This project is a formalized list of checks that can be run against an open source codebase and a Go-based tool to run those checks and provide a report on the project’s health. Here are a few of the checks it runs, to get an idea of what it’s all about:

• Does the project use fuzzing tools, e.g. OSS-Fuzz?
• Does the project cryptographically sign releases?
• Does the project contain a security policy?