{"id":13467041,"url":"https://github.com/openziti/ziti","last_synced_at":"2026-04-02T15:10:42.802Z","repository":{"id":37291465,"uuid":"223431735","full_name":"openziti/ziti","owner":"openziti","description":"The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti","archived":false,"fork":false,"pushed_at":"2026-02-27T22:38:32.000Z","size":31805,"stargazers_count":3894,"open_issues_count":271,"forks_count":236,"subscribers_count":38,"default_branch":"main","last_synced_at":"2026-02-27T22:49:36.080Z","etag":null,"topics":["appsec","golang","mesh","netsec","network","networking","overlay","overlay-network","secure-networking","vpn","vpn-2","zero-trust","zero-trust-cloud","zero-trust-network","zero-trust-network-access","zero-trust-security","zerotrust","ztaa","ztha","ztna"],"latest_commit_sha":null,"homepage":"https://openziti.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/openziti.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-11-22T15:27:24.000Z","updated_at":"2026-02-27T21:32:43.000Z","dependencies_parsed_at":"2025-12-30T05:10:00.427Z","dependency_job_id":null,"html_url":"https://github.com/openziti/ziti","commit_stats":{"total_commits":5072,"total_committers":55,"mean_commits":92.21818181818182,"dds":0.7271293375394321,"last_synced_commit":"e7a5fdf12a9acaac969325ce420e930c4ea05b1b"},"previous_names":["netfoundry/ziti-cmd"],"tags_count":274,"template":false,"template_full_name":null,"purl":"pkg:github/openziti/ziti","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openziti%2Fziti","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openziti%2Fziti/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openziti%2Fziti/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openziti%2Fziti/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/openziti","download_url":"https://codeload.github.com/openziti/ziti/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openziti%2Fziti/sbom","scorecard":{"id":279763,"data":{"date":"2025-08-11","repo":{"name":"github.com/openziti/ziti","commit":"71ecf3fcf07d3c66ccc727a0931e91d1d0f22db0"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.7,"checks":[{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 29 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Security-Policy","score":9,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:31","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:32","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:187","Warn: no topLevel permission defined: .github/workflows/codeql.yml:1","Warn: no topLevel permission defined: .github/workflows/codespell.yml:1","Warn: no topLevel permission defined: .github/workflows/fablab-db-creation.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/golangci-lint.yml:5","Warn: no topLevel permission defined: .github/workflows/main.yml:1","Warn: no topLevel permission defined: .github/workflows/mattermost-channel-posts.yml:1","Warn: no topLevel permission defined: .github/workflows/mattermost-webhook.yml:1","Warn: no topLevel permission defined: .github/workflows/promote-downstreams.yml:1","Warn: no topLevel permission defined: .github/workflows/publish-docker-images.yml:1","Warn: no topLevel permission defined: .github/workflows/publish-linux-packages.yml:1","Warn: no topLevel permission defined: .github/workflows/release-quickstart.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Warn: no topLevel permission defined: .github/workflows/test-cloudfront-proxy.yml:1","Warn: no topLevel permission defined: .github/workflows/test-deployments.yml:1","Warn: no topLevel permission defined: .github/workflows/test-quickstart.yml:1","Warn: no topLevel permission defined: .github/workflows/update-dependency.yml:1","Warn: no topLevel permission defined: .github/workflows/validation-links.yml:1","Warn: no topLevel permission defined: .github/workflows/validation-sdk-terminators.yml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":6,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Info: codeowner review is required on branch 'main'","Warn: no status checks found to merge onto branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v1.6.7 not signed: https://api.github.com/repos/openziti/ziti/releases/239483438","Warn: release artifact v1.6.6 not signed: https://api.github.com/repos/openziti/ziti/releases/235237778","Warn: release artifact v1.6.5 not signed: https://api.github.com/repos/openziti/ziti/releases/231195497","Warn: release artifact v1.6.3 not signed: https://api.github.com/repos/openziti/ziti/releases/226225424","Warn: release artifact v1.6.2 not signed: https://api.github.com/repos/openziti/ziti/releases/222452305","Warn: release artifact v1.6.7 does not have provenance: https://api.github.com/repos/openziti/ziti/releases/239483438","Warn: release artifact v1.6.6 does not have provenance: https://api.github.com/repos/openziti/ziti/releases/235237778","Warn: release artifact v1.6.5 does not have provenance: https://api.github.com/repos/openziti/ziti/releases/231195497","Warn: release artifact v1.6.3 does not have provenance: https://api.github.com/repos/openziti/ziti/releases/226225424","Warn: release artifact v1.6.2 does not have provenance: https://api.github.com/repos/openziti/ziti/releases/222452305"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release-quickstart.yml:13"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Pinned-Dependencies","score":1,"reason":"dependency not pinned by hash detected -- score normalized to 1","details":["Info: Possibly incomplete results: error parsing shell code: parameter expansion requires a literal: quickstart/docker/image/ziti-cli-functions.sh:0","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:84: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/codeql.