Skip to content

Security Baseline Implementation

OpenSSF Security Baseline describes a set of security best practices to help open source projects establish and maintain a consistent security posture. The guidance in the Baseline is derived from multiple existing cybersecurity standards and tailored to address open source projects. Controls and specific requirements are coded based on project maturity: level 1 assessments are designed to apply to projects of all sizes, while level 3 guidance aims to apply to large, multi-stakeholder software efforts. The baseline provides actionable guidance on critical security practices such as access control, code review processes, vulnerability disclosure, testing, documentation, and build process.

The Custcodian team actively participates in the OpenSSF Security Baseline process and maintains a collection of minder rules and profiles which implement the Baseline security assessment (currently, level 1) at https://github.com/custcodian/minder-rules-and-profiles

These rules are designed to automatically measure and improve compliance with the OpenSSF Security Baseline (OSPS). The Custcodian team regularly contributes improvements upstream to the OpenSSF Minder rules repository; you can use either repository depending on your needs -- the Custcodian repository will receive updates first, while the Minder repository will only receive full, stable updates.

Syncing and Applying OSPS Baseline Rules

To sync and apply the OSPS Baseline rules to your GitHub repositories through the Custcodian hosted Minder instance:

  1. Clone the minder rules repository: 

    git clone https://github.com/custcodian/minder-rules-and-profiles.git

  2. Install and configure the minder CLI tool.

  3. Install Minder on your GitHub organization, and associate it with your Minder project.

  4. Register specific repositories you want to assess.

  5. From the minder-rules-and-profiles repository, apply the Baseline profile and rules using Minder: 

    minder apply -f security-baseline

Additional information

For more information on the OpenSSF Security Baseline, visit: https://baseline.openssf.org/

For more information on OpenSSF Minder, visit: https://mindersec.dev/