gittuf

A security layer for Git repositories

https://github.com/gittuf/gittuf

Science Score: 44.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
    Found CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (11.8%) to scientific vocabulary

Keywords

access-control git git-security gittuf tuf
Last synced: 4 months ago

Repository

A security layer for Git repositories

Basic Info
  • Host: GitHub
  • Owner: gittuf
  • License: apache-2.0
  • Language: Go
  • Default Branch: main
  • Homepage: https://gittuf.dev
  • Size: 27.3 MB
Statistics
  • Stars: 536
  • Watchers: 19
  • Forks: 71
  • Open Issues: 97
  • Releases: 18
Topics
access-control git git-security gittuf tuf
Created about 3 years ago · Last pushed 5 months ago
Metadata Files
Readme Changelog Contributing License Citation Security Roadmap

README.md


gittuf is a platform-agnostic Git security system. The maintainers of a Git repository can use gittuf to protect the contents of a Git repository from unauthorized or malicious changes. Most significantly, gittuf’s policy controls and enforcement are not tied to your source control platform (SCP) or “forge”, meaning any developer can independently verify that a repository’s changes followed the expected security policies. In other words, gittuf removes the forge as a single point of trust in the software supply chain!

gittuf is an incubating project at the Open Source Security Foundation (OpenSSF) as part of the Supply Chain Integrity Working Group.

Current Status

gittuf is currently in beta. gittuf's metadata is versioned, and updates should not require reinitializing a repository's gittuf policy. We recommend trying out gittuf in addition to existing repository security mechanisms you may already be using (e.g., forge security policies). We're actively seeking feedback from users; please open an issue with any suggestions or bugs you encounter!

Installation, Get Started, Get Involved

Take a look at the get started guide to learn how to install and try gittuf out! Additionally, contributions are welcome; please refer to the contributing guide, our roadmap, and the issue tracker for ways to get involved. You can also join the gittuf channel on the OpenSSF Slack and say hello!

Owner

  • Name: gittuf
  • Login: gittuf
  • Kind: organization

Citation (CITATION.bib)

@inproceedings{yelgundhalli2025,
    author = {Aditya Sirish A Yelgundhalli and Patrick Zielinski and Reza Curtmola and Justin Cappos},
    title = {{Rethinking Trust in Forge-Based Git Security}},
    booktitle = {{32nd Network and Distributed System Security Symposium (NDSS 2025)}},
    year = {2025},
    isbn = {979-8-9894372-8-3},
    address = {San Diego, CA},
    url = {https://www.ndss-symposium.org/ndss-paper/rethinking-trust-in-forge-based-git-security/},
    publisher = {{Internet Society}},
}

Issues and Pull Requests

Last synced: 4 months ago

All Time
  • Total issues: 114
  • Total pull requests: 721
  • Average time to close issues: 3 months
  • Average time to close pull requests: 11 days
  • Total issue authors: 14
  • Total pull request authors: 35
  • Average comments per issue: 1.59
  • Average comments per pull request: 1.27
  • Merged pull requests: 380
  • Bot issues: 2
  • Bot pull requests: 228
Past Year
  • Issues: 51
  • Pull requests: 415
  • Average time to close issues: about 2 months
  • Average time to close pull requests: 6 days
  • Issue authors: 8
  • Pull request authors: 24
  • Average comments per issue: 1.12
  • Average comments per pull request: 1.33
  • Merged pull requests: 180
  • Bot issues: 0
  • Bot pull requests: 102
Top Authors
Issue Authors
  • adityasaky (52)
  • patzielinski (41)
  • neilnaveen (9)
  • lukpueh (6)
  • flandweber (3)
  • jas4711 (2)
  • haotran-california (2)
  • dependabot[bot] (2)
  • alanssitis (1)
  • hythloda (1)
  • stiankri-telenor (1)
  • eyeaadil (1)
  • nealmcb (1)
  • Sylani-55 (1)
  • fahdfady (1)
Pull Request Authors
  • adityasaky (254)
  • dependabot[bot] (246)
  • patzielinski (78)
  • Sylani-55 (51)
  • neilnaveen (37)
  • fr0m-scratch (12)
  • zsun6 (11)
  • Abhinav00077 (10)
  • yongjae354 (9)
  • alanssitis (5)
  • shivpratikhande (5)
  • Yasho-Bapat (5)
  • lukpueh (5)
  • Krishna-Sharma-g (4)
  • Raghava-Gatadi (4)
Top Labels
Issue Labels
discussion (49) bug (28) enhancement (27) good first issue (18) tests (5) roadmap (4) go (4) documentation (4) help wanted (3) dependencies (2) experimental (1) governance (1) github_actions (1)
Pull Request Labels
dependencies (245) github_actions (139) go (108) enhancement (1) good first issue (1)