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codespell.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/codespell.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/codespell.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/codespell.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/fablab-db-creation.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/fablab-db-creation.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/fablab-db-creation.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/fablab-db-creation.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/fablab-db-creation.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/fablab-db-creation.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/golangci-lint.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/golangci-lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/golangci-lint.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/golangci-lint.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/golangci-lint.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/golangci-lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:115: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:120: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:125: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:144: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:155: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:160: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:165: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:282: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:314: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:319: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:324: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:327: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:376: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:392: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:90: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:103: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:187: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:192: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:197: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:200: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:250: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:266: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:407: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:451: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:456: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:461: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:466: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:469: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:476: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:483: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/mattermost-channel-posts.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/mattermost-channel-posts.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/mattermost-channel-posts.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/mattermost-channel-posts.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/mattermost-webhook.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/mattermost-webhook.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/promote-downstreams.yml:89: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/promote-downstreams.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/promote-downstreams.yml:129: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/promote-downstreams.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/promote-downstreams.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/promote-downstreams.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/promote-downstreams.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/promote-downstreams.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/promote-downstreams.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/promote-downstreams.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-docker-images.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/publish-docker-images.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-docker-images.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/publish-docker-images.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-docker-images.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/publish-docker-images.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-docker-images.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/publish-docker-images.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-docker-images.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/publish-docker-images.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-docker-images.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/publish-docker-images.