This application performs automated assessments against GitHub repositories using controls defined in the Open Source Project Security Baseline v2025.02.25. The application consumes the OSPS Baseline controls using Gemara layer 2 and produces results of the automated assessments using layer 4.
Many of the assessments depend on the presence of a Security Insights file, either at the root of the repository or at ./github/security-insights.yml.
Currently 39 control requirements across OSPS Baseline levels 1-3 are covered, with 13 not yet implemented. Maturity Level 1 requirements are the most rigorously tested and are recommended for use. The results of these Level 1 assessments are integrated into LFX Insights, powering the Security & Best Practices results.
Level 2 and Level 3 requirements are under active development and may be less rigorously tested.
To run the GitHub scanner locally, you will need the Privateer (pvtr) framework and the GitHub repository scanner (pvtr-github-repo-scanner) plugin.
- Install pvtr using one of the methods described here.
- Next, download the pvtr-github-repo-scanner plugin from the releases.
The following command is an example where pvtr, pvtr-github-repo-scanner, and config.yaml are all in the same directory.

```shell
./pvtr run --binaries-path .
```

If the binaries and the config file are in different directories, specify the complete paths using the --binaries-path and --config flags. You may have to adjust the plugin name in config.yaml to match them.
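A preflight script for the local run described above, added here as an example and not part of the project: it locates the Security Insights file that many assessments depend on and assembles the pvtr invocation with explicit --binaries-path and --config values. It assumes the plugin binary is named pvtr-github-repo-scanner and that the second Security Insights location is .github/ (the README writes it as ./github/).

```shell
#!/bin/sh
# Preflight for the pvtr GitHub repo scanner (added example, not project code).

# Print the path of the Security Insights file in a checked-out repo, or return 1
# if neither expected location exists. Locations assumed: the repository root and
# .github/ (the README writes the latter as ./github/).
find_security_insights() {
  repo="$1"
  for candidate in "$repo/security-insights.yml" "$repo/.github/security-insights.yml"; do
    if [ -f "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# Assemble the scanner command for binaries and config kept in different
# directories. Verifies both binaries and the config file exist, then prints the
# command line without executing it.
build_pvtr_cmd() {
  binaries_dir="$1"
  config_file="$2"
  [ -x "$binaries_dir/pvtr" ] || { echo "pvtr not found in $binaries_dir" >&2; return 1; }
  [ -x "$binaries_dir/pvtr-github-repo-scanner" ] || { echo "plugin binary not found in $binaries_dir" >&2; return 1; }
  [ -f "$config_file" ] || { echo "config file $config_file not found" >&2; return 1; }
  printf '%s run --binaries-path %s --config %s\n' "$binaries_dir/pvtr" "$binaries_dir" "$config_file"
}

# Usage against a real checkout and install (paths are placeholders):
# find_security_insights ./my-repo || echo "warning: Security Insights file missing; many assessments will not pass" >&2
# eval "$(build_pvtr_cmd /opt/pvtr ./config.yaml)"
```

Run the Security Insights check against the repository you intend to scan before invoking pvtr, so a missing file is caught up front rather than surfacing as a run of failed assessments.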
To build and run the scanner as a container instead:

```shell
# build the image
docker build . -t local

docker run \
  -v ./config.yml:/.privateer/config.yml \
  -v ./evaluation_results:/.privateer/bin/evaluation_results \
  local
```

See the OSPS Security Baseline Scanner.
Contributions are welcome! Please see our Contributing Guidelines for more information.
This project is licensed under the Apache 2.0 License - see the LICENSE file for details.
