The Open Source Security Foundation (OpenSSF) is a collaborative initiative under the Linux Foundation dedicated to improving the security of open source software. It brings together industry leaders, developers, and security experts to address vulnerabilities, enhance supply chain security, and develop security tools and best practices. OpenSSF stewards a number of projects with public REST APIs, including the OSV (Open Source Vulnerabilities) database, the Scorecard automated security health-check service, and Sigstore signing infrastructure.
- Type: Index
- Position: Consumer
- Access: 3rd-Party
- Linux Foundation, Open Source, Security, Supply Chain, Vulnerabilities
- Created: 2026-03-16
- Modified: 2026-04-28
OSV is an OpenSSF-hosted distributed vulnerability database and query infrastructure. The OSV API at api.osv.dev exposes vulnerability records keyed to specific package versions or commits across multiple ecosystems including npm, PyPI, Maven, Go, NuGet, RubyGems, Cargo, Packagist, Hex, OSS-Fuzz, Linux, Android, and GitHub Actions.
Human URL: https://osv.dev/
Base URL: https://api.osv.dev
- Vulnerabilities, Supply Chain, Database, Open Source
The OpenSSF Scorecard API returns automated security health metrics for public open source repositories. Scorecard runs a series of checks (e.g., Branch-Protection, Code-Review, Pinned-Dependencies, Signed-Releases, Token-Permissions, Vulnerabilities) and exposes per-check scores plus an aggregate 0-10 score via api.securityscorecards.dev.
Human URL: https://scorecard.dev/
Base URL: https://api.securityscorecards.dev
- Security Health, Repositories, Supply Chain
Sigstore is an OpenSSF-hosted standard and service for signing, verifying, and protecting software. The public-good Sigstore instance exposes Fulcio (code-signing certificate authority) and Rekor (transparency log) APIs that can be queried programmatically to inspect signing certificates and transparency log entries.
Human URL: https://www.sigstore.dev/
Base URL: https://rekor.sigstore.dev
- Signing, Transparency Log, Supply Chain
GUAC aggregates software supply-chain security metadata (SBOMs, attestations, vulnerabilities, signatures) into a queryable graph. GUAC exposes a GraphQL API for supply-chain queries when self-hosted.
Human URL: https://guac.sh/
- SBOM, Supply Chain, GraphQL
- Website
- Documentation
- Projects Portal
- Blog
- GitHub Organization
- OSV Schema Repo
- Scorecard Repo
- Sigstore GitHub
- License - Apache 2.0
- Community
- Slack
FN: Kin Lane
Email: kin@apievangelist.com