OpenSSF

The Open Source Security Foundation (OpenSSF) is a collaborative initiative under the Linux Foundation dedicated to improving the security of open source software. It brings together industry leaders, developers, and security experts to address vulnerabilities, enhance supply chain security, and develop security tools and best practices. OpenSSF stewards a number of projects with public REST APIs, including the OSV (Open Source Vulnerabilities) database, the Scorecard automated security health-check service, and Sigstore signing infrastructure.

4 APIs · 0 Features
Tags: Linux Foundation, Open Source, Security, Supply Chain, Vulnerabilities

APIs

OSV (Open Source Vulnerabilities) API

OSV is an OpenSSF-hosted distributed vulnerability database and query infrastructure. The OSV API at api.osv.dev exposes vulnerability records keyed to specific package versions...

OpenSSF Scorecard API

The OpenSSF Scorecard API returns automated security health metrics for public open source repositories. Scorecard runs a series of checks (e.g., Branch-Protection, Code-Review,...

Sigstore Public Good APIs

Sigstore is an OpenSSF-hosted standard and service for signing, verifying, and protecting software. The public-good Sigstore instance exposes Fulcio (code-signing certificate au...

GUAC (Graph for Understanding Artifact Composition)

GUAC aggregates software supply-chain security metadata (SBOMs, attestations, vulnerabilities, signatures) into a queryable graph. GUAC exposes a GraphQL API for supply-chain qu...

Semantic Vocabularies

OpenSSF Context

7 classes · 0 properties

JSON-LD

Resources

LinkedIn
Website
Documentation
Portal
Blog
GitHubOrganization
GitHubRepository
GitHubRepository
GitHubOrganization
License
Community
Slack

