Open source starter kit for adopting OSS security baselines via policy packs, templates, evidence, and remediation.

Project description

OSS Security Policy as Code Starter Kit

Pass/fail security policy gates for OSS repositories, with explicit assurance grading and framework mappings.

At a Glance

oss-policy-kit evaluates a local repository clone plus optional evidence files, then emits Markdown, JSON, and optional SARIF reports for humans and CI gates.

| Current release | Bundled profiles | Controls | CLI commands | Python |
| --- | --- | --- | --- | --- |
| v7.2.0 | 56 | 212 | 19 | 3.12+ |

Use it when you need a local-first gate that combines repository governance, CI/CD hardening, release posture, scanner evidence, waivers, and framework-oriented reporting. It is not a vulnerability scanner, certification engine, or legal compliance guarantee.

Quickstart

python -m pip install oss-policy-kit
python -m oss_policy_kit init --target . --with-evidence --with-workflow
python -m oss_policy_kit evaluate --target . --profile github-level-1 --fail-on fail

The evaluation writes:

  • evaluation-report.md for review.
  • evaluation-report.json for automation.
  • evaluation-report.sarif when --sarif-output is set.

First-time tutorial: docs/tutorial-first-pr-gate.md. Compact CLI reference: docs/quickstart-15-min.md.

What It Does

  • Evaluates bundled policy profiles against a repository clone.
  • Uses optional evidence under .oss-policy-kit/evidence/ for platform-only facts.
  • Composes signals from local files, workflows, SARIF/JSON scanner outputs, waivers, and release evidence.
  • Labels controls by assurance type: deterministic, signal, or evidence-backed.
  • Supports Markdown, JSON report contracts, and optional SARIF for code-scanning workflows.
  • Keeps waivers visible with owner, reason, and expiry metadata.

What It Does Not Do

  • It does not certify CRA, SLSA, OSPS, SSDF, or AI Act compliance.
  • It does not replace SAST, SCA, secrets scanning, threat modeling, secure code review, pentesting, or live platform review.
  • It does not prove branch protection, rulesets, MFA, cloud posture, or registry settings unless you provide API-backed evidence.
  • It does not claim SLSA Build L3. The current trust model is documented in docs/supply-chain-verification.md.

Core Capabilities

| Area | Included |
| --- | --- |
| Repository governance | LICENSE, SECURITY, CONTRIBUTING, CODEOWNERS, branch protection evidence, release hygiene |
| CI/CD posture | GitHub Actions, Azure Pipelines, AWS CodeBuild/CodePipeline, GitLab CI signals |
| Release hardening | OIDC publishing, provenance evidence, artifact verification, source-built container flow |
| Scanner composition | SARIF/JSON ingestion for tools such as zizmor, OSV-Scanner, Gitleaks, Scorecard, and Semgrep |
| Framework mapping | OSPS, NIST SSDF, SLSA, S2C2F, OWASP CI/CD, EU CRA, EU AI Act readiness signals |
| AI and agent security | AI agent source-side checks, MCP server security, OWASP Agentic ASI mapping |
| Exception handling | Waiver registry with reason, owner, scope, and expiry |

Profiles

List bundled profiles:

python -m oss_policy_kit profiles

Common starting points:

| Profile | Use when |
| --- | --- |
| github-level-1 | First GitHub repository gate |
| github-level-2 | Stricter GitHub governance and CI/CD posture |
| oss-publish-readiness-1 | Release/publish readiness for OSS packages |
| appsec-sast-sca-1 | Compose SAST/SCA/secrets scanner evidence |
| osps-baseline-2026-1 | OpenSSF OSPS Baseline 2026-oriented review |
| cra-eu-ready-2-1 | EU CRA Article 13/14 readiness signals |
| ai-agent-baseline-1 | Source-side checks for AI agent repositories |
| appsec-mcp-server-1 | MCP server security readiness |

Full profile guide: docs/profiles/overview.md.

GitHub Action

- uses: lucashgrifoni/OSS-Security-Policy-as-Code-Starter-Kit@v7.0.1
  with:
    profile: github-level-1
    fail-on: fail

Action reference: docs/github-action.md. Starter workflows live under templates/workflows/.

Reports and Contracts

By default, evaluate writes reports/2.0 JSON (the default flipped from reports/1.0 in v7.0.0 — ADR-027). reports/1.0 stays selectable via --report-json-contract=1.0 for one minor cycle, then deprecates. Contracts and migration:

Exit codes:

| Code | Meaning |
| --- | --- |
| 0 | Success; configured fail threshold was not violated |
| 1 | Evaluation completed and the fail threshold was violated |
| 2 | Usage, validation, or load error |
| 3 | Unexpected internal error |
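
A CI wrapper for the exit codes above, as an added example that is not part of the project's own code: it fails closed, keeps a policy failure (1) distinct from a broken gate (2 or 3), and counts exit 0 as a pass only when a fresh report exists. The function names and the assumption that evaluation-report.json is written to the working directory belong to this example, not to the project.

```shell
#!/bin/sh
# Added example: fail-closed CI gate built on the exit codes documented above.
# Assumption: evaluation-report.json lands in the working directory; override
# REPORT_JSON if your run writes it elsewhere.
REPORT_JSON="${REPORT_JSON:-evaluation-report.json}"

# classify_exit CODE: map a documented exit code to a verdict string.
classify_exit() {
  case "$1" in
    0) echo "pass" ;;
    1) echo "policy-fail" ;;      # threshold violated: the change must be fixed
    2) echo "usage-error" ;;      # bad flags/profile/evidence: gate is misconfigured
    3) echo "internal-error" ;;   # tool crashed: nothing was actually evaluated
    *) echo "unknown" ;;          # killed by signal, command not found, ...
  esac
}

# run_gate CMD [ARGS...]: run the evaluator, print one verdict on stdout,
# return 0 only for a pass that is backed by a fresh report.
run_gate() {
  _rc=0
  rm -f -- "$REPORT_JSON"         # a stale report from an earlier run proves nothing
  "$@" >&2 || _rc=$?              # tool output goes to stderr; safe under set -e
  _verdict=$(classify_exit "$_rc")
  if [ "$_verdict" = "pass" ] && [ ! -s "$REPORT_JSON" ]; then
    _verdict="missing-report"     # exit 0 with no report is a broken gate, not a pass
  fi
  echo "$_verdict"
  [ "$_verdict" = "pass" ]
}

# Run as: sh gate.sh --run   (flags are the ones from the Quickstart)
if [ "${1:-}" = "--run" ]; then
  run_gate python -m oss_policy_kit evaluate --target . --profile github-level-1 --fail-on fail
  exit $?
fi
```

Route the "usage-error", "internal-error", "missing-report" and "unknown" verdicts to whoever owns the pipeline rather than to the change author, since in those cases no policy decision was made.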

Supply Chain Verification

PyPI publication uses Trusted Publishing and registry attestations. Release artifacts also use GitHub Artifact Attestations. Container images are built from the checked-out release source tree, signed with cosign keyless, and attested.

Verification commands and limits are in docs/supply-chain-verification.md.

Documentation Map

| Topic | Link |
| --- | --- |
| Documentation index | docs/README.md |
| Architecture | docs/architecture.md |
| CLI reference | docs/cli-reference.md |
| Results guide | docs/results-guide.md |
| Framework alignment | docs/framework-alignment.md |
| Positioning and limits | docs/positioning.md |
| EU CRA readiness | docs/cra-readiness.md |
| EU AI Act readiness | docs/eu-ai-act-readiness.md |
| MCP server security | docs/mcp-server-security.md |
| Release readiness | docs/release-readiness.md |
| Changelog | CHANGELOG.md |

Repository Layout

| Path | Purpose |
| --- | --- |
| src/oss_policy_kit/ | Python package, CLI, evaluators, parsers, reporting |
| src/oss_policy_kit/data/ | Bundled controls, profiles, and schemas |
| templates/ | Starter workflows, waivers, docs, and ruleset examples |
| examples/ | Hardened and vulnerable example repositories |
| tests/ | Unit, application, integration, infrastructure, and property tests |
| docs/ | User docs, architecture, mappings, ADRs, and release notes |

Contributing and Security

License

Apache-2.0. See LICENSE and NOTICE.

Source Distribution

oss_policy_kit-7.2.0.tar.gz (368.6 kB)

Built Distribution

oss_policy_kit-7.2.0-py3-none-any.whl (495.1 kB)

File details

Details for the file oss_policy_kit-7.2.0.tar.gz.

File metadata

  • Download URL: oss_policy_kit-7.2.0.tar.gz
  • Upload date:
  • Size: 368.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for oss_policy_kit-7.2.0.tar.gz
Algorithm Hash digest
SHA256 cfcd41d99e55bd075916f49dbfd8090fa99c28dc0c27ce8093d476dae01749de
MD5 7fd9e7f1c059d5cf30e5cc5f44ef937b
BLAKE2b-256 bb3896d4906657078937fa85e1ad80507b216c35c5c863e2a2bc13ab420d44c6

Provenance

The following attestation bundles were made for oss_policy_kit-7.2.0.tar.gz:

Publisher: publish-pypi.yml on lucashgrifoni/OSS-Security-Policy-as-Code-Starter-Kit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file oss_policy_kit-7.2.0-py3-none-any.whl.

File metadata

  • Download URL: oss_policy_kit-7.2.0-py3-none-any.whl
  • Upload date:
  • Size: 495.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for oss_policy_kit-7.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 2b6b31c187bf185fe3b5183efcbea6f760f23bc6286362636433ab593ede7f3b
MD5 52881552686dbdcf697a337563ee7226
BLAKE2b-256 0968f81b946de4932f6defc52e6e99b8b64ae9cd76d8cc7a12706487e35b9aa5

Provenance

The following attestation bundles were made for oss_policy_kit-7.2.0-py3-none-any.whl:

Publisher: publish-pypi.yml on lucashgrifoni/OSS-Security-Policy-as-Code-Starter-Kit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
