One-command CLI to guard any OSS project with OpenSSF security best practices — bootstrap, scan, and monitor.

Project description

OSSGuard

One CLI to guard any OSS project with OpenSSF security best practices — bootstrap, scan, and monitor.

Badges: CI, PyPI, Docker, License: Apache-2.0, Python 3.9+

OSSGuard implements OpenSSF best practices and is intended for future contribution to the OpenSSF community.


The Problem

The OpenSSF ecosystem has 30+ excellent tools, frameworks, and guides for securing open source software — Scorecard, Sigstore, SLSA, SBOM, CodeQL, Dependabot, and more.

But setting them all up manually takes hours. And once set up, there's no unified way to monitor dependency health, track compliance, or assess supply-chain risk.

OSSGuard solves this with 26 commands covering the full security lifecycle:

  1. Bootstrap — set up all OpenSSF security configurations in one command
  2. Analyze — audit security posture, dependencies, vulnerabilities, and compliance
  3. Remediate — auto-fix issues, generate reports, and enforce policies

Installation

PyPI (recommended)

pip install ossguard

# Or with pipx (isolated install)
pipx install ossguard

Standalone Binaries (no Python required)

Download pre-built binaries from GitHub Releases:

# macOS (Apple Silicon)
curl -L https://github.com/kirankotari/ossguard/releases/latest/download/ossguard-macos-arm64 -o ossguard
chmod +x ossguard && sudo mv ossguard /usr/local/bin/

# Linux (x86_64)
curl -L https://github.com/kirankotari/ossguard/releases/latest/download/ossguard-linux-amd64 -o ossguard
chmod +x ossguard && sudo mv ossguard /usr/local/bin/

Homebrew

brew install kirankotari/tap/ossguard

Docker

# Scan current directory
docker run --rm -v "$(pwd):/project" ghcr.io/kirankotari/ossguard scan

# Bootstrap OpenSSF configs
docker run --rm -v "$(pwd):/project" ghcr.io/kirankotari/ossguard init

# Any command works
docker run --rm -v "$(pwd):/project" ghcr.io/kirankotari/ossguard audit

Quick Start

# Bootstrap your project with all OpenSSF best practices
cd your-project
ossguard init

# Scan your project to see what's missing
ossguard scan

# Run a full security audit
ossguard audit

# Check OSPS Baseline compliance
ossguard baseline

Commands

Core

  • ossguard init: Bootstrap OpenSSF security configs (SECURITY.md, Scorecard, Dependabot, CodeQL, SBOM, Sigstore, branch protection)
  • ossguard scan: Read-only security posture scan
  • ossguard version: Show version

Dependency Analysis

  • ossguard deps: Dependency health analysis — vulns (OSV), outdated packages, risk scores (deps.dev)
  • ossguard drift: SBOM diff between releases — detect added, removed, and changed dependencies
  • ossguard watch: Continuous vulnerability monitoring from an SBOM (post-deployment watch)
  • ossguard tpn: Generate third-party notices from project dependencies
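
What the SBOM diff behind ossguard drift boils down to, as an added example that is not OSSGuard's own code: two constructed CycloneDX 1.5 documents are compared by package identity (the purl with its version stripped) to list added, removed and version-changed dependencies. Package names are real PyPI projects, but the versions are made up for the example.

```python
import json

# Constructed, minimal CycloneDX 1.5 SBOMs for two releases; the package names
# are real PyPI projects but the versions are made up for this example.
OLD_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "urllib3", "version": "1.26.18", "purl": "pkg:pypi/urllib3@1.26.18"},
    {"type": "library", "name": "six", "version": "1.16.0", "purl": "pkg:pypi/six@1.16.0"},
]})
NEW_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "requests", "version": "2.32.3", "purl": "pkg:pypi/requests@2.32.3"},
    {"type": "library", "name": "urllib3", "version": "1.26.18", "purl": "pkg:pypi/urllib3@1.26.18"},
    {"type": "library", "name": "certifi", "version": "2024.7.4", "purl": "pkg:pypi/certifi@2024.7.4"},
]})

def _index(sbom_json):
    """Map each component to its version, keyed by its purl with the version
    removed (e.g. pkg:pypi/requests) so the same package matches across releases."""
    idx = {}
    for c in json.loads(sbom_json).get("components", []):
        purl = c.get("purl")
        # The version follows the first '@'; the purl spec percent-encodes any
        # '@' inside a namespace, so splitting on the first one is safe.
        key = purl.split("@", 1)[0] if purl else f"pkg:{c.get('type', 'generic')}/{c['name']}"
        idx[key] = c.get("version", "")
    return idx

def sbom_drift(old_json, new_json):
    """Return added, removed and version-changed packages between two SBOMs."""
    old, new = _index(old_json), _index(new_json)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": {k: (old[k], new[k]) for k in sorted(old) if k in new and old[k] != new[k]},
    }
```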

Security Analysis

  • ossguard audit: Comprehensive security audit (scan + deps + reachability combined)
  • ossguard reach: Filter vulnerabilities by runtime reachability (static import analysis)
  • ossguard secrets: Scan for leaked credentials and secrets (24 detection rules)

Compliance & Frameworks

  • ossguard baseline: Check against OSPS Security Baseline (34 controls, Levels 1-3)
  • ossguard badge: Assess readiness for the OpenSSF Best Practices Badge
  • ossguard slsa: Assess SLSA Build Level (Levels 1-4, 12 requirements)
  • ossguard maturity: S2C2F supply chain maturity assessment (22 practices, Levels 1-4)
  • ossguard license: Dependency license compliance and conflict detection
  • ossguard policy: Org-wide security policy enforcement (JSON config)

Supply Chain

  • ossguard supply-chain: Malicious package detection + typosquatting analysis
  • ossguard pin: Pin GitHub Actions to commit SHAs (resolve tags to full SHAs)
  • ossguard update: Security-prioritized dependency update suggestions
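
The rewrite that ossguard pin describes, as an added example that is not OSSGuard's own code: mutable tag references in a workflow are replaced with full commit SHAs taken from a resolver mapping, the tag is kept as a trailing comment, already-pinned steps are left alone, and unresolvable refs are reported rather than skipped. The mapping, its SHAs and the example/unknown-action step are constructed placeholders, because the real tag-to-SHA lookup needs the GitHub API.

```python
import re

# Matches "uses: owner/repo[/subpath]@ref [trailing text]" in a workflow line.
USES_RE = re.compile(r"^(\s*-?\s*uses:\s*)([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s#]+)(.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed resolver output (tag -> full commit SHA). A real run would fetch
# these from the GitHub API; the SHAs here are placeholders, not real commits.
RESOLVED = {"actions/checkout@v4": "0" * 39 + "1", "actions/setup-python@v5": "0" * 39 + "2"}
PINNED_SHA = "0" * 39 + "3"  # placeholder for a step that is already pinned

# Constructed workflow: "example/unknown-action" is a made-up name the resolver
# has no entry for, and the cache step is already pinned to a full SHA.
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - uses: example/unknown-action@v1
      - uses: actions/cache@{PINNED_SHA}
"""

def pin_workflow(text, resolved):
    """Rewrite mutable tag refs to full SHAs, keeping the tag as a comment.
    Returns (pinned_text, unresolved); unresolvable refs are never silently skipped."""
    out, unresolved = [], []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            out.append(line)
            continue
        prefix, action, ref, rest = m.groups()
        if SHA_RE.match(ref):  # already pinned to a full commit SHA
            out.append(line)
            continue
        sha = resolved.get(f"{action}@{ref}")
        if sha is None:
            unresolved.append(f"{action}@{ref}")
            out.append(line)
            continue
        # Trailing "# v4" keeps the version readable and lets Dependabot bump it.
        out.append(f"{prefix}{action}@{sha}{rest.rstrip()}  # {ref}")
    return "\n".join(out) + "\n", unresolved
```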

Generation

  • ossguard insights: Generate or validate SECURITY-INSIGHTS.yml
  • ossguard sbom-gen: Generate local SBOM (SPDX 2.3 or CycloneDX 1.5)
  • ossguard ci: Generate unified CI security pipeline (GitHub Actions)
  • ossguard report: Export HTML or JSON compliance report
  • ossguard fuzz: Fuzzing readiness check + starter harness generation (7 languages)

Container & Comparison

  • ossguard container: Dockerfile security linting (12 rules)
  • ossguard compare: Side-by-side security posture comparison of two projects
  • ossguard fix: Auto-remediate common security issues

Auto-Detection

OSSGuard automatically detects:

  • Languages: Python, JavaScript/TypeScript, Go, Rust, Java, C/C++, Ruby, PHP, C#
  • Package Managers: npm, yarn, pnpm, pip, poetry, cargo, go modules, maven, gradle
  • Frameworks: React, Vue, Angular, Next.js, Django, Flask, FastAPI, Express
  • Existing Security Setup: Won't overwrite existing configurations

What ossguard init Generates

  • SECURITY.md: Vulnerability disclosure policy (OpenSSF reference: CVD Guide)
  • .github/workflows/scorecard.yml: Automated security scoring (OpenSSF reference: Scorecard)
  • .github/dependabot.yml: Dependency update automation (OpenSSF reference: Best Practices)
  • .github/workflows/codeql.yml: Code scanning for vulnerabilities (OpenSSF reference: Security Tooling WG)
  • .github/workflows/sbom.yml: Software Bill of Materials generation (OpenSSF reference: SBOM Everywhere)
  • .github/workflows/sigstore.yml: Cryptographic signing of releases (OpenSSF reference: Sigstore)
  • .github/BRANCH_PROTECTION.md: Branch protection setup guide (OpenSSF reference: SCM Best Practices)

How It Relates to OpenSSF

OSSGuard is not a replacement for any OpenSSF project. It's a unifier — it makes it trivially easy to adopt the best practices and tools that OpenSSF working groups have built:

  • Best Practices WG — SECURITY.md template, Best Practices Badge assessment
  • Security Tooling WG — CodeQL setup, SBOM generation, secret scanning
  • Supply Chain Integrity WG — Sigstore signing, SLSA assessment, S2C2F maturity
  • Vulnerability Disclosures WG — CVD-compliant SECURITY.md
  • Securing Software Repos WG — Dependabot, branch protection, GitHub Actions pinning
  • OSPS Baseline — Automated compliance checking across maturity levels

Development

# Clone and install
git clone https://github.com/kirankotari/ossguard.git
cd ossguard
pip install -e ".[dev]"

# Run tests
pytest

# Lint
ruff check src/ tests/

Contributing

Contributions are welcome! Please see CONTRIBUTING.md for guidelines.

License

Apache-2.0 — see LICENSE for details.


Download files

Source Distribution

ossguard-0.1.1.tar.gz (99.9 kB)

Uploaded: Source

Built Distribution

ossguard-0.1.1-py3-none-any.whl (104.0 kB)

Uploaded: Python 3

File details

Details for the file ossguard-0.1.1.tar.gz.

File metadata

  • Download URL: ossguard-0.1.1.tar.gz
  • Size: 99.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for ossguard-0.1.1.tar.gz
Algorithm Hash digest
SHA256 c670180e83547de346a797f38b0364781683f9d3e72005442247bd54d6899b21
MD5 09c2fb264994cfee6f38655a62424dce
BLAKE2b-256 153b529eac15c534b42677da23a52e9f60ba19a6d5785c5673a09ac8a3f58502

Provenance

The following attestation bundles were made for ossguard-0.1.1.tar.gz:

Publisher: release.yml on kirankotari/ossguard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ossguard-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: ossguard-0.1.1-py3-none-any.whl
  • Size: 104.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for ossguard-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 c96c16ed4bef69c1b4f281b02e6371af5f8d4bea1c01950e17a7b79205d1693c
MD5 6f2d5d4689c925772c78281574a2eb53
BLAKE2b-256 06b8890ee04b421814a2d5e131bd1bfed093cfca51d39754f28dee3d92617f0a

Provenance

The following attestation bundles were made for ossguard-0.1.1-py3-none-any.whl:

Publisher: release.yml on kirankotari/ossguard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
