Q001 — Security Tool Adoption Rates in OSS CI Pipelines — Input
Original Text
What fraction of open source projects on GitHub enforce comprehensive CI gate tooling — specifically static analysis (SAST), dependency/vulnerability scanning (SCA), container image scanning, strict type checking, and code coverage thresholds — as required checks on every commit or pull request? How does adoption vary by project size, programming language ecosystem, and whether the project is backed by a foundation or company versus community-maintained?
Clarified for Testability
What is the measured adoption rate of comprehensive CI security and quality gate tooling among open source projects on GitHub? Specifically, what percentage of projects enforce all of the following as required CI checks on pull requests or commits: (1) static application security testing (SAST), (2) software composition analysis / dependency vulnerability scanning (SCA), (3) container image scanning, (4) strict type checking (e.g., mypy, TypeScript strict mode), and (5) code coverage thresholds? Additionally, how does adoption of these tools vary across three dimensions: project size (stars, contributors, lines of code), programming language ecosystem (Python, JavaScript/TypeScript, Go, Rust, Java, etc.), and governance model (foundation-backed vs. corporate-backed vs. community-maintained)?
Embedded Assumptions Surfaced
- Assumes 'comprehensive' means all five categories listed must be present simultaneously — projects with only some of these tools would not qualify.
- Assumes these specific tool categories represent the correct definition of 'comprehensive' CI gates — other categories (e.g., license scanning, secrets detection, DAST) are excluded.
- Assumes 'required checks' means GitHub branch protection rules or equivalent enforcement, not merely that the tools exist in the repository.
- Assumes that GitHub is representative of open source CI practices broadly — projects on GitLab, Bitbucket, or self-hosted platforms may differ.
Scope
| Dimension | Value |
|---|---|
| Domain | Software engineering — CI/CD security tooling adoption in open source |
| Timeframe | Current state as of 2024-2026 |
| Testability | Partially testable via mining studies of GitHub Actions workflows, academic surveys of CI configurations, and industry reports on DevSecOps adoption. Full comprehensive-gate measurement is likely not available as a single published figure. |
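The distinction drawn in the assumptions above (a tool merely present in a workflow vs. enforced as a required status check) and the workflow-mining approach noted in the Scope table, as an added example that is not part of this question page: a small Python classifier that maps job and check names to the five gate categories by keyword heuristics and reports per-repository presence vs. enforcement plus an adoption fraction. The keyword table is an assumption of this example, the inputs only mimic the shape of GitHub workflow job names and the branch protection API's required_status_checks.contexts list, and all sample data is constructed.

```python
"""Present vs. enforced CI gates (added example, not this page's own code).
Inputs mimic GitHub workflow job names and the required_status_checks.contexts
list from the branch protection API; every sample value below is constructed."""
import re

# Keyword heuristics mapping job/check names to the five gate categories.
# The table is an assumption of this example, not a published taxonomy.
CATEGORIES = {
    "sast": r"codeql|semgrep|bandit|\bsast\b|static[- ]analysis",
    "sca": r"dependabot|snyk|trivy[- ]fs|pip-audit|npm audit|\bsca\b|dependency",
    "container": r"trivy[- ]image|grype|container[- ]scan|image[- ]scan",
    "typecheck": r"mypy|pyright|\btsc\b|type[- ]?check",
    "coverage": r"coverage|codecov",
}

def classify(name: str) -> set[str]:
    """Gate categories a single job or check name appears to cover."""
    lowered = name.lower()
    return {cat for cat, pat in CATEGORIES.items() if re.search(pat, lowered)}

def gate_report(workflow_jobs: list[str], required_contexts: list[str]) -> dict:
    """'present': some workflow job runs the tool; 'enforced': a required status
    check names it; 'comprehensive': all five enforced (the page's strict reading)."""
    present = set().union(*(classify(job) for job in workflow_jobs))
    enforced = set().union(*(classify(ctx) for ctx in required_contexts))
    return {"present": present, "enforced": enforced,
            "comprehensive": set(CATEGORIES) <= enforced}

def adoption_rate(repos: list[tuple[list[str], list[str]]]) -> float:
    """Fraction of repos whose protected branch enforces all five gate categories."""
    if not repos:
        return 0.0
    hits = sum(gate_report(jobs, ctxs)["comprehensive"] for jobs, ctxs in repos)
    return hits / len(repos)

# Constructed sample: repo A runs every tool but requires only three checks,
# so a workflow-only census overcounts it; repo B requires all five.
REPO_A = (["lint", "test (coverage >= 90%)", "CodeQL analysis", "mypy strict",
           "Trivy image scan", "pip-audit"],
          ["test (coverage >= 90%)", "CodeQL analysis", "mypy strict"])
REPO_B = (["semgrep", "snyk", "grype scan", "tsc --strict", "codecov"],
          ["semgrep", "snyk", "grype scan", "tsc --strict", "codecov"])

if __name__ == "__main__":
    report = gate_report(*REPO_A)
    print("present but not enforced:", sorted(report["present"] - report["enforced"]))
    print("comprehensive adoption rate:", adoption_rate([REPO_A, REPO_B]))
```

Counting repo A as "comprehensive" because its workflows contain all five tools is exactly the overcount the third assumption warns about; only the required-check list decides enforcement.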
Vocabulary Map
Primary Terms: SAST, SCA, container scanning, type checking, code coverage, CI gates, required checks, branch protection
Domain Variants: static analysis, dependency scanning, vulnerability scanning, image scanning, DevSecOps, shift-left security, security gates
Related Concepts: GitHub Actions, CI/CD pipeline, branch protection rules, required status checks, pre-merge checks, quality gates, security scanning adoption