
A comprehensive Claude Code/Copilot skill that helps developers build secure applications following [OpenSSF (Open Source Security Foundation)](https://openssf.org/) best practices.


OpenSSF Security Instructions for AI Coding Assistants

A comprehensive set of security instructions and resources that help developers build secure applications following OpenSSF (Open Source Security Foundation) best practices.

Supports both Claude Code and GitHub Copilot.

Features

  • Threat Modeling: STRIDE methodology guide with templates
  • Security Policies: SECURITY.md and vulnerability disclosure templates
  • OpenSSF Scorecard: All 19 checks explained with remediation steps
  • OSPS Baseline: Level 1 compliance checklist
  • SBOM Generation: Tools for 12+ languages/ecosystems
  • SLSA Provenance: GitHub Actions workflows for Level 3
  • Dependency Security: Scanning tools and vulnerability response
  • Security Code Review: OWASP Top 10 focused review guide
  • Secrets Scanning: Gitleaks, TruffleHog, detect-secrets, and pre-commit hooks
  • Artifact Signing: Sigstore/Cosign keyless signing with Fulcio and Rekor
  • Container Security: Dockerfile hardening, Trivy/Grype scanning, distroless images
  • OpenSSF Best Practices Badge: Self-certification guide for Passing/Silver/Gold levels
  • GitLab CI Support: Security workflow templates for GitLab CI/CD pipelines
  • Multi-Language Copilot Instructions: Secure coding patterns for 8+ languages

Installation

For GitHub Copilot

Copy the Copilot instructions file to your repository:

# Create .github directory if it doesn't exist
mkdir -p .github

# Download the instructions file
curl -o .github/copilot-instructions.md \
  https://raw.githubusercontent.com/ryanwaite/openssf-skill/main/.github/copilot-instructions.md

Then enable custom instructions in VS Code:

  1. Open Settings (Cmd+, or Ctrl+,)
  2. Search for "Copilot instruction"
  3. Enable github.copilot.chat.codeGeneration.useInstructionFiles

Copilot will now apply OpenSSF security best practices to all code suggestions in that repository.

For Claude Code

Option 1: Clone to Global Skills (Recommended)

# Clone directly to your global skills directory
git clone https://github.com/ryanwaite/openssf-skill.git ~/.claude/skills/openssf

Option 2: Project-Specific Installation

# Clone into your project's .claude/skills directory
mkdir -p .claude/skills
git clone https://github.com/ryanwaite/openssf-skill.git .claude/skills/openssf

Then invoke the skill in any project with /openssf.


Usage

The simplest way to get started is:

  1. Start GitHub Copilot or Claude Code
  2. cd to the root of an open source project
  3. Run /openssf what can you do for me?

Additional options are below.

Additional options

Invoke the skill with /openssf, then:

  • "Help me create a threat model for my authentication system"
  • "Generate a SECURITY.md for this project"
  • "What OpenSSF Scorecard checks am I failing?"
  • "Set up SBOM generation for my releases"
  • "Review this code for security issues"

The skill will:

  1. Assess your project's current security posture
  2. Detect languages and existing security artifacts
  3. Recommend prioritized security improvements
  4. Guide you through creating security artifacts
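To make the assessment step concrete, here is an illustrative posture check added to this README. It is not the skill's own scripts/assess-project.py; the artifact locations, the manifest-to-language mapping and the priority order it uses are assumptions chosen to mirror the topics listed on this page. It walks a checkout, detects ecosystems from manifest files, checks which security artifacts already exist and returns the missing ones in a recommended order.

```python
"""Illustrative security-posture assessment (added example, not the skill's
scripts/assess-project.py). Artifact paths, manifest mapping and priority
order are assumptions, not the skill's actual rules."""
import os
from typing import Dict, Iterable, List, Set

# Where the security artifacts discussed on this page are usually found
# (assumed relative paths; each tuple lists accepted alternatives).
SECURITY_ARTIFACTS: Dict[str, tuple] = {
    "security-policy": ("SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md"),
    "dependency-review-workflow": (".github/workflows/dependency-review.yml",),
    "dependabot-config": (".github/dependabot.yml",),
    "scorecard-workflow": (".github/workflows/scorecard.yml",),
    "secrets-scanning-hooks": (".pre-commit-config.yaml", ".gitleaks.toml"),
    "sbom-workflow": (".github/workflows/sbom-generation.yml",),
    "slsa-provenance-workflow": (".github/workflows/slsa-provenance.yml",),
    "threat-model": ("THREAT_MODEL.md", "docs/threat-model.md"),
}

# Recommendation order, cheapest and most broadly useful first
# (an assumption, not the skill's real prioritisation).
PRIORITY: List[str] = list(SECURITY_ARTIFACTS)

# Manifest files that identify an ecosystem (assumed mapping).
LANGUAGE_MANIFESTS: Dict[str, str] = {
    "package.json": "javascript",
    "pyproject.toml": "python",
    "requirements.txt": "python",
    "go.mod": "go",
    "Cargo.toml": "rust",
    "pom.xml": "java",
    "build.gradle": "java",
    "Gemfile": "ruby",
    "Dockerfile": "container",
}


def normalise(paths: Iterable[str]) -> Set[str]:
    """Use forward slashes so matching behaves the same on every OS."""
    return {p.replace(os.sep, "/") for p in paths}


def detect_languages(paths: Iterable[str]) -> Set[str]:
    """Ecosystems whose manifest files appear anywhere in the tree."""
    names = (os.path.basename(p) for p in normalise(paths))
    return {LANGUAGE_MANIFESTS[n] for n in names if n in LANGUAGE_MANIFESTS}


def assess_artifacts(paths: Iterable[str]) -> Dict[str, bool]:
    """Map each artifact name to whether one of its accepted paths exists."""
    present = normalise(paths)
    return {name: any(c in present for c in candidates)
            for name, candidates in SECURITY_ARTIFACTS.items()}


def recommend(report: Dict[str, bool]) -> List[str]:
    """Missing artifacts in priority order: the 'what to do next' list."""
    return [name for name in PRIORITY if not report.get(name, False)]


def assess_directory(root: str) -> Dict[str, object]:
    """Walk a checkout and produce the full assessment."""
    paths = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip VCS metadata and vendored trees; they are not project sources.
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules", "vendor"}]
        for f in filenames:
            paths.append(os.path.relpath(os.path.join(dirpath, f), root))
    report = assess_artifacts(paths)
    return {"languages": sorted(detect_languages(paths)),
            "artifacts": report,
            "recommendations": recommend(report)}


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(assess_directory(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

Run it as `python3 assess.py path/to/checkout`; the pure functions take a plain list of relative paths, so they can be unit-tested without touching the filesystem.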

Example Walkthrough

This walkthrough demonstrates using the OpenSSF skill with GitHub Copilot to assess and improve the security posture of an open source repository.

Step 1: Invoke the Skill

Start by invoking the OpenSSF skill in your project:

[Screenshot: Invoke OpenSSF Skill]

What It Can Do

The skill looks at the project and provides an assessment of the overall project:

[Screenshot: Ask Capabilities]

Comprehensive List of Available Capabilities

The skill provides a comprehensive list of security features it can help with:

[Screenshots: Capabilities List; Scorecard Suggestion]

Recommendation for Next Steps

The skill provides a prioritized list of what to do next along with the approximate time to complete each activity:

[Screenshot: Run Scorecard]

Step 2: Run Scorecard

In this walkthrough we go with the recommendation to start with running Scorecard:

[Screenshot: Scorecard Results]

Scorecard Results

The skill spins up a container, runs the Scorecard analysis, and provides the results:

[Screenshot: Implement Improvements]

From here, you can use the skill to keep implementing changes.
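Scorecard results are easiest to act on when the checks are sorted worst first, which is what the "What OpenSSF Scorecard checks am I failing?" prompt asks for. The following is an added example for this README, not the skill's code: it reads the JSON that `scorecard --format json` emits, separates genuinely failing checks from ones Scorecard could not evaluate (reported with a score of -1), and renders a short prioritised list. The sample document is constructed by hand in the shape of Scorecard's output, with invented scores, reasons and a placeholder repository.

```python
"""Summarise OpenSSF Scorecard JSON output (added example, not the skill's
code). SAMPLE_SCORECARD_JSON is constructed to match the shape of
`scorecard --format json`; its values are invented."""
import json
from typing import Dict, List

# Scorecard reports -1 when a check is inconclusive (it could not be
# evaluated), so a plain "score < threshold" filter would misreport those.
INCONCLUSIVE = -1

DOCS = "https://github.com/ossf/scorecard/blob/main/docs/checks.md"

# Constructed sample; not real results for any repository.
SAMPLE_SCORECARD_JSON = json.dumps({
    "date": "2024-01-01",
    "repo": {"name": "github.com/example-org/example-repo", "commit": "<commit-sha>"},
    "scorecard": {"version": "<scorecard-version>", "commit": "<commit-sha>"},
    "score": 4.8,
    "checks": [
        {"name": "Binary-Artifacts", "score": 10, "reason": "no binaries found in the repo",
         "details": None, "documentation": {"short": "...", "url": DOCS + "#binary-artifacts"}},
        {"name": "Branch-Protection", "score": 0, "reason": "branch protection not enabled on development/release branches",
         "details": None, "documentation": {"short": "...", "url": DOCS + "#branch-protection"}},
        {"name": "Token-Permissions", "score": 0, "reason": "detected GitHub workflow tokens with excessive permissions",
         "details": None, "documentation": {"short": "...", "url": DOCS + "#token-permissions"}},
        {"name": "Pinned-Dependencies", "score": 3, "reason": "dependency not pinned by hash detected",
         "details": None, "documentation": {"short": "...", "url": DOCS + "#pinned-dependencies"}},
        {"name": "SAST", "score": -1, "reason": "internal error: could not query the GitHub API",
         "details": None, "documentation": {"short": "...", "url": DOCS + "#sast"}},
        {"name": "Security-Policy", "score": 10, "reason": "security policy file detected",
         "details": None, "documentation": {"short": "...", "url": DOCS + "#security-policy"}},
    ],
})


def load_scorecard(text: str) -> Dict:
    """Parse the JSON and reject documents that are not Scorecard results."""
    doc = json.loads(text)
    for key in ("score", "checks"):
        if key not in doc:
            raise ValueError(f"not a Scorecard result: missing {key!r}")
    return doc


def failing_checks(doc: Dict, threshold: int = 7) -> List[Dict]:
    """Checks scored below the threshold, excluding inconclusive ones, worst first."""
    failing = [c for c in doc["checks"]
               if c["score"] != INCONCLUSIVE and c["score"] < threshold]
    return sorted(failing, key=lambda c: (c["score"], c["name"]))


def inconclusive_checks(doc: Dict) -> List[str]:
    """Checks Scorecard could not evaluate; these need a re-run, not a fix."""
    return sorted(c["name"] for c in doc["checks"] if c["score"] == INCONCLUSIVE)


def summarise(text: str, threshold: int = 7) -> Dict:
    """Compact, sortable view of a Scorecard run."""
    doc = load_scorecard(text)
    return {
        "repo": doc.get("repo", {}).get("name"),
        "aggregate": doc["score"],
        "failing": [(c["name"], c["score"], c["reason"], c["documentation"]["url"])
                    for c in failing_checks(doc, threshold)],
        "inconclusive": inconclusive_checks(doc),
    }


def render(summary: Dict) -> str:
    """Human-readable prioritised list, with Scorecard's own remediation link."""
    lines = [f"{summary['repo']}: aggregate score {summary['aggregate']}/10"]
    for name, score, reason, url in summary["failing"]:
        lines.append(f"  [{score:>2}/10] {name}: {reason} ({url})")
    for name in summary["inconclusive"]:
        lines.append(f"  [ ?/10] {name}: inconclusive, re-run with a token that can read the repository")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarise(SAMPLE_SCORECARD_JSON)))
```

Feed it the real output of a run (for example `scorecard --repo=github.com/<owner>/<repo> --format json > scorecard.json`, then `summarise(open("scorecard.json").read())`) to get the same prioritised view over your own repository; the threshold of 7 is an arbitrary cut-off and can be adjusted.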


Repository Structure

openssf-skill/
├── .github/
│   └── copilot-instructions.md  # GitHub Copilot instructions
├── SKILL.md                      # Claude Code skill file
├── CONTRIBUTING.md               # Contribution guidelines
├── scripts/
│   └── assess-project.py         # Project security assessment
├── tests/
│   └── test_assess_project.py    # Unit tests (50 tests)
├── templates/
│   ├── SECURITY.md.template
│   ├── threat-model.md.template
│   └── vulnerability-disclosure-policy.md.template
├── workflows/
│   ├── scorecard.yml.template
│   ├── slsa-provenance.yml.template
│   ├── sbom-generation.yml.template
│   ├── dependency-review.yml.template
│   └── gitlab-ci-security.yml.template  # GitLab CI/CD
└── references/
    ├── threat-modeling/          # STRIDE methodology
    ├── scorecard/                # All 19 checks + remediation
    ├── osps-baseline/            # Compliance checklists
    ├── sbom/                     # Language-specific tools
    ├── slsa/                     # Supply chain security
    ├── dependency-security/      # Vulnerability scanning
    ├── security-policies/        # Policy creation guides
    ├── security-requirements/    # Requirements checklist
    ├── code-review/              # Security review guide
    ├── secrets-scanning/         # Secret leak prevention
    ├── signing/                  # Sigstore/Cosign guide
    ├── container-security/       # Docker hardening
    └── best-practices-badge/     # OpenSSF Badge guide

Security Topics Covered

| Topic | Description |
|---|---|
| Threat Modeling | STRIDE methodology, DFD creation, risk assessment |
| Security Policies | SECURITY.md, vulnerability disclosure, response timelines |
| OpenSSF Scorecard | 19 automated security checks with remediation |
| OSPS Baseline | Level 1 compliance checklist |
| SBOM | CycloneDX/SPDX generation for all major languages |
| SLSA | Supply chain security levels 0-3 |
| Dependencies | Vulnerability scanning, update strategies |
| Code Review | OWASP Top 10, language-specific patterns |
| Secrets Scanning | Gitleaks, TruffleHog, detect-secrets, pre-commit hooks |
| Artifact Signing | Sigstore ecosystem: Cosign, Fulcio, Rekor, Gitsign |
| Container Security | Dockerfile hardening, image scanning, distroless bases |
| Best Practices Badge | OpenSSF Badge self-certification (Passing/Silver/Gold) |

Requirements

| Tool | Required For |
|---|---|
| GitHub Copilot | Copilot instructions |
| Claude Code | Claude Code skill |
| Git | Cloning the repository |

Contributing

Contributions are welcome! See CONTRIBUTING.md for detailed guidelines, content standards, and testing instructions.

Quick start:

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes (run python3 -m unittest discover tests/ -v to validate)
  4. Submit a pull request

License

MIT License - see LICENSE for details.


References


Acknowledgments

Built following OpenSSF guidelines and recommendations for secure software development.