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-docker-images.yml:75: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/publish-docker-images.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-docker-images.yml:91: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/publish-docker-images.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-docker-images.yml:108: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/publish-docker-images.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-docker-images.yml:124: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/publish-docker-images.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-docker-images.yml:141: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/publish-docker-images.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-docker-images.yml:157: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/publish-docker-images.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-docker-images.yml:173: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/publish-docker-images.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-linux-packages.yml:51: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/publish-linux-packages.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-linux-packages.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/publish-linux-packages.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-linux-packages.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/publish-linux-packages.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/publish-linux-packages.yml:90: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/publish-linux-packages.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-quickstart.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release-quickstart.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-quickstart.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release-quickstart.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-quickstart.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release-quickstart.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-quickstart.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release-quickstart.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-quickstart.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release-quickstart.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-quickstart.yml:66: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release-quickstart.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-quickstart.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release-quickstart.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-quickstart.yml:75: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release-quickstart.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-quickstart.yml:138: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release-quickstart.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:195: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:200: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:205: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:210: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:215: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:222: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:229: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:295: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:73: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:86: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:103: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:108: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:137: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:148: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:153: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:158: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-cloudfront-proxy.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/test-cloudfront-proxy.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-deployments.yml:235: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/test-deployments.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-deployments.yml:239: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/test-deployments.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-deployments.yml:256: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/test-deployments.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-deployments.yml:260: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/test-deployments.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test-deployments.yml:265: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/test-deployments.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-deployments.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/test-deployments.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-deployments.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/test-deployments.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-deployments.yml:71: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/test-deployments.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-deployments.yml:130: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/test-deployments.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-deployments.yml:190: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/test-deployments.