OpenSSF

The Open Source Security Foundation (OpenSSF) is a collaborative initiative under the Linux Foundation dedicated to improving the security of open source software. It brings together industry leaders, developers, and security experts to address vulnerabilities, enhance supply chain security, and develop security tools and best practices. OpenSSF stewards a number of projects with public REST APIs, including the OSV (Open Source Vulnerabilities) database, the Scorecard automated security health-check service, and Sigstore signing infrastructure.

4 APIs 0 Features
Linux Foundation, Open Source, Security, Supply Chain, Vulnerabilities

APIs

OSV (Open Source Vulnerabilities) API

OSV is an OpenSSF-hosted distributed vulnerability database and query infrastructure. The OSV API at api.osv.dev exposes vulnerability records keyed to specific package versions...

OpenSSF Scorecard API

The OpenSSF Scorecard API returns automated security health metrics for public open source repositories. Scorecard runs a series of checks (e.g., Branch-Protection, Code-Review,...

Sigstore Public Good APIs

Sigstore is an OpenSSF-hosted standard and service for signing, verifying, and protecting software. The public-good Sigstore instance exposes Fulcio (code-signing certificate au...

GUAC (Graph for Understanding Artifact Composition)

GUAC aggregates software supply-chain security metadata (SBOMs, attestations, vulnerabilities, signatures) into a queryable graph. GUAC exposes a GraphQL API for supply-chain qu...

Semantic Vocabularies

Openssf Context

7 classes · 0 properties

JSON-LD

Resources

Website
Documentation
Portal
Blog
GitHubOrganization
GitHubRepository
GitHubRepository
GitHubOrganization
License
Community
Slack

Sources

aid: openssf
name: OpenSSF
description: >-
  The Open Source Security Foundation (OpenSSF) is a collaborative initiative
  under the Linux Foundation dedicated to improving the security of open
  source software. It brings together industry leaders, developers, and
  security experts to address vulnerabilities, enhance supply chain
  security, and develop security tools and best practices. OpenSSF stewards
  a number of projects with public REST APIs, including the OSV (Open
  Source Vulnerabilities) database, the Scorecard automated security
  health-check service, and Sigstore signing infrastructure.
type: Index
position: Consumer
access: 3rd-Party
image: https://kinlane-productions2.s3.amazonaws.com/apis-json/apis-json-logo.jpg
tags:
  - Linux Foundation
  - Open Source
  - Security
  - Supply Chain
  - Vulnerabilities
created: '2026-03-16'
modified: '2026-04-28'
url: >-
  https://raw.githubusercontent.com/api-evangelist/openssf/refs/heads/main/apis.yml
specificationVersion: '0.19'
apis:
  - aid: openssf:osv-api
    name: OSV (Open Source Vulnerabilities) API
    description: >-
      OSV is an OpenSSF-hosted distributed vulnerability database and
      query infrastructure. The OSV API at api.osv.dev exposes
      vulnerability records keyed to specific package versions or commits
      across multiple ecosystems including npm, PyPI, Maven, Go, NuGet,
      RubyGems, Cargo, Packagist, Hex, OSS-Fuzz, Linux, Android, and
      GitHub Actions.
    humanURL: https://osv.dev/
    baseURL: https://api.osv.dev
    tags:
      - Vulnerabilities
      - Supply Chain
      - Database
      - Open Source
    properties:
      - type: Documentation
        url: https://google.github.io/osv.dev/api/
      - type: Documentation
        url: https://osv.dev/
      - type: GitHubRepository
        url: https://github.com/google/osv.dev
      - type: GitHubRepository
        url: https://github.com/ossf/osv-schema
      - type: OpenAPI
        url: https://raw.githubusercontent.com/api-evangelist/openssf/refs/heads/main/openapi/openssf-osv-openapi.yml
      - type: JSONSchema
        url: https://raw.githubusercontent.com/api-evangelist/openssf/refs/heads/main/json-schema/openssf-osv-vulnerability-schema.json
      - type: JSONLDContext
        url: https://raw.githubusercontent.com/api-evangelist/openssf/refs/heads/main/json-ld/openssf-context.jsonld
  - aid: openssf:scorecard-api
    name: OpenSSF Scorecard API
    description: >-
      The OpenSSF Scorecard API returns automated security health metrics
      for public open source repositories. Scorecard runs a series of
      checks (e.g., Branch-Protection, Code-Review, Pinned-Dependencies,
      Signed-Releases, Token-Permissions, Vulnerabilities) and exposes
      per-check scores plus an aggregate 0-10 score via api.securityscorecards.dev.
    humanURL: https://scorecard.dev/
    baseURL: https://api.securityscorecards.dev
    tags:
      - Security Health
      - Repositories
      - Supply Chain
    properties:
      - type: Documentation
        url: https://github.com/ossf/scorecard
      - type: Documentation
        url: https://scorecard.dev/
      - type: OpenAPI
        url: https://raw.githubusercontent.com/api-evangelist/openssf/refs/heads/main/openapi/openssf-scorecard-openapi.yml
      - type: JSONLDContext
        url: https://raw.githubusercontent.com/api-evangelist/openssf/refs/heads/main/json-ld/openssf-context.jsonld
  - aid: openssf:sigstore-api
    name: Sigstore Public Good APIs
    description: >-
      Sigstore is an OpenSSF-hosted standard and service for signing,
      verifying, and protecting software. The public-good Sigstore
      instance exposes Fulcio (code-signing certificate authority) and
      Rekor (transparency log) APIs that can be queried programmatically
      to inspect signing certificates and transparency log entries.
    humanURL: https://www.sigstore.dev/
    baseURL: https://rekor.sigstore.dev
    tags:
      - Signing
      - Transparency Log
      - Supply Chain
    properties:
      - type: Documentation
        url: https://docs.sigstore.dev/
      - type: Documentation
        url: https://docs.sigstore.dev/logging/overview/
      - type: GitHubOrganization
        url: https://github.com/sigstore
  - aid: openssf:guac-api
    name: GUAC (Graph for Understanding Artifact Composition)
    description: >-
      GUAC aggregates software supply-chain security metadata (SBOMs,
      attestations, vulnerabilities, signatures) into a queryable graph.
      GUAC exposes a GraphQL API for supply-chain queries when self-hosted.
    humanURL: https://guac.sh/
    baseURL: https://guac.sh
    tags:
      - SBOM
      - Supply Chain
      - GraphQL
    properties:
      - type: Documentation
        url: https://docs.guac.sh/
      - type: GitHubRepository
        url: https://github.com/guacsec/guac
common:
  - type: Website
    name: OpenSSF
    url: https://openssf.org/
  - type: Documentation
    name: OpenSSF Documentation
    url: https://openssf.org/resources/
  - type: Portal
    name: Projects Directory
    url: https://openssf.org/projects/
  - type: Blog
    name: OpenSSF Blog
    url: https://openssf.org/blog/
  - type: GitHubOrganization
    name: OpenSSF GitHub
    url: https://github.com/ossf
  - type: GitHubRepository
    name: OSV Schema
    url: https://github.com/ossf/osv-schema
  - type: GitHubRepository
    name: Scorecard
    url: https://github.com/ossf/scorecard
  - type: GitHubOrganization
    name: Sigstore GitHub
    url: https://github.com/sigstore
  - type: License
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0
  - type: Community
    name: OpenSSF Community
    url: https://openssf.org/community/
  - type: Slack
    name: OpenSSF Slack
    url: https://slack.openssf.org/
maintainers:
  - FN: Kin Lane
    email: [email protected]