badge detected: InProgress","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#vulnerabilities"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#signed-releases"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#license"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/open-component-model/.github/SECURITY.md:1","Info: Found linked content: github.com/open-component-model/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/open-component-model/.github/SECURITY.md:1","Info: Found text in security policy: github.com/open-component-model/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#security-policy"}},{"name":"Dependency-Update-Tool","score":0,"reason":"no update tool detected","details":["Warn: no dependency update tool configurations found"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#branch-protection"}},{"name":"Contributors","score":10,"reason":"project has 7 contributing companies or organizations","details":["Info: found contributions from: SAP, gardener, keycloud, open-component-model, openmonitor, run-it-down, sap @gardener"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#contributors"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 4 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#sast"}},{"name":"CI-Tests","score":0,"reason":"0 out of 4 merged PRs checked by a CI test -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#ci-tests"}}]},"last_synced_at":"2026-03-28T02:33:02.394Z","repository_id":347296291,"created_at":"2026-03-28T02:33:02.394Z","updated_at":"2026-03-28T02:33:02.394Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31390695,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T04:26:24.776Z","status":"ssl_error","status_checked_at":"2026-04-04T04:23:34.147Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-04T07:02:54.852Z","updated_at":"2026-04-04T07:02:56.113Z","avatar_url":"https://github.com/open-component-model.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n\t\u003cimg src=\"resources/odg.svg\" alt=\"Open Delivery Gear Logo\" /\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003eOpen Delivery Gear\u003c/h1\u003e\n\nOpen Delivery Gear (ODG) is a production-ready compliance automation engine built for software components modelled with the [Open Component Model](https://ocm.software).\nIt helps teams continuously scan delivery artifacts, keep findings actionable, and enforce service-level expectations through automation.\nODG implements a trust-but-verify solution for public and **sovereign clouds**.\n\nThe project is under neutral governance by the [NeoNephos Foundation](https://neonephos.org), as part of the [Apeiro Reference Architecture](https://apeirora.eu).\n\n[![REUSE status](https://api.reuse.software/badge/github.com/open-component-model/open-delivery-gear)](https://api.reuse.software/info/github.com/open-component-model/open-delivery-gear)\n[![OpenSSF Baseline](https://www.bestpractices.dev/projects/12270/baseline)](https://www.bestpractices.dev/projects/12270)\n[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/open-component-model/open-delivery-gear/badge)](https://scorecard.dev/viewer/?uri=github.com/open-component-model/open-delivery-gear)\n\n## Index\n\n- [What Is It?](#what-is-it)\n  - [How Does It Work?](#how-does-it-work)\n  - [Look and Feel](#look-and-feel)\n- [Getting Started](#getting-started)\n- [Community](#community)\n- [Documentation](#documentation)\n- [Contributing](#contributing)\n- [Licensing](#licensing)\n\n## What Is It?\n\nODG is an extensible security and compliance automation toolbox designed for cloud-native delivery and Kubernetes-centric environments.\n\n**Core capabilities include**:\n\n- Kubernetes-native deployment and operating model\n- Asynchronous and autonomous security and compliance scans\n- Extensible architecture for custom integrations and policies\n- Finding tracking with configurable SLAs\n- \"Trust, but verify\" operating model for delivery assurance\n- Assisted rescoring to extract value from available runtime context information\n\nThe goal is to reduce manual governance effort while increasing confidence in software delivery quality and compliance posture across public and sovereign cloud scenarios.\n\n### How Does It Work?\n\nOpen Delivery Gear follows an automation-first workflow:\n\n- Users subscribe to OCM component versions.\n- Scans are executed automatically and asynchronously.\n- Scanner capacity scales both vertically and horizontally.\n- Findings are tracked against discovery dates and SLA timelines.\n- Assisted rescoring can adjust due dates or classify findings as false positives.\n- Processing remains traceable and transparent.\n- Assessments can be transported and imported via OCM.\n\n### Look and Feel\n\nOpen Delivery Gear is designed for both platform operators and application teams.\nOperators interact with ODG through the Kubernetes API to integrate it into cluster-native workflows.