Dependencies

.github/workflows/ci.yml actions
  • actions/checkout 8ade135a41bc03ea155e62e844d188df1ea18608 composite
  • actions/setup-go 93397bea11091df50f3d7e59dc26a7711a8bcfbe composite
.github/workflows/lint.yml actions
  • actions/checkout 8ade135a41bc03ea155e62e844d188df1ea18608 composite
  • actions/setup-go 93397bea11091df50f3d7e59dc26a7711a8bcfbe composite
  • golangci/golangci-lint-action 3a919529898de77ec3da873e3063ca4b10e7f5cc composite
go.mod go
  • dario.cat/mergo v1.0.0
  • github.com/Microsoft/go-winio v0.6.1
  • github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371
  • github.com/acomagu/bufpipe v1.0.4
  • github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2
  • github.com/blang/semver v3.5.1+incompatible
  • github.com/cloudflare/circl v1.3.3
  • github.com/containerd/stargz-snapshotter/estargz v0.14.3
  • github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7
  • github.com/cyphar/filepath-securejoin v0.2.4
  • github.com/davecgh/go-spew v1.1.1
  • github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352
  • github.com/digitorus/timestamp v0.0.0-20230821155606-d1ad5ca9624c
  • github.com/docker/cli v24.0.0+incompatible
  • github.com/docker/distribution v2.8.2+incompatible
  • github.com/docker/docker v24.0.0+incompatible
  • github.com/docker/docker-credential-helpers v0.7.0
  • github.com/emirpasic/gods v1.18.1
  • github.com/fsnotify/fsnotify v1.6.0
  • github.com/gabriel-vasile/mimetype v1.4.2
  • github.com/github/smimesign v0.2.0
  • github.com/go-chi/chi v4.1.2+incompatible
  • github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376
  • github.com/go-git/go-billy/v5 v5.5.0
  • github.com/go-git/go-git/v5 v5.9.0
  • github.com/go-logr/logr v1.2.4
  • github.com/go-logr/stdr v1.2.2
  • github.com/go-openapi/analysis v0.21.4
  • github.com/go-openapi/errors v0.20.4
  • github.com/go-openapi/jsonpointer v0.19.6
  • github.com/go-openapi/jsonreference v0.20.2
  • github.com/go-openapi/loads v0.21.2
  • github.com/go-openapi/runtime v0.26.0
  • github.com/go-openapi/spec v0.20.9
  • github.com/go-openapi/strfmt v0.21.7
  • github.com/go-openapi/swag v0.22.4
  • github.com/go-openapi/validate v0.22.1
  • github.com/go-playground/locales v0.14.1
  • github.com/go-playground/universal-translator v0.18.1
  • github.com/go-playground/validator/v10 v10.15.1
  • github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
  • github.com/golang/protobuf v1.5.3
  • github.com/golang/snappy v0.0.4
  • github.com/google/certificate-transparency-go v1.1.6
  • github.com/google/go-containerregistry v0.16.1
  • github.com/google/trillian v1.5.2
  • github.com/hashicorp/go-cleanhttp v0.5.2
  • github.com/hashicorp/go-retryablehttp v0.7.4
  • github.com/hashicorp/hcl v1.0.0
  • github.com/in-toto/in-toto-golang v0.9.0
  • github.com/inconshreveable/mousetrap v1.1.0
  • github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99
  • github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b
  • github.com/jonboulle/clockwork v0.4.0
  • github.com/josharian/intern v1.0.0
  • github.com/kevinburke/ssh_config v1.2.0
  • github.com/klauspost/compress v1.16.5
  • github.com/leodido/go-urn v1.2.4
  • github.com/letsencrypt/boulder v0.0.0-20230125211608-3866e4f60ddd
