This application performs automated assessments against GitHub repositories using controls defined in the Open Source Project Security Baseline v2025.02.25. The application consumes the OSPS Baseline controls using Gemara layer 2 and produces results of the automated assessments using layer 4.
Many of the assessments depend upon the presence of a Security Insights file at the root of the repository or at ./github/security-insights.yml.
Currently 39 control requirements across OSPS Baseline levels 1-3 are covered, with 13 not yet implemented. Maturity Level 1 requirements are the most rigorously tested and are recommended for use. The results of these Level 1 assessments are integrated into LFX Insights, powering the Security & Best Practices results.
Level 2 and Level 3 requirements are under active development and may be less rigorously tested.
```sh
# build the image
docker build . -t local

# run the assessment, mounting the config file and the results directory into the container
docker run \
  --mount type=bind,source=./config.yml,destination=/.privateer/config.yml \
  --mount type=bind,source=./evaluation_results,destination=/.privateer/bin/evaluation_results \
  local
```
We've pushed an image to docker hub for use in GitHub Actions.
You will also need to set up a GitHub personal access token with repository read permissions. This token should be added to your config file, or — if using the example pipeline below — as a secret in your repository.
Contributions are welcome! Please see our Contributing Guidelines for more information.
This project is licensed under the Apache 2.0 License - see the LICENSE file for details.