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-deployments.yml:194: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/test-deployments.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-quickstart.yml:96: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/test-quickstart.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-quickstart.yml:99: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/test-quickstart.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-quickstart.yml:104: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/test-quickstart.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-quickstart.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/test-quickstart.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-quickstart.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/test-quickstart.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-quickstart.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/test-quickstart.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-quickstart.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/test-quickstart.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-dependency.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/update-dependency.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-dependency.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/update-dependency.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-dependency.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/update-dependency.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validation-links.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/validation-links.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validation-links.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/validation-links.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/validation-links.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/validation-links.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/validation-links.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/validation-links.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validation-links.yml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/validation-links.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validation-sdk-terminators.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/validation-sdk-terminators.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validation-sdk-terminators.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/validation-sdk-terminators.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/validation-sdk-terminators.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/validation-sdk-terminators.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/validation-sdk-terminators.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/validation-sdk-terminators.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validation-sdk-terminators.yml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/openziti/ziti/validation-sdk-terminators.yml/main?enable=pin","Warn: containerImage not pinned by hash: dist/docker-images/cross-build/Dockerfile:1: pin your Docker image by updating debian:bullseye-slim to debian:bullseye-slim@sha256:849d9d34d5fe0bf88b5fb3d09eb9684909ac4210488b52f4f7bbe683eedcb851","Warn: containerImage not pinned by hash: dist/docker-images/ziti-cli/Dockerfile:5","Warn: containerImage not pinned by hash: dist/docker-images/ziti-cli/Dockerfile:7: pin your Docker image by updating registry.access.redhat.com/ubi9/ubi-minimal to registry.access.redhat.com/ubi9/ubi-minimal@sha256:8d905a93f1392d4a8f7fb906bd49bf540290674b28d82de3536bb4d0898bf9d7","Warn: containerImage not pinned by hash: dist/docker-images/ziti-controller/Dockerfile:7","Warn: containerImage not pinned by hash: dist/docker-images/ziti-controller/Dockerfile:9","Warn: containerImage not pinned by hash: dist/docker-images/ziti-router/Dockerfile:4","Warn: containerImage not pinned by hash: dist/docker-images/ziti-tunnel/Dockerfile:5","Warn: containerImage not pinned by hash: quickstart/docker/image/Dockerfile:1","Warn: containerImage not pinned by hash: quickstart/docker/image/Dockerfile:28: pin your Docker image by updating ubuntu:rolling to ubuntu:rolling@sha256:478be0e56353c3160cad9ae534108a3c9f9c52f33d1217414b977ff4253ed018","Warn: containerImage not pinned by hash: quickstart/docker/image/TestDockerfile:1: pin your Docker image by updating ubuntu:20.04 to ubuntu:20.04@sha256:8feb4d8ca5354def3d8fce243717141ce31e2c428701f6682bd2fafe15388214","Warn: goCommand not pinned by hash: dist/docker-images/cross-build/Dockerfile:33","Warn: goCommand not pinned by hash: .github/workflows/main.yml:60","Warn: goCommand not pinned by hash: .github/workflows/main.yml:98","Warn: goCommand not pinned by hash: .github/workflows/main.yml:133","Warn: goCommand not pinned by hash: .github/workflows/main.yml:262","Warn: goCommand not pinned by hash: .github/workflows/main.yml:388","Warn: pipCommand not pinned by hash: .github/workflows/release-quickstart.yml:153","Warn: goCommand not pinned by hash: .github/workflows/release.yml:43","Warn: goCommand not pinned by hash: .github/workflows/release.yml:81","Warn: goCommand not pinned by hash: .github/workflows/release.yml:124","Warn: pipCommand not pinned by