Q001 — Comprehensive CI Gate Adoption Rates in OSS — Low
Summary
Query: What fraction of open source projects on GitHub enforce comprehensive CI gate tooling — specifically static analysis (SAST), dependency/vulnerability scanning (SCA), container image scanning, strict type checking, and code coverage thresholds — as required checks on every commit or pull request? How does adoption vary by project size, programming language ecosystem, and whether the project is backed by a foundation or company versus community-maintained?
Bottom Line: The fraction of OSS projects enforcing comprehensive CI gate tooling is unmeasured but almost certainly very small (likely single-digit percentages). Dependency update tools show the highest adoption (Dependabot 69.2%, Renovate 21.0% of GHA workflows), but those figures reflect version-update configuration, which primarily bumps Action versions rather than scanning for vulnerabilities; Dependabot's security alerts and security updates are a separate repository setting not captured by counting workflow files. SAST adoption is poorly quantified and appears low. Container scanning, type checking enforcement, and coverage threshold enforcement are essentially unquantified for the OSS ecosystem. No study measures co-adoption of all five tool categories simultaneously, and none distinguishes a tool merely running in CI from a tool enforced as a required status check, which is configured in branch protection or rulesets rather than in the workflow itself.
Results
| Artifact | Description |
|---|---|
| Input | Original text, clarification, scope, vocabulary |
| Assessment | Evidence synthesis, probability assessment, gaps |
| Self-Audit | Process audit across 4 ROBIS domains |
| Reading List | Prioritized source list |
Searches
| ID | Target | Returned | Selected |
|---|---|---|---|
| S01 | Overall SAST adoption in open source CI pipelines | 0 | 0 |
| S02 | SCA and dependency scanning adoption in open source CI | ? | ? |
| S03 | Code coverage, container scanning, and type checking enforcement | ? | ? |
| S04 | Comprehensive CI gate adoption (all tools simultaneously) | ? | ? |
| S05 | Adoption variation by project size, language, and governance | ? | ? |
| S06 | Overall SAST adoption in open source CI pipelines | 0 | 0 |
Sources
| ID | Source (