\nEnd users can work with findings and delivery insights either through the Delivery Dashboard UI or via HTTP APIs for automation and integration scenarios.\n\n![Delivery Dashboard](resources/delivery-dashboard.png)\n\n## Getting Started\n\n- [Local Setup using Kind](https://github.com/open-component-model/delivery-service/blob/master/local-setup/local-setup.md)\n- [Standalone installation using Helm](https://github.com/open-component-model/delivery-service/tree/master/charts)\n- [K8s ODG Operator](https://github.com/open-component-model/delivery-service/tree/master/odg_operator)\n- [🚧 openMCP Provider](https://github.com/openmcp-project)\n\n\u003cdetails\u003e\n  \u003csummary\u003eRelated Repositories and Codebases\u003c/summary\u003e\n\n### Core Components and Extensions\n\nThe codebase is distributed across multiple repositories.\n\n#### delivery-service\n\n##### Core APIs\n\n- [Core API](https://github.com/open-component-model/delivery-service/blob/master/app.py)\n- [ODG Database](https://github.com/open-component-model/delivery-service/tree/master/deliverydb)\n- [ODG Operator](https://github.com/open-component-model/delivery-service/tree/master/odg_operator)\n- [OCM Artefact Enumerator](https://github.com/open-component-model/delivery-service/blob/master/artefact_enumerator.py)\n- [Assisted Rescoring](https://github.com/open-component-model/delivery-service/tree/master/rescore)\n- [Scan Backlog Controller](https://github.com/open-component-model/delivery-service/blob/master/backlog_controller.py)\n- [ODG Database Backup](https://github.com/open-component-model/delivery-service/blob/master/delivery_db_backup.py)\n\n##### Extensions\n\n- [Cryptographic Asset Inventory](https://github.com/open-component-model/delivery-service/tree/master/crypto_extension)\n- [Vulnerability Scanner (BDBA)](https://github.com/open-component-model/delivery-service/tree/master/bdba)\n- [GitHub Issues-Based Finding Tracker](https://github.com/open-component-model/delivery-service/tree/master/issue_replicator)\n- [Malware Scanner (ClamAV)](https://github.com/open-component-model/delivery-service/tree/master/malware)\n- [Operating System EoL Detection](https://github.com/open-component-model/delivery-service/tree/master/osid_extension)\n- [DORA Metrics](https://github.com/open-component-model/delivery-service/blob/master/dora.py)\n- [GitHub Secret Scanner](https://github.com/open-component-model/delivery-service/blob/master/ghas.py)\n- [SBoM Generator](https://github.com/open-component-model/delivery-service/blob/master/sbom_generator.py)\n\n#### delivery-dashboard\n\n- [ODG User Interface](https://github.com/open-component-model/delivery-dashboard)\n\n#### cc-utils\n\n- [OCM Language Bindings](https://github.com/gardener/cc-utils/tree/master/ocm)\n- [OCI Client](https://github.com/gardener/cc-utils/tree/master/oci)\n- [ODG Core API Client](https://github.com/gardener/cc-utils/tree/master/delivery)\n\n#### odg-prometheus\n\n- [Monitoring Stack](https://github.com/open-component-model/prometheus)\n\n\u003c/details\u003e\n\n## Community\n\nOpen Delivery Gear is part of the [OCM community](https://ocm.software/community/engagement/).\n\n- Join the regular OCM community call to discuss roadmap topics, integrations, and operational best practices.\n- Use community discussions to share feedback, report gaps, and collaborate on new automation scenarios.\n\n## Documentation\n\n- [Technical Documentation](https://open-component-model.github.io/delivery-service/)\n- [ODG Project Board](https://github.com/orgs/open-component-model/projects/17)\n\n## Contributing\n\nCode contributions, feature requests, bug reports, and help requests are very welcome. Please refer to the\n[Contributing Guide in the Community repository](https://github.com/open-component-model/.github/blob/main/CONTRIBUTING.md)\nfor more information on how to contribute to ODG.\n\nTo make ODG a welcoming and harassment-free experience for everyone, we follow the [NeoNephos Code of Conduct](https://github.com/neonephos/.github/blob/main/CODE_OF_CONDUCT.md).\n\n## Licensing\n\nPlease refer to the [LICENSE](LICENSE) for copyright and license information.\nDetailed information, including third-party components and their licensing/copyright information is available\n[via the REUSE tool](https://api.reuse.software/info/github.com/open-component-model/open-delivery-gear).\n\n---\n\n\u003cp align=\"center\"\u003e\u003cimg alt=\"Bundesministerium für Wirtschaft und Energie (BMWE)-EU funding logo\" src=\"https://apeirora.eu/assets/img/BMWK-EU.png\" width=\"400\"/\u003e\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopen-component-model%2Fopen-delivery-gear","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopen-component-model%2Fopen-delivery-gear","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopen-component-model%2Fopen-delivery-gear/lists"}