hash: .github/workflows/test-cloudfront-proxy.yml:28","Info:   0 out of  89 GitHub-owned GitHubAction dependencies pinned","Info:   2 out of  51 third-party GitHubAction dependencies pinned","Info:   0 out of   2 pipCommand dependencies pinned","Info:   0 out of  10 containerImage dependencies pinned","Info:   8 out of  17 goCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Vulnerabilities","score":0,"reason":"19 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: PYSEC-2019-217 / GHSA-462w-v97r-4m45","Warn: Project is vulnerable to: PYSEC-2014-8 / GHSA-8r7q-cvjq-x353","Warn: Project is vulnerable to: GHSA-cpwx-vrp4-4pq7","Warn: Project is vulnerable to: PYSEC-2014-82 / GHSA-fqh9-2qgg-h84h","Warn: Project is vulnerable to: PYSEC-2021-66 / GHSA-g3rq-g295-4j3m","Warn: Project is vulnerable to: GHSA-h5c8-rqwp-cp95","Warn: Project is vulnerable to: GHSA-h75v-3vvj-5mfj","Warn: Project is vulnerable to: PYSEC-2019-220 / GHSA-hj2j-77xm-mc5v","Warn: Project is vulnerable to: GHSA-q2x7-8rv6-6q7h","Warn: Project is vulnerable to: PYSEC-2021-142 / GHSA-8q59-q68h-6hv4","Warn: Project is vulnerable to: PYSEC-2018-49 / GHSA-rprw-h62v-c2w7","Warn: Project is vulnerable to: PYSEC-2014-14 / GHSA-652x-xj99-gmcc","Warn: Project is vulnerable to: GHSA-9hjg-9r4m-mvj7","Warn: Project is vulnerable to: GHSA-9wx4-h78v-vm56","Warn: Project is vulnerable to: PYSEC-2014-13 / GHSA-cfj3-7x9c-4p3h","Warn: Project is vulnerable to: PYSEC-2018-28 / GHSA-x84v-xcm2-53pg","Warn: Project is vulnerable to: GHSA-q7pp-wcgr-pffx","Warn: Project is vulnerable to: GO-2022-0635","Warn: Project is vulnerable to: GO-2022-0646"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-17T15:26:27.856Z","repository_id":37291465,"created_at":"2025-08-17T15:26:27.856Z","updated_at":"2025-08-17T15:26:27.856Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29993603,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-02T01:47:34.672Z","status":"online","status_checked_at":"2026-03-02T02:00:07.342Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","golang","mesh","netsec","network","networking","overlay","overlay-network","secure-networking","vpn","vpn-2","zero-trust","zero-trust-cloud","zero-trust-network","zero-trust-network-access","zero-trust-security","zerotrust","ztaa","ztha","ztna"],"created_at":"2024-07-31T15:00:52.525Z","updated_at":"2026-04-02T15:10:42.786Z","avatar_url":"https://github.com/openziti.png","language":"Go","funding_links":[],"categories":["Go","Zero Trust","golang","Networking \u0026 Connectivity","vpn","零信任"],"sub_categories":["Utility/Miscellaneous","Routers","路由器"],"readme":"\u003c!-- markdownlint-disable MD033 --\u003e\n\n[![Build Status](https://github.com/openziti/ziti/actions/workflows/main.yml/badge.svg?query=branch%3Arelease-next)](https://github.com/openziti/ziti/actions/workflows/main.yml?query=branch%3Arelease-next)\n[![Go Report Card](https://goreportcard.com/badge/github.com/openziti/ziti)](https://goreportcard.com/report/github.com/openziti/ziti)\n[![GoDoc](https://godoc.org/github.com/openziti/ziti?status.svg)](https://pkg.go.dev/github.com/openziti/ziti)\n[![Discourse](https://img.shields.io/badge/Discourse-forum-blue?logo=discourse)](https://openziti.discourse.group/)\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/openziti/ziti/blob/main/LICENSE)\n[![GitHub Stars](https://img.shields.io/github/stars/openziti/ziti?style=social)](https://github.com/openziti/ziti)\n\n# OpenZiti\n\nOpenZiti is an open-source zero-trust networking platform that makes network services invisible to unauthorized users. Every connection, whether from a user, a service, a device, or a workload, is authenticated with cryptographic identity, authorized by policy, and encrypted end-to-end.\n\nOpenZiti works with both existing applications (using lightweight tunnelers with no code changes required) and new applications (using embedded SDKs for the strongest zero-trust model). This makes it practical for both brownfield environments and greenfield development.\n\nCreated and sponsored by [NetFoundry](https://netfoundry.io). Licensed under [Apache 2.0](LICENSE).\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"./doc/images/openziti-architecture.svg\" alt=\"OpenZiti Architecture: Controller, Edge Routers, SDKs, and Tunnelers\" width=\"100%\"/\u003e\n\u003c/p\u003e\n\n---\n\n## Table of Contents\n\n- [Use Cases](#use-cases)\n- [Key Capabilities](#key-capabilities)\n- [Three Deployment Models](#three-deployment-models)\n- [Getting Started](#getting-started)\n- [Architecture](#architecture)\n- [Zero Trust, Dark Services, and End-to-End Encryption](#zero-trust-dark-services-and-end-to-end-encryption)\n- [SDKs](#sdks)\n- [Community \u0026 Support](#community--support)\n- [Contributing](#contributing)\n- [Adopters](#adopters)\n- [Managed Solution](#managed-solution)\n\n---\n\n## Use Cases\n\nOpenZiti enables you to extend zero-trust anywhere for any use case, including non-human workloads and workflows, across multiple networks and third parties.  The following are some common use cases.\n\n### Replace VPNs\n\nProvide secure access to internal services without VPN clients, split tunneling headaches, or concentrator bottlenecks. Each service is individually authorized. No \"once you're in, you can reach everything\" problem.