OpenSSF Baseline Alignment in Open Source Repos: Autom... Will Sergeant, Kiran Chana & Kavoi Mutisya

OpenSSF
May 30, 2026

Why It Matters

The study indicates that many critical open-source projects meet basic hygiene expectations, but it exposes gaps in vulnerability disclosure and access controls that increase supply-chain risk; the open, automated measurement approach gives organizations a practical way to audit and prioritize security improvements.

Summary

Researchers from Harvard developed a mixed-methods approach, combining an open-source Python tool with maintainer questionnaires, to measure OpenSSF Baseline maturity level 1 alignment across 21 Linux Foundation repositories mirrored on GitHub. Automated, unauthenticated scans and follow-up surveys found high overall compliance with level-1 controls, particularly in the legal, documentation and quality-assurance categories. The weakest areas were access control and vulnerability-management practices, though limited maintainer responses and some tooling blind spots (e.g., a license file stored somewhere other than the repository root) constrained visibility. The project produced a reproducible methodology and an open tool for scalable baseline assessment of open-source projects.
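As an added illustration (not the BaseJump tool and not any OpenSSF code), the following Python sketch performs the kind of unauthenticated file-listing check the summary describes over a constructed repository listing, reproducing the root-only license blind spot and recording the access-control controls such a scan cannot see. The control names and categories are assumptions drawn from the summary, not the Baseline's own identifiers.

```python
import posixpath
from dataclasses import dataclass

# Constructed sample listing of a hypothetical repository (not a real project).
SAMPLE_REPO = [
    "README.md",
    "CONTRIBUTING.md",
    "docs/LICENSE",            # license present, but not at the repository root
    ".github/SECURITY.md",     # security policy kept under .github/
    ".github/workflows/ci.yml",
    "src/main.py",
]

LICENSE_NAMES = {"LICENSE", "LICENSE.MD", "LICENSE.TXT", "COPYING"}

@dataclass
class Finding:
    category: str   # assumed category names, taken from the summary above
    control: str    # assumed control names, not Baseline identifiers
    status: str     # "pass", "fail" or "unassessable"
    evidence: str

def _first(paths, pred):
    """Return the first path satisfying `pred`, or None."""
    return next((p for p in paths if pred(p)), None)

def assess(paths, root_only_license=True):
    """Run level-1-style file checks; root_only_license=True is the blind spot."""
    def named(names, dirs=("",)):   # dirs=None means "anywhere in the tree"
        return lambda p: posixpath.basename(p).upper() in names and (
            dirs is None or posixpath.dirname(p) in dirs)
    checks = [
        ("legal", "license file", named(LICENSE_NAMES, ("",) if root_only_license else None)),
        ("documentation", "README", named({"README", "README.MD", "README.RST"})),
        ("documentation", "contribution guide", named({"CONTRIBUTING", "CONTRIBUTING.MD"}, ("", ".github"))),
        ("vulnerability management", "security policy", named({"SECURITY.MD"}, ("", ".github", "docs"))),
        ("quality assurance", "CI workflow",
         lambda p: p.startswith(".github/workflows/") and p.endswith((".yml", ".yaml"))),
    ]
    findings = []
    for category, control, pred in checks:
        hit = _first(paths, pred)
        findings.append(Finding(category, control, "pass" if hit else "fail", hit or "no matching file"))
    # Branch protection lives in repository/organization settings, which an
    # unauthenticated listing cannot show: record the visibility gap, not a fail.
    findings.append(Finding("access control", "branch protection", "unassessable",
                            "repo settings; needs authenticated API or maintainer survey"))
    return findings

def summarize(findings):
    """Per-status counts, the shape of the aggregate results the study reports."""
    return {s: sum(f.status == s for f in findings) for s in ("pass", "fail", "unassessable")}
```

Running `assess(SAMPLE_REPO)` reports the license as missing even though `docs/LICENSE` exists; `assess(SAMPLE_REPO, root_only_license=False)` finds it.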

Original Description

OpenSSF Baseline Alignment in Open Source Repos: Automation, Surveys, and the Visibility Gap - Will Sergeant, Kiran Chana & Kavoi Mutisya, Harvard
Project BaseJump is the result of months of Capstone Project effort from a team of three Cybersecurity Master's degree candidates at Harvard Extension School.
The project sought to develop a repeatable methodology for assessing Open Source Software repository alignment with the OpenSSF Baseline.
In this presentation we will go over our findings from the project. In addition, we have developed an application which seeks to automate much of the assessment process. This will be available on the OpenSSF GitHub.
