Contents
Summary
Query: What fraction of open source projects on GitHub enforce comprehensive CI gate tooling — specifically static analysis (SAST), dependency/vulnerability scanning (SCA), container image scanning, strict type checking, and code coverage thresholds — as required checks on every commit or pull request? How does adoption vary by project size, programming language ecosystem, and whether the project is backed by a foundation or company versus community-maintained?
Bottom Line: Security tool adoption in open source CI is highly uneven: SCA (Dependabot) at ~69%, SAST (CodeQL) at 10-30%. Container scanning, type checking, and coverage threshold data are unmeasured. The primary adoption driver is platform integration/defaults, not security awareness. Comprehensive gate adoption (all categories simultaneously) is extremely rare and unquantified.
Results
| Artifact |
Description |
| Input |
Original text, clarification, scope, vocabulary |
| Assessment |
Evidence synthesis, probability assessment, gaps |
| Self-Audit |
Process audit across 4 ROBIS domains |
| Reading List |
Prioritized source list |
Searches
| ID |
Target |
Returned |
Selected |
| S01 |
SAST tool adoption rates in open source CI pipelines |
0 |
0 |
| S02 |
SCA and dependency scanning adoption in open source |
0 |
0 |
| S03 |
Code coverage thresholds as CI gates in open source |
0 |
0 |
| S04 |
Adoption variation by project size, language, and governance |
0 |
0 |
| S05 |
SAST tool adoption rates in open source CI pipelines |
0 |
0 |
Sources
| ID |
Title |
Reliability |
Relevance |
| SRC001 |
https://arxiv.org/html/2602.14572v3 |
High |
High |
| SRC002 |
https://www.chainguard.dev/unchained/wolfis-upstream-securit |
Medium |
High |
| SRC003 |
https://github.com/ossf/scorecard |
High |
High |
| SRC004 |
https://www.blackduck.com/blog/open-source-trends-ossra-repo |
Medium |
High |
| SRC005 |
https://www.scworld.com/news/open-source-vulnerabilities-per |
Medium |
High |
| SRC006 |
https://www.sonatype.com/state-of-the-software-supply-chain/ |
Medium |
High |
| SRC007 |
https://www.sonatype.com/state-of-the-software-supply-chain/ |
Medium |
High |
| SRC008 |
https://www.moderne.ai/blog/security-dependency-updates-unma |
Medium |
High |
| SRC009 |
https://konvu.com/compare/semgrep-vs-codeql |
Medium |
High |
| SRC010 |
https://arxiv.org/html/2605.07900v1 |
High |
High |
| SRC011 |
https://arxiv.org/html/2409.07669v2 |
High |
High |
| SRC012 |
https://openssf.org/blog/2024/01/31/maintainer-motivations-c |
High |
High |
| SRC013 |
https://link.springer.com/article/10.1007/s10664-023-10369-w |
High |
Medium |
Evidence Snapshot
| Dimension |
Rating |
| Evidence quality |
Medium |
| Source agreement |
Medium |
Revisit Triggers
- [study] A comprehensive study measuring adoption of multiple security tool categories simultaneously in OSS CI is published
- [organization] GitHub publishes official CodeQL or code scanning adoption statistics
- [data_update] OpenSSF Security Baseline adoption statistics become available
- [study] A mining study of container scanning tool presence in GitHub repositories is published
- [time] 12 months after this research — the rapidly evolving GitHub Actions ecosystem warrants periodic remeasurement
← Back to run overview