\n\n### Dark APIs and Services\n\nMake APIs and services invisible to the internet. Zero listening ports means zero attack surface. Authorized clients connect through OpenZiti; everyone else sees nothing.\n\n### IoT and Non-Human Identity\n\nGive every device, sensor, and machine a unique cryptographic identity. OpenZiti's identity model works for non-human workloads just as well as human users, providing strong authentication for the machine-to-machine connections that make up the majority of modern network traffic.\n\n### Zero Trust Workloads\n\nSecure workload-to-workload communication across clouds and environments. Services authenticate each other with cryptographic identity, not network location. No shared secrets, no IP allowlists, no ambient authority.\n\n### Agentic AI\n\nSecure agent-to-service and agent-to-agent communication with cryptographic identity for every AI participant. MCP servers, tool endpoints, and private LLMs stay dark, with no listening ports or public URLs. Agents authenticate with strong, unique identities and reach only the resources that the policy allows, so autonomous workflows get the access they need without ambient authority over everything else.\n\n### Multi-Cloud and Hybrid Connectivity\n\nOne overlay network across AWS, Azure, GCP, on-prem data centers, and edge locations. No cloud-specific networking tools, no VPN tunnels between environments, no complex peering arrangements.\n\n### Self-Hosted Service Access\n\nAccess home lab or self-hosted services like Nextcloud, Home Assistant, media servers, and development environments from anywhere. No open router ports, no dynamic DNS, no reliance on third-party tunnel services. You control the entire path.\n\n### Kubernetes and Cross-Cluster Services\n\nConnect services across Kubernetes clusters without complex ingress rules, service mesh sidecars, or VPN tunnels between clusters. Works beyond Kubernetes, supporting connecting k8s services to VMs, bare metal, IoT devices, or anything else on the overlay.\n\n---\n\n## Key Capabilities\n\n| Capability | Description |\n|---|---|\n| **Dark Services** | Services have zero listening ports. Invisible to scanners and unauthorized users. |\n| **Identity for Everything** | Cryptographic identity for users, services, devices, and non-human workloads (NHI). Not IP-based. |\n| **Identity-Based Operations** | Manage networks through identities and policies instead of IP addresses and firewall rules. Simplifies operations and eliminates manual network configuration. |\n| **End-to-End Encryption** | Data encrypted from source to destination using libsodium. mTLS for authentication. Zero trust in the network path. |\n| **No VPNs or Open Ports** | Connections route through OpenZiti's overlay. No VPN clients, no inbound firewall rules, no exposed ports. |\n| **Smart Routing** | Mesh fabric with intelligent path selection for performance and reliability. |\n| **Flexible Deployment** | Embed SDKs, use tunnelers, or deploy at the network level. Mix and match per service. |\n| **Policy-Driven Access** | Fine-grained, identity-based policies. Access can be revoked in real time, closing active connections. |\n| **Programmable REST APIs** | Full management API for automation and integration. Web-based admin console included. |\n| **Fully Self-Hostable** | Run the entire platform on your infrastructure. No vendor dependencies. Open source, Apache 2.0. |\n\n---\n\n## Three Deployment Models\n\nOpenZiti supports three zero-trust models. Mix them in a single network and migrate between them over time.\n\n### Network Access\n\nDeploy an OpenZiti edge router in a trusted network zone. Traffic enters the overlay from authenticated clients and exits into the private network where services run.\n\n- **Code changes:** None\n- **Agent on service host:** None\n- **Security model:** Identity-based access at the network boundary. Similar to a gateway, but with cryptographic identity and encrypted transport.\n\n### Host Access\n\nRun an OpenZiti tunneler on the same host as your service. The tunneler handles identity, authentication, and encryption. The service only needs to accept connections from localhost.\n\n- **Code changes:** None\n- **Setup:** Install tunneler, enroll identity\n- **Security model:** Trust boundary at the host OS. Service is dark to the network and only reachable through the tunneler.\n\n### Application Access (Strongest)\n\nEmbed an OpenZiti SDK directly in client and/or server applications. The application itself holds the cryptographic identity and encrypts traffic in-process. No listening ports exist, not even on localhost.\n\n- **Code changes:** Yes\n- **Security model:** Strongest. End-to-end encryption in-process. Fully dark. Identity at the application layer, not the network, not the host.\n\n\u003e **Where to start:** Many teams begin with **Host Access** (tunnelers) for existing services. It deploys in minutes with no code changes. For new development or high-security workloads, **Application Access** (SDKs) provides the strongest zero-trust posture.\n\n---\n\n## Getting Started\n\nThe following Quick Starts show how to set up a local OpenZiti network for development, testing, and learning.  For production deployments, see the product documentation at https://netfoundry.io/docs/openziti/category/deployments/.