Skip to main content

Open source starter kit for adopting OSS security baselines via policy packs, templates, evidence, and remediation.

Project description

OSS Security Policy as Code Starter Kit

Pass/fail security policy gates for OSS repositories, with explicit assurance grading and framework mappings.

CI Security CI PyPI Python License

At a Glance

oss-policy-kit evaluates a local repository clone plus optional evidence files, then emits Markdown, JSON, and optional SARIF reports for humans and CI gates.

Current release Bundled profiles Controls CLI commands Python
v7.0.0 56 212 17 3.12+

Use it when you need a local-first gate that combines repository governance, CI/CD hardening, release posture, scanner evidence, waivers, and framework-oriented reporting. It is not a vulnerability scanner, certification engine, or legal compliance guarantee.

Quickstart

python -m pip install oss-policy-kit
python -m oss_policy_kit init --target . --with-evidence --with-workflow
python -m oss_policy_kit evaluate --target . --profile github-level-1 --fail-on fail

The evaluation writes:

  • evaluation-report.md for review.
  • evaluation-report.json for automation.
  • evaluation-report.sarif when --sarif-output is set.

First-time tutorial: docs/tutorial-first-pr-gate.md. Compact CLI reference: docs/quickstart-15-min.md.

What It Does

  • Evaluates bundled policy profiles against a repository clone.
  • Uses optional evidence under .oss-policy-kit/evidence/ for platform-only facts.
  • Composes signals from local files, workflows, SARIF/JSON scanner outputs, waivers, and release evidence.
  • Labels controls by assurance type: deterministic, signal, or evidence-backed.
  • Supports Markdown, JSON report contracts, and optional SARIF for code-scanning workflows.
  • Keeps waivers visible with owner, reason, and expiry metadata.

What It Does Not Do

  • It does not certify CRA, SLSA, OSPS, SSDF, or AI Act compliance.
  • It does not replace SAST, SCA, secrets scanning, threat modeling, secure code review, pentesting, or live platform review.
  • It does not prove branch protection, rulesets, MFA, cloud posture, or registry settings unless you provide API-backed evidence.
  • It does not claim SLSA Build L3. The current trust model is documented in docs/supply-chain-verification.md.

Core Capabilities

Area Included
Repository governance LICENSE, SECURITY, CONTRIBUTING, CODEOWNERS, branch protection evidence, release hygiene
CI/CD posture GitHub Actions, Azure Pipelines, AWS CodeBuild/CodePipeline, GitLab CI signals
Release hardening OIDC publishing, provenance evidence, artifact verification, source-built container flow
Scanner composition SARIF/JSON ingestion for tools such as zizmor, OSV-Scanner, Gitleaks, Scorecard, and Semgrep
Framework mapping OSPS, NIST SSDF, SLSA, S2C2F, OWASP CI/CD, EU CRA, EU AI Act readiness signals
AI and agent security AI agent source-side checks, MCP server security, OWASP Agentic ASI mapping
Exception handling Waiver registry with reason, owner, scope, and expiry

Profiles

List bundled profiles:

python -m oss_policy_kit profiles

Common starting points:

Profile Use when
github-level-1 First GitHub repository gate
github-level-2 Stricter GitHub governance and CI/CD posture
oss-publish-readiness-1 Release/publish readiness for OSS packages
appsec-sast-sca-1 Compose SAST/SCA/secrets scanner evidence
osps-baseline-2026-1 OpenSSF OSPS Baseline 2026-oriented review
cra-eu-ready-2-1 EU CRA Article 13/14 readiness signals
ai-agent-baseline-1 Source-side checks for AI agent repositories
appsec-mcp-server-1 MCP server security readiness

Full profile guide: docs/profiles/overview.md.

GitHub Action

- uses: lucashgrifoni/OSS-Security-Policy-as-Code-Starter-Kit@v6.4.0
  with:
    profile: github-level-1
    fail-on: fail

Action reference: docs/github-action.md. Starter workflows live under templates/workflows/.

Reports and Contracts

By default, evaluate writes reports/2.0 JSON (the default flipped from reports/1.0 in v7.0.0 — ADR-027). reports/1.0 stays selectable via --report-json-contract=1.0 for one minor cycle, then deprecates. Contracts and migration:

Exit codes:

Code Meaning
0 Success; configured fail threshold was not violated
1 Evaluation completed and the fail threshold was violated
2 Usage, validation, or load error
3 Unexpected internal error

Supply Chain Verification

PyPI publication uses Trusted Publishing and registry attestations. Release artifacts also use GitHub Artifact Attestations. Container images are built from the checked-out release source tree, signed with cosign keyless, and attested.

Verification commands and limits are in docs/supply-chain-verification.md.

Documentation Map

Topic Link
Documentation index docs/README.md
Architecture docs/architecture.md
CLI reference docs/cli-reference.md
Results guide docs/results-guide.md
Framework alignment docs/framework-alignment.md
Positioning and limits docs/positioning.md
EU CRA readiness docs/cra-readiness.md
EU AI Act readiness docs/eu-ai-act-readiness.md
MCP server security docs/mcp-server-security.md
Release readiness docs/release-readiness.md
Changelog CHANGELOG.md

Repository Layout

Path Purpose
src/oss_policy_kit/ Python package, CLI, evaluators, parsers, reporting
src/oss_policy_kit/data/ Bundled controls, profiles, and schemas
templates/ Starter workflows, waivers, docs, and ruleset examples
examples/ Hardened and vulnerable example repositories
tests/ Unit, application, integration, infrastructure, and property tests
docs/ User docs, architecture, mappings, ADRs, and release notes

Contributing and Security

License

Apache-2.0. See LICENSE and NOTICE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

oss_policy_kit-7.0.0.tar.gz (355.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

oss_policy_kit-7.0.0-py3-none-any.whl (483.2 kB view details)

Uploaded Python 3

File details

Details for the file oss_policy_kit-7.0.0.tar.gz.

File metadata

  • Download URL: oss_policy_kit-7.0.0.tar.gz
  • Upload date:
  • Size: 355.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for oss_policy_kit-7.0.0.tar.gz
Algorithm Hash digest
SHA256 483ffd5481b944063a09e87507b92564d9ccd55ca9cbdb7a13952061bb806ecd
MD5 0014311504e1158c4699a45ad816e62b
BLAKE2b-256 e9432ba453d1e014a40778a547b388db5310c8ac91fb47414e2ffc85a1ba5e2e

See more details on using hashes here.

Provenance

The following attestation bundles were made for oss_policy_kit-7.0.0.tar.gz:

Publisher: publish-pypi.yml on lucashgrifoni/OSS-Security-Policy-as-Code-Starter-Kit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file oss_policy_kit-7.0.0-py3-none-any.whl.

File metadata

  • Download URL: oss_policy_kit-7.0.0-py3-none-any.whl
  • Upload date:
  • Size: 483.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for oss_policy_kit-7.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 947448df6bd3c741c04ff7ccc6d25b69cfd4addb7ad37fe8df2bc740b27bc1a6
MD5 a667210b74668641bd22291b19ce293c
BLAKE2b-256 5198dd1bb6bb5c0869a1b5607d6ae3c109294725a66b9b4d6630c45da989d07d

See more details on using hashes here.

Provenance

The following attestation bundles were made for oss_policy_kit-7.0.0-py3-none-any.whl:

Publisher: publish-pypi.yml on lucashgrifoni/OSS-Security-Policy-as-Code-Starter-Kit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page