  • github.com/magiconair/properties v1.8.7
  • github.com/mailru/easyjson v0.7.7
  • github.com/mitchellh/go-homedir v1.1.0
  • github.com/mitchellh/mapstructure v1.5.0
  • github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481
  • github.com/oklog/ulid v1.3.1
  • github.com/opencontainers/go-digest v1.0.0
  • github.com/opencontainers/image-spec v1.1.0-rc4
  • github.com/opentracing/opentracing-go v1.2.0
  • github.com/pelletier/go-toml/v2 v2.0.8
  • github.com/pjbgf/sha1cd v0.3.0
  • github.com/pkg/errors v0.9.1
  • github.com/pmezard/go-difflib v1.0.0
  • github.com/sassoftware/relic v7.2.1+incompatible
  • github.com/secure-systems-lab/go-securesystemslib v0.7.1-0.20230801180332-1e75bb347966
  • github.com/sergi/go-diff v1.3.1
  • github.com/shibumi/go-pathspec v1.3.0
  • github.com/sigstore/cosign/v2 v2.2.0
  • github.com/sigstore/gitsign v0.7.1
  • github.com/sigstore/protobuf-specs v0.1.0
  • github.com/sigstore/rekor v1.2.2
  • github.com/sigstore/sigstore v1.7.3
  • github.com/sigstore/timestamp-authority v1.1.2
  • github.com/sirupsen/logrus v1.9.3
  • github.com/skeema/knownhosts v1.2.0
  • github.com/spf13/afero v1.9.5
  • github.com/spf13/cast v1.5.1
  • github.com/spf13/cobra v1.7.0
  • github.com/spf13/jwalterweatherman v1.1.0
  • github.com/spf13/pflag v1.0.5
  • github.com/spf13/viper v1.16.0
  • github.com/stretchr/testify v1.8.4
  • github.com/subosito/gotenv v1.4.2
  • github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d
  • github.com/theupdateframework/go-tuf v0.6.1
  • github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
  • github.com/transparency-dev/merkle v0.0.2
  • github.com/vbatts/tar-split v0.11.3
  • github.com/xanzy/ssh-agent v0.3.3
  • go.mongodb.org/mongo-driver v1.11.3
  • go.opentelemetry.io/otel v1.16.0
  • go.opentelemetry.io/otel/metric v1.16.0
  • go.opentelemetry.io/otel/trace v1.16.0
  • go.uber.org/multierr v1.11.0
  • go.uber.org/zap v1.25.0
  • golang.org/x/crypto v0.13.0
  • golang.org/x/exp v0.0.0-20230321023759-10a507213a29
  • golang.org/x/mod v0.12.0
  • golang.org/x/net v0.15.0
  • golang.org/x/sync v0.3.0
  • golang.org/x/sys v0.12.0
  • golang.org/x/term v0.12.0
  • golang.org/x/text v0.13.0
  • golang.org/x/tools v0.13.0
  • google.golang.org/genproto v0.0.0-20230803162519-f966b187b2e5
  • google.golang.org/genproto/googleapis/api v0.0.0-20230803162519-f966b187b2e5
  • google.golang.org/genproto/googleapis/rpc v0.0.0-20230807174057-1744710a1577
  • google.golang.org/grpc v1.57.0
  • google.golang.org/protobuf v1.31.0
  • gopkg.in/go-jose/go-jose.v2 v2.6.0
  • gopkg.in/ini.v1 v1.67.0
  • gopkg.in/square/go-jose.v2 v2.6.0
  • gopkg.in/warnings.v0 v0.1.2
  • gopkg.in/yaml.v2 v2.4.0
  • gopkg.in/yaml.v3 v3.0.1
  • k8s.io/klog/v2 v2.100.1
  • sigs.k8s.io/yaml v1.3.0
go.sum go
  • 875 dependencies
.github/workflows/release.yml actions
  • actions/checkout b4ffde65f46336ab88eb53be808477a3936bae11 composite
  • actions/setup-go 93397bea11091df50f3d7e59dc26a7711a8bcfbe composite
  • goreleaser/goreleaser-action 7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 composite
  • sigstore/cosign-installer 11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 composite