\n\n### Quick Start with Docker\n\nThe fastest way to get a local OpenZiti network running:\n\n```bash\nwget https://get.openziti.io/dock/all-in-one/compose.yml\ndocker compose up\n```\n\nThis starts a controller, edge router, and the Ziti console in a single compose stack. The console is available at `https://localhost:1280/zac/`. From here you can create identities, define services, and configure access policies.\n\nSee the [all-in-one Docker quickstart](./quickstart/docker/all-in-one) for full details including storage options, environment variables, and CLI usage.\n\n### Quick Start with the CLI\n\nDownload the latest `ziti` binary from [GitHub Releases](https://github.com/openziti/ziti/releases/latest), then:\n\n```bash\nziti edge quickstart\n```\n\nThis brings up a local development network: controller, router, and a default admin identity. Ideal for testing and learning.\n\n### Learn More\n\n| Resource | Description |\n|---|---|\n| [Introduction](https://netfoundry.io/docs/openziti/learn/introduction/) | Core concepts and how OpenZiti works |\n| [Quickstart Guides](https://netfoundry.io/docs/openziti/learn/quickstarts/) | Step-by-step setup for local, Docker, and hosted environments |\n| [Zero Trust Models](https://netfoundry.io/docs/openziti/learn/core-concepts/zero-trust-models/overview/) | Deep dive into the three deployment models |\n| [Tunneler Reference](https://netfoundry.io/docs/openziti/reference/tunnelers/) | Get started with zero code changes |\n\n---\n\n## Architecture\n\nOpenZiti's overlay network runs on top of existing infrastructure: any IP network, any cloud, any combination. The core components:\n\n### Controller\n\nThe controller is the management plane. It handles:\n\n- **Identity management**: issues and verifies cryptographic identities (x509 certificates) for every participant in the network\n- **Policy enforcement**: defines which identities can access which services, through which edge routers\n- **Network state**: tracks routers, services, and topology; provides a REST API and web-based admin console for management\n\n### Edge Routers\n\nEdge routers form the data plane, a mesh fabric that carries encrypted traffic between endpoints.\n\n- **Public routers** are reachable from the internet, serving as entry points to the network\n- **Private (\"dark\") routers** are deployed inside private networks with only outbound connections\n\nRouters automatically discover each other, form mesh connections, and use smart routing to select the best path based on latency, throughput, and cost.\n\n### Endpoints: SDKs and Tunnelers\n\nEndpoints are how applications and users connect to the OpenZiti network:\n\n- **SDKs** (Go, C, Python, Node.js, Java, Swift, C#): embed zero trust directly in your application. The app itself holds the identity and handles encryption. No sidecar, no agent, no listening ports.\n\n- **Tunnelers** (Linux, Windows, macOS, iOS, Android): lightweight apps that provide OpenZiti connectivity to unmodified software. Traffic is intercepted and routed through the overlay transparently. No code changes required.\n\n---\n\n## Zero Trust, Dark Services, and End-to-End Encryption\n\n### Zero Trust and Application Segmentation\n\nEvery participant (e.g., user, service, device, workload) in an OpenZiti network carries a unique cryptographic identity backed by x509 certificates. When a connection is attempted, OpenZiti verifies:\n\n1. The identity is valid and enrolled\n2. A policy exists granting that identity access to the requested service\n3. The connection is through an authorized edge router\n\nIf any check fails, the connection is denied. If access is later revoked, active connections are terminated immediately. There is no implicit trust based on network location. Being on the same LAN grants no more access than being across the internet, unless policy explicitly allows it.\n\nThis model provides zero trust application segmentation: each service is independently authorized. Gaining access to one service does not grant access to any other.\n\n### Dark Services\n\nA \"dark\" service has no open ports. It doesn't listen on any network interface for incoming connections. Instead, the service (or a tunneler alongside it) makes an **outbound** connection to an OpenZiti edge router and registers itself. Clients reach it only through the OpenZiti fabric, after authentication and authorization.\n\nWhat this means in practice:\n\n- **Port scans find nothing**: there are no listening ports to discover\n- **No attack surface**: you can't exploit what you can't reach\n- **DDoS resistance**: there is no public endpoint to flood\n- **Invisible to unauthorized users**: only identities with matching policy even know the service exists\n- **NAT and firewall friendly**: all connections are outbound, so CG-NAT, double-NAT, and restrictive firewalls are not a concern\n\nEdge routers can also be dark. Private routers make only outbound connections, so no inbound firewall rules are needed in your private network.\n\n### End-to-End Encryption\n\nWith OpenZiti SDKs, traffic is encrypted from the sending application to the receiving application using libsodium for the data path and mTLS for identity authentication. Even if routers or intermediate networks are compromised, traffic cannot be decrypted or tampered with.\n\nWith tunnelers, encryption covers the path from tunneler to tunneler (or tunneler to SDK), providing machine-to-machine encryption without application changes.