OpenSSF Released Security Baseline for Linux Projects


The Open Source Security Foundation (OpenSSF) has launched the Open Source Project Security Baseline (OSPS Baseline), a tiered framework designed to standardize security practices for Linux and other open-source projects. 

This initiative, aligned with global cybersecurity regulations like the EU Cyber Resilience Act (CRA) and NIST Secure Software Development Framework (SSDF), provides actionable controls to mitigate risks in software supply chains.

The OSPS Baseline categorizes requirements into three maturity levels: Level 1 for nascent projects, Level 2 for established codebases with multiple maintainers, and Level 3 for widely adopted projects. 

Each tier introduces granular controls across five domains: Access Control, Build & Release, Documentation, Quality, and Legal.

Key technical mandates include:

  • Enforcing multi-factor authentication (MFA) for repository collaborators handling sensitive data.
  • Requiring unique version identifiers (e.g., SemVer, CalVer) for releases to track security patches.
  • Maintaining immutable, publicly auditable version control logs detailing changes and contributors.
  • Configuring CI/CD pipelines with least-privilege access to prevent privilege escalation via untrusted inputs.

“By establishing a tiered framework that evolves with project maturity, OSPS Baseline empowers maintainers and contributors to adopt security best practices that are scalable and sustainable,” said Christopher Robinson, OpenSSF Chief Security Architect.

Adoption by Major Linux Ecosystem Projects

Early adopters include dependency management tools like GUAC and bomctl, which implemented OSPS-VM-04.01’s vulnerability reporting workflows. 

OpenTelemetry adopted OSPS-BR-05.01’s build pipeline hardening, while OpenVEX integrated automated SBOM generation per OSPS-QA-02.01.

“We’ve gotten helpful feedback from projects involved in the pilot rollout, including adoption commitments from GUAC, OpenVEX, bomctl, and Open Telemetry,” said Stacey Potter, Independent Open Source Community Manager, after helping lead the OSPS Baseline pilot efforts.

“Our goal is to take the guesswork out of it and help maintainers feel confident about where they stand, without adding extra stress.”

“The OSPS Baseline release is an important step toward efficiently addressing the security and resilience of open source projects,” said Eddie Knight, Open Source Program Office Lead at Sonatype and OSPS Baseline Project Lead.

“Open source stewards, manufacturers who rely on open source, and end users will all benefit long-term as this community-defined criteria shines light on project security best practices.”

Notably, Cloud Native Computing Foundation (CNCF) plans to integrate OSPS checks into its SLSA-based audit tools.

Developers can access the OSPS Baseline specification at baseline.openssf.org and contribute via the #sig-security-baseline OpenSSF Slack channel. 

Upcoming enhancements include Ansible playbooks for automated implementation and SPDX 3.0 profile alignment.
