https://github.com/ossf/security-insights-spec
OPENSSF SECURITY INSIGHTS: Repository for development of the draft standard, where requests for modification should be made via Github Issues.
- Host: GitHub
- URL: https://github.com/ossf/security-insights-spec
- Owner: ossf
- License: other
- Created: 2022-01-16T23:19:12.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2025-01-10T05:21:24.000Z (3 months ago)
- Last Synced: 2025-01-10T06:34:03.441Z (3 months ago)
- Language: CUE
- Size: 285 KB
- Stars: 56
- Watchers: 11
- Forks: 10
- Open Issues: 5
Metadata Files:
- Readme: README.md
- Contributing: .github/CONTRIBUTING.md
- License: LICENSE
- Security: .github/SECURITY.md
- Governance: docs/GOVERNANCE.md
- Roadmap: docs/roadmap/security-insights-v1.1.md
Awesome Lists containing this project
- awesome-software-supply-chain-security - OpenSSF Security Insights Spec
README
[Slack: #security_insights](https://openssf.slack.com/messages/security_insights/)
# Security Insights Specification
This specification provides a mechanism for projects to report information about their security in a machine-processable way. It is formatted as a YAML file to make it easy to read and edit by humans.
The data tracked within this specification is intended to fill the gap between simplified solutions such as `SECURITY.md` and comprehensive, automatable solutions such as SBOMs. In that gap lie elements that must be self-reported by projects so that end users can make informed security decisions.
## Usage
Projects should include a `security-insights.yml` file in the root of their repository, or in the appropriate source forge directory such as `.github/` or `.gitlab/`. Users should assume the contents of that file will be updated any time the relevant information changes.
To ensure you are adhering to an official version of the specification, please refer to the `specification.md` in the [latest release](https://github.com/ossf/security-insights/releases/latest), which is a versioned compilation of all details.
This repository often remains unchanged from the latest release, but may diverge as incremental development takes place in preparation for an upcoming release. Any differences between the latest release and the main branch should only be considered previews of the next release.
As the adoption of Security Insights grows, so does the opportunity to automatically ingest it. For example, the Linux Foundation's [CLOMonitor](https://clomonitor.io/) parses a project's Security Insights file to determine whether projects have reported on select security factors prioritized by the foundation.
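A consumer-side helper, added here as an example and not part of the specification repository: it resolves a project's `security-insights.yml` in the order the Usage section gives (repository root, then `.github/`, then `.gitlab/`) and, when the `cue` CLI is installed, validates the file against the repository's `schema.cue`. The `cue vet` invocation assumes `schema.cue` constrains the top-level document; if the schema is exported as a named definition instead, pass it with `cue vet -d`.

```shell
#!/bin/sh
# Added example (not from ossf/security-insights-spec).
# Resolve a project's security-insights.yml using the locations named in the
# README: repository root first, then .github/, then .gitlab/.
# Prints the first path found and returns 0; returns 1 if none exists.
find_security_insights() {
    repo="$1"
    for candidate in \
        "$repo/security-insights.yml" \
        "$repo/.github/security-insights.yml" \
        "$repo/.gitlab/security-insights.yml"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Validate the located file against the CUE schema shipped with the spec.
# $1 = repository checkout, $2 = path to the spec's schema.cue.
# Returns 1 when no file is found, 2 when the cue CLI is unavailable,
# otherwise the exit status of `cue vet`.
validate_security_insights() {
    repo="$1"
    schema="$2"
    file=$(find_security_insights "$repo") || {
        echo "no security-insights.yml found in $repo" >&2
        return 1
    }
    if ! command -v cue >/dev/null 2>&1; then
        echo "cue CLI not installed; skipping schema validation of $file" >&2
        return 2
    fi
    # Assumes schema.cue constrains the top-level document; for a named
    # definition use: cue vet -d '#Name' "$schema" "$file"
    cue vet "$schema" "$file"
}
```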
## Maintenance
The specification maintenance occurs in the following places:
- `specification/`: Contains markdown details for all specification values
- `schema.cue`: Contains the CUE schema that can be used to validate files against the specification
- `template-full.yml`: Contains a template that includes all possible fields
- `template-minimal.yml`: Contains a template that includes only the required fields
Discussion and feedback should take place in [GitHub Issues](https://github.com/ossf/security-insights/issues).
Because this specification receives light maintenance and infrequent updates, beginning in 2025 we ask that you follow the [Security Insights Enhancement Proposal](./docs/GOVERNANCE.md#security-insights-enhancement-proposals) process to explore potential changes to the specification.