Sources

aid: openssf
name: OpenSSF
description: >-
  The Open Source Security Foundation (OpenSSF) is a collaborative initiative under the Linux Foundation dedicated to
  improving the security of open source software. It brings together industry leaders, developers, and security experts
  to address vulnerabilities, enhance supply chain security, and develop security tools and best practices. OpenSSF
  stewards a number of projects with public REST APIs, including the OSV (Open Source Vulnerabilities) database, the
  Scorecard automated security health-check service, and Sigstore signing infrastructure.
type: Index
position: Consumer
access: 3rd-Party
image: https://kinlane-images.s3.amazonaws.com/shared/apis-json/apis-json-logo.jpg
tags:
- Linux Foundation
- Open Source
- Security
- Supply Chain
- Vulnerabilities
created: '2026-03-16'
modified: '2026-05-19'
url: https://raw.githubusercontent.com/api-evangelist/openssf/refs/heads/main/apis.yml
specificationVersion: '0.19'
apis:
- aid: openssf:osv-api
  name: OSV (Open Source Vulnerabilities) API
  description: >-
    OSV is an OpenSSF-hosted distributed vulnerability database and query infrastructure. The OSV API at api.osv.dev
    exposes vulnerability records keyed to specific package versions or commits across multiple ecosystems including
    npm, PyPI, Maven, Go, NuGet, RubyGems, Cargo, Packagist, Hex, OSS-Fuzz, Linux, Android, and GitHub Actions.
  humanURL: https://osv.dev/
  baseURL: https://api.osv.dev
  tags:
  - Vulnerabilities
  - Supply Chain
  - Database
  - Open Source
  properties:
  - type: Documentation
    url: https://google.github.io/osv.dev/api/
  - type: Documentation
    url: https://osv.dev/
  - type: GitHubRepository
    url: https://github.com/google/osv.dev
  - type: GitHubRepository
    url: https://github.com/ossf/osv-schema
  - type: OpenAPI
    url: https://raw.githubusercontent.com/api-evangelist/openssf/refs/heads/main/openapi/openssf-osv-openapi.yml
  - type: JSONSchema
    url: >-
      https://raw.githubusercontent.com/api-evangelist/openssf/refs/heads/main/json-schema/openssf-osv-vulnerability-schema.json
  - type: JSONLDContext
    url: https://raw.githubusercontent.com/api-evangelist/openssf/refs/heads/main/json-ld/openssf-context.jsonld
- aid: openssf:scorecard-api
  name: OpenSSF Scorecard API
  description: >-
    The OpenSSF Scorecard API returns automated security health metrics for public open source repositories. Scorecard
    runs a series of checks (e.g., Branch-Protection, Code-Review, Pinned-Dependencies, Signed-Releases,
    Token-Permissions, Vulnerabilities) and exposes per-check scores plus an aggregate 0-10 score via
    api.securityscorecards.dev.
  humanURL: https://scorecard.dev/
  baseURL: https://api.securityscorecards.dev
  tags:
  - Security Health
  - Repositories
  - Supply Chain
  properties:
  - type: Documentation
    url: https://github.com/ossf/scorecard
  - type: Documentation
    url: https://scorecard.dev/
  - type: OpenAPI
    url: https://raw.githubusercontent.com/api-evangelist/openssf/refs/heads/main/openapi/openssf-scorecard-openapi.yml
  - type: JSONLDContext
    url: https://raw.githubusercontent.com/api-evangelist/openssf/refs/heads/main/json-ld/openssf-context.jsonld
- aid: openssf:sigstore-api
  name: Sigstore Public Good APIs
  description: >-
    Sigstore is an OpenSSF-hosted standard and service for signing, verifying, and protecting software. The
    public-good Sigstore instance exposes Fulcio (code-signing certificate authority) and Rekor (transparency log)
    APIs that can be queried programmatically to inspect signing certificates and transparency log entries.
  humanURL: https://www.sigstore.dev/
  baseURL: https://rekor.sigstore.dev
  tags:
  - Signing
  - Transparency Log
  - Supply Chain
  properties:
  - type: Documentation
    url: https://docs.sigstore.dev/
  - type: Documentation
    url: https://docs.sigstore.dev/logging/overview/
  - type: GitHubOrganization
    url: https://github.com/sigstore
- aid: openssf:guac-api
  name: GUAC (Graph for Understanding Artifact Composition)
  description: >-
    GUAC aggregates software supply-chain security metadata (SBOMs, attestations, vulnerabilities, signatures) into a
    queryable graph. GUAC exposes a GraphQL API for supply-chain queries when self-hosted.
  humanURL: https://guac.sh/
  baseURL: https://guac.sh
  tags:
  - SBOM
  - Supply Chain
  - GraphQL
  properties:
  - type: Documentation
    url: https://docs.guac.sh/
  - type: GitHubRepository
    url: https://github.com/guacsec/guac
  - url: graphql/openssf-graphql.md
    type: GraphQL
common:
- type: LinkedIn
  url: https://www.linkedin.com/company/openssf
- type: Website
  name: OpenSSF
  url: https://openssf.org/
- type: Documentation
  name: OpenSSF Documentation
  url: https://openssf.org/resources/
- type: Portal
  name: Projects Directory
  url: https://openssf.org/projects/
- type: Blog
  name: OpenSSF Blog
  url: https://openssf.org/blog/
- type: GitHubOrganization
  name: OpenSSF GitHub
  url: https://github.com/ossf
- type: GitHubRepository
  name: OSV Schema
  url: https://github.com/ossf/osv-schema
- type: GitHubRepository
  name: Scorecard
  url: https://github.com/ossf/scorecard
- type: GitHubOrganization
  name: Sigstore GitHub
  url: https://github.com/sigstore
- type: License
  name: Apache 2.0
  url: https://www.apache.org/licenses/LICENSE-2.0
- type: Community
  name: OpenSSF Community
  url: https://openssf.org/community/
- type: Slack
  name: OpenSSF Slack
  url: https://slack.openssf.org/
maintainers:
- FN: Kin Lane
  email: kin@apievangelist.com