Polished and well engineered. Punching above its star count.

A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.

Documentation: 82

README (12 pt): 65

This repository is large enough that GitHub truncated the file tree. The scan is based on a partial file list, so some checks may under-report.

Contributing guide (5 pt): 89

Contributing guide is detailed and thorough.

Install and run instructions (9 pt): 90

README documents how to install the project.

License (6 pt): 100

Licensed under Apache-2.0.

Engineering: 87

Issue and PR templates (6 pt): 0

No issue or PR templates found (−100 pts).

Add .github/ISSUE_TEMPLATE/ with bug_report.md and feature_request.md to guide contributors. It dramatically improves issue quality.

Reproducibility (6 pt): 95

Lockfile present (go.sum). Installs are reproducible.

Tests (18 pt): 100

Test files detected (cmd/ingest/startkeys/startkeys_test.go).

CI/CD (14 pt): 100

CI is configured (.github/workflows/ci.yml).

Linting and formatting (5 pt): 100

Formatting enforced (.golangci.yml).

Project health: 100

Dependency manifest (6 pt): 100

Dependency manifest found (go.mod).

Repository metadata (5 pt): 100

Repository has a description.

Activity (5 pt): 100

Actively maintained (pushed within the last month).

Housekeeping (3 pt): 100

.gitignore present.

Repository health signals

Activity, community, and responsiveness at scan time

Activity

  • Commits (30d / 90d)
  • Forks: 113
  • Releases: 0

Community

  • Community health: authors own >50% of commits
  • Watchers: 555

Responsiveness

  • Median issue response: 3d 22h
  • Median PR merge time: 7h
  • Open issues: 39

Repository files (16 root entries)

  • .github
    Good: CI is configured (.github/workflows/ci.yml).
    Good: Dependabot covers 2 ecosystems (gomod, github-actions). Dependencies stay current.
  • cmd
    Good: Test files detected (cmd/ingest/startkeys/startkeys_test.go).
  • config
  • docs
  • internal
  • osv
  • .gitignore
    Good: .gitignore present.
  • .golangci.yml
    Good: Formatting enforced (.golangci.yml).
  • CODE_OF_CONDUCT.md
    Good: Code of conduct present.
  • CONTRIBUTING.md
    Good: Contributing guide is detailed and thorough.
    Good: Contributing guide includes setup/install instructions.
    Issue: Contributing guide lacks a code style section (−8 pts). Fix: Describe your linting/formatting rules and how to run them.
    Issue: Contributing guide lacks a testing section (−8 pts). Fix: Show contributors how to run the test suite (e.g. npm test, pytest, cargo test).
    Good: Contributing guide describes the PR/review workflow.
    Good: Contributing guide includes code examples.
  • go.mod
    Good: Dependency manifest found (go.mod).
  • go.sum
    Good: Lockfile present (go.sum). Installs are reproducible.
  • LICENSE
    Good: Licensed under Apache-2.0.
  • Makefile
  • README.md
    Good: README is present.
    Good: README is well structured with multiple sections.
    Issue: No screenshots or images in the README (−20 pts). Fix: Add a GIF, screenshot, or logo image. It is the fastest way to show what your project does.
    Issue: README has no code examples (−15 pts). Fix: Show a quick-start snippet so contributors can see what using your project looks like.
    Good: README links to a live demo or deployed app.
    Good: README includes status badges.
    Good: README documents how to install the project.
    Good: README documents how to run the project.
  • SECURITY.md
    Good: Security policy present.