This specification provides a mechanism for projects to report information about their security in a machine-processable way. It is formatted as a YAML file to make it easy to read and edit by humans.
Values that are included within the specification may be required or optional. Optional values are recommendations from the Open Source Security Foundation's Identifying Security Threats Working Group, but may not be prudent for all use cases.
Example implementations can be found on the specification's GitHub repository.
A collection of unofficial supplemental tooling can be found in the "SI Tooling" GitHub Repository.
Maintenance for the specification is led by the OpenSSF Metrics & Metadata working group, and improvements are handled exclusively within the project's GitHub repository. Additional information about contribution can be found within the project's Contribution Policy.
Improvement suggestions and clarification requests can be logged as GitHub Issues, raised as discussion on Slack, or discussed with the community in the appropriate Working Group meeting from the OpenSSF Community Calendar.
This specification follows semantic versioning. Changes made to the schema on GitHub are considered to be draft changes until a formal release has been made in accordance with the project's versioning policy.
Any security-related issues related to the specification or maintenance thereof should follow the recommendations outlined in the project's security policy.
This specification is subject to the Community Specification License 1.0 available at https://github.com/CommunitySpecification/1.0.
| Section | Required or Optional |
|---|---|
| Header | Required |
| Contribution Policy | Required |
| Dependencies | Optional |
| Distribution Points | Required |
| Documentation | Optional |
| Project Lifecycle | Required |
| Security Artifacts | Optional |
| Security Assessments | Optional |
| Security Contacts | Required |
| Security Testing | Optional |
| Vulnerability Reporting | Required |
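As an added example (not code from the specification or its repository), a dependency-free check that reads a project's Security Insights YAML file and reports which of the table's required sections are missing, which optional ones are absent, and which top-level keys the table does not list. The top-level key names are assumed from the v1 schema and should be confirmed against the repository's JSON schema; the sample file is constructed.

```python
import re

# Top-level key assumed for each section in the table above; True = required.
# Assumption: key names follow the v1 schema; confirm them against the JSON
# schema published in the specification's GitHub repository.
SECTIONS = {
    "header": True, "contribution-policy": True, "dependencies": False,
    "distribution-points": True, "documentation": False,
    "project-lifecycle": True, "security-artifacts": False,
    "security-assessments": False, "security-contacts": True,
    "security-testing": False, "vulnerability-reporting": True,
}

TOP_LEVEL_KEY = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*)\s*:")

def top_level_keys(yaml_text):
    """Top-level mapping keys of a YAML document, without a YAML library:
    only column-0 `key:` lines count; nested keys, comments and `---` are skipped."""
    keys = []
    for line in yaml_text.splitlines():
        if line.startswith((" ", "\t", "#", "---")):
            continue
        m = TOP_LEVEL_KEY.match(line)
        if m:
            keys.append(m.group(1))
    return keys

def check_sections(yaml_text):
    """Compare the file's top-level keys with the Required/Optional table."""
    present = set(top_level_keys(yaml_text))
    return {
        "missing_required": sorted(k for k, r in SECTIONS.items() if r and k not in present),
        "absent_optional": sorted(k for k, r in SECTIONS.items() if not r and k not in present),
        "unknown": sorted(present - SECTIONS.keys()),
    }

# Constructed sample: omits two required sections (distribution-points,
# vulnerability-reporting) and carries one key the table does not list.
SAMPLE = """\
header:
  schema-version: 1.0.0
project-lifecycle:
  status: active
contribution-policy:
  accepts-pull-requests: true
security-contacts:
  - type: email
    value: security@example.invalid
release-notes: https://example.invalid/changelog
"""
```

Running `check_sections(SAMPLE)` flags `distribution-points` and `vulnerability-reporting` as missing required sections and `release-notes` as an unknown key; a file that passes this check still needs validation against the full schema, since only the presence of top-level keys is inspected.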