Open source starter kit for adopting OSS security baselines via policy packs, templates, evidence, and remediation.

Project description

OSS Policy Kit CLI

OSS Security Policy as Code Starter Kit

Pass/fail security policy gates for your repository - with explicit trust grading.
Composes zizmor, OSV-Scanner, Gitleaks, Scorecard, Semgrep, and your multi-platform CI/CD signals into one regulatory-aware decision.

This is the v6.0.0 release: 52 bundled profiles, 212 controls, and 17 CLI subcommands. Supply-chain trust uses GitHub Artifact Attestations and PyPI Trusted Publishing (not a SLSA Build L3 claim — see docs/supply-chain-verification.md).

Why use this

  • One decision from many signals. Composes SARIF and JSON evidence from zizmor, OSV-Scanner, Gitleaks, Scorecard, Semgrep, and the bundled evaluators into a single gate result.
  • Multi-platform CI/CD in one report. GitHub Actions, Azure Pipelines, AWS CodeBuild/CodePipeline, and GitLab CI signals are evaluated from a local clone plus optional evidence files.
  • Regulatory-aware out of the box. EU CRA, NIST SSDF, OSPS, SLSA, S2C2F, and OWASP CI/CD Top 10 mappings ship as profiles and docs, without requiring Rego.
  • Honest about limits. Each control is labelled deterministic, signal, or evidence-backed, so reviewers can see what was proven and what still needs platform evidence.

Quickstart

Python 3.12+ required.

python -m pip install oss-policy-kit
python -m oss_policy_kit init --target . --with-evidence --with-workflow
python -m oss_policy_kit evaluate --target .

You get evaluation-report.md and evaluation-report.json with pass/fail states, remediation text, waiver visibility, and trust grading per control. Optional SARIF output is available with --sarif-output.

Full first-time adopter tutorial: docs/tutorial-first-pr-gate.md. Existing compact quickstart: docs/quickstart-15-min.md.

Use as a GitHub Action

- uses: lucashgrifoni/OSS-Security-Policy-as-Code-Starter-Kit@v5
  with:
    profile: github-level-1
    fail-on: fail

Inputs map 1:1 to CLI flags. See docs/github-action.md.

Sample output

Hardened example on the github-level-1 profile:

(screenshot: hardened example output)

Vulnerable example, same profile:

(screenshot: vulnerable example output)

Browse full sample reports: docs/sample-reports/. Report schema: docs/reports-contract-v1.0.md.

How it compares

| Capability | OSS Policy Kit | Scorecard | zizmor / OSV / Gitleaks | Conftest / OPA | Kyverno |
|---|---|---|---|---|---|
| Multi-platform repository and CI/CD gate | Yes | GitHub-centric | Scanner-specific | Adopter writes | Kubernetes-focused |
| Built-in regulatory and framework profiles | Yes | No | No | No | Policy-dependent |
| Assurance grading per control | Yes | Score-based | No | No | Policy-dependent |
| Composes scanner SARIF / JSON | Yes | No | n/a | No | No |
| Waiver registry with owner, reason, expiry | Yes | No | No | Adopter writes | Policy-dependent |
| CycloneDX VEX emission | Yes | No | No | No | No |
| Local-first, no API key by default | Yes | Mostly | Yes | Yes | Yes |

Full positioning, including what this kit is not: docs/positioning.md.

What this kit does

The kit reads a repository clone and optional evidence files, evaluates bundled profiles, and emits Markdown, JSON (reports/1.0 by default), and optional SARIF. v6.0.0 adds profiles and controls across AI/LLM advisory coverage, EU AI Act Article 11 + Annex IV readiness, EU CRA Article 13/14 signals, SLSA source checks (L1/L2), GitLab L2, OSS publish readiness, WORM publish-defense checks, AI agent source-side checks, OSPS Baseline 2026, MCP server security, and OWASP Agentic ASI.

It is not a universal vulnerability scanner, an OSPS certification engine, a compliance guarantee, or a substitute for threat modeling, secure code review, pentesting, or live platform settings review. See docs/results-guide.md.

CI/CD integration

Starter workflows live under templates/workflows/.

Typical CI command:

python -m oss_policy_kit evaluate --target . --profile github-level-1 --fail-on fail --output-dir ./oss-policy-reports

Exit codes: 0 success, 1 gate failed, 2 usage/load error, 3 unexpected internal error.

Outputs

Each evaluate run writes evaluation-report.md for humans, evaluation-report.json for automation, and evaluation-report.sarif when --sarif-output is passed. Detailed schemas live in docs/reports-contract-v1.0.md and docs/reports-contract-v2.0.md.

Supply chain verification

PyPI publication uses Trusted Publishing and the PyPA publishing action's registry attestations, while the release build also generates GitHub Artifact Attestations for wheel/sdist files. Container images are built from the checked-out release source tree, signed with cosign keyless, and attested with GitHub Artifact Attestations.

This branch does not claim SLSA Build L3. See docs/supply-chain-verification.md for exact verification commands and the current trust model.

Documentation

| Topic | Doc |
|---|---|
| Documentation index | docs/README.md |
| At a glance | docs/at-a-glance.md |
| Release state | docs/release-state.md |
| Quickstart tutorial | docs/tutorial-first-pr-gate.md |
| CLI reference | docs/cli-reference.md |
| Results guide | docs/results-guide.md |
| Profiles overview | docs/profiles/overview.md |
| Framework alignment | docs/framework-alignment.md |
| Positioning vs alternatives | docs/positioning.md |
| EU CRA readiness | docs/cra-readiness.md |
| Architecture | docs/architecture.md |
| Release and supply chain | docs/release-readiness.md / docs/supply-chain-verification.md |
| Roadmap | ROADMAP.md |
| Changelog | CHANGELOG.md |

Community and contributing

License

Apache-2.0. See LICENSE and NOTICE.

Download files

Source Distribution

oss_policy_kit-6.0.0.tar.gz (311.8 kB view details)

Built Distribution

oss_policy_kit-6.0.0-py3-none-any.whl (421.7 kB view details)

File details

Details for the file oss_policy_kit-6.0.0.tar.gz.

File metadata

  • Download URL: oss_policy_kit-6.0.0.tar.gz
  • Size: 311.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for oss_policy_kit-6.0.0.tar.gz
Algorithm Hash digest
SHA256 8681170c325f6617339845cff4c8d843bc005469ecd052ed2a03b1c93455951b
MD5 e5e78b2dcabe94db86ee9a5d90ec0b70
BLAKE2b-256 99373dcdd2f91f64d52d8a93e754d7927312ad3c1fec59dccee0861a2a88182b

Provenance

The following attestation bundles were made for oss_policy_kit-6.0.0.tar.gz:

Publisher: publish-pypi.yml on lucashgrifoni/OSS-Security-Policy-as-Code-Starter-Kit

File details

Details for the file oss_policy_kit-6.0.0-py3-none-any.whl.

File metadata

  • Download URL: oss_policy_kit-6.0.0-py3-none-any.whl
  • Size: 421.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for oss_policy_kit-6.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 2f8971135909a43673b8ea7b72b83a0009fd6492898582670b603403dbe8cbe3
MD5 c05f609e964be4019fd41a904c11345a
BLAKE2b-256 88774891e903aea7f78f79ce0df414a010d3619e330b9ba0e3c6f732d90944e8

Provenance

The following attestation bundles were made for oss_policy_kit-6.0.0-py3-none-any.whl:

Publisher: publish-pypi.yml on lucashgrifoni/OSS-Security-Policy-as-Code-Starter-Kit