\n\n---\n\n## SDKs\n\nEmbed zero-trust networking directly in your applications:\n\n| Language | Repository | Notes |\n|---|---|---|\n| Go | [sdk-golang](https://github.com/openziti/sdk-golang) | Used by the OpenZiti project itself |\n| C | [ziti-sdk-c](https://github.com/openziti/ziti-sdk-c) | Ideal for embedded systems, IoT, and high-performance use cases |\n| Java / Kotlin | [ziti-sdk-jvm](https://github.com/openziti/ziti-sdk-jvm) | Includes Android support |\n| Swift | [ziti-sdk-swift](https://github.com/openziti/ziti-sdk-swift) | iOS and macOS |\n| Node.js | [ziti-sdk-nodejs](https://github.com/openziti/ziti-sdk-nodejs) | |\n| C# / .NET | [ziti-sdk-csharp](https://github.com/openziti/ziti-sdk-csharp) | |\n| Python | [ziti-sdk-py](https://github.com/openziti/ziti-sdk-py) | |\n\nAll SDKs are listed under the [OpenZiti GitHub organization](https://github.com/openziti).\n\n---\n\n## Security\n\nOpenZiti is a security-focused project. Responsible disclosure of vulnerabilities helps us keep the platform and its users safe.\n\n**Reporting a vulnerability:** If you discover a security issue, please review our [Vulnerability Disclosure Policy](https://github.com/openziti/security/blob/main/vulnerability_disclosure_policy.md) for full details. Sensitive issues should be reported to **security@openziti.org**. Non-sensitive issues can be filed as GitHub issues in the appropriate repository. You should receive a response within 7 days.\n\n**How we handle vulnerabilities:** Our [Product Security Incident Response Process](https://github.com/openziti/security/blob/main/product_security_incident_response_process.md) describes how reported vulnerabilities are triaged, documented, and resolved — including how CVE releases are coordinated with fixes.\n\n**Safe harbor:** OpenZiti and NetFoundry will not pursue legal action against anyone who researches and reports vulnerabilities in good faith. We encourage security research and attribute reported findings to their reporters in advisories and release notes.\n\n---\n\n## Community \u0026 Support\n\nOpenZiti has an active and growing community:\n\n- **[Discourse Forum](https://openziti.discourse.group/)**: Ask questions, share projects, get help from the community and maintainers\n- **[YouTube](https://www.youtube.com/@OpenZiti)**: Tutorials, demos, and deep dives\n- **[Blog](https://blog.openziti.io)**: Project updates and technical articles\n- **[Twitter/X](https://twitter.com/openziti)**: News and announcements\n\n---\n\n## Contributing\n\nThe OpenZiti project welcomes contributions including code, documentation, bug reports, and feedback.\n\n### Key Repositories\n\n| Repository | Description |\n|---|---|\n| [openziti/ziti](https://github.com/openziti/ziti) | Core platform: controller, routers, CLI |\n| [sdk-golang](https://github.com/openziti/sdk-golang) | Go SDK |\n| [ziti-sdk-c](https://github.com/openziti/ziti-sdk-c) | C SDK |\n| [ziti-sdk-jvm](https://github.com/openziti/ziti-sdk-jvm) | Java / Kotlin / Android SDK |\n| [ziti-sdk-swift](https://github.com/openziti/ziti-sdk-swift) | Swift / iOS SDK |\n| [ziti-sdk-nodejs](https://github.com/openziti/ziti-sdk-nodejs) | Node.js SDK |\n| [ziti-sdk-csharp](https://github.com/openziti/ziti-sdk-csharp) | C# SDK |\n| [ziti-sdk-py](https://github.com/openziti/ziti-sdk-py) | Python SDK |\n| [ziti-tunnel-sdk-c](https://github.com/openziti/ziti-tunnel-sdk-c) | Linux tunneler and core tunneler SDK |\n| [ziti-tunnel-apple](https://github.com/openziti/ziti-tunnel-apple) | macOS and iOS edge clients |\n| [desktop-edge-win](https://github.com/openziti/desktop-edge-win) | Windows desktop edge client |\n| [ziti-doc](https://github.com/openziti/ziti-doc) | Documentation site |\n\n### Building from Source\n\nSee the [local development tutorial](./doc/002-local-dev.md) for build instructions.\n\n### Developer Documentation\n\n- [Developer Overview](./doc/001-overview.md)\n- [Local Development](./doc/002-local-dev.md)\n- [Local Deployment](./doc/003-local-deploy.md)\n- [Controller PKI](./doc/004-controller-pki.md)\n- [Release Notes](./CHANGELOG.md)\n\n---\n\n## Adopters\n\nOpenZiti is used in production by organizations including [DeltaSecure](https://deltasecure.de/) (managed SOC), [Resulticks](https://www.resulticks.com/) (marketing automation), [Chirp Wireless](https://chirpwireless.io/) (IoT/telecom), [GIGO Dev](https://gigo.dev/) (cloud dev environments), [OSMIT](https://osmit.de/) (managed IT/GDPR compliance), and open-source projects like [zrok](https://zrok.io) and [BlueBubbles](https://bluebubbles.app).\n\nSee the full list: **[ADOPTERS.md](./ADOPTERS.md)**. Using OpenZiti? We'd love to add you — open an issue or submit a PR.\n\n---\n\n## Managed Solution\n\nFor zero-trust networking without managing your own infrastructure, [NetFoundry](https://netfoundry.io/docs/openziti/#deploy_an_overlay) provides a fully managed, globally distributed OpenZiti network as a service, with SLAs, enterprise support, and a global fabric of edge routers.\n\n---\n\n*OpenZiti is developed and open-sourced by [NetFoundry, Inc](https://netfoundry.io).*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenziti%2Fziti","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopenziti%2Fziti","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenziti%2Fziti/lists"}