
Minder: Policy-Based Control of Software Security | OpenSSF Project Spotlight
Minder, an OpenSSF initiative, provides continuous policy enforcement for software supply chains, monitoring repositories, releases and pull requests to maintain security compliance with minimal friction. The service defines policies, uses webhooks to detect drift, and automatically remediates violations via patches, comments or API calls, emphasizing live fixing over mere detection. Examples include auto‑restoring branch‑protection rules and generating pull requests to enable Dependabot or install SCA tools like CodeQL, ensuring consistent tool usage across an organization. By automating remediation, Minder reduces manual oversight, accelerates compliance, and can be self‑hosted via Helm or accessed as a free managed service, strengthening supply‑chain resilience for both enterprises and open‑source projects.

Gemara: GRC Engineering Model for Automated Risk Assessment | OpenSSF Project Spotlight
Gemara, the GRC Engineering Model for Automated Risk Assessment, is an OpenSSF‑hosted open‑source project that defines a multi‑layer logical model for integrating governance, risk, and compliance (GRC) directly into software engineering pipelines. Its purpose is to replace fragmented, tool‑specific data...

Best Practices Badge for Free/Libre and Open Source Software | OpenSSF Project Spotlight
David Wheeler, director of open‑source supply‑chain security at the OpenSSF, introduced the OpenSSF Best Practices Badge – a three‑tier (passing, silver, gold) certification that evaluates open‑source projects against a curated set of security‑focused criteria drawn from well‑run repositories. The badge...

Minder: Policy-Based Control of Software Security | OpenSSF Project Spotlight
OpenSSF’s sandbox project Minder provides policy‑based security automation across the software development lifecycle. It lets open‑source communities, enterprises, and individual developers define policies that continuously monitor repositories, dependencies, CI/CD pipelines, and container builds. By integrating with OSV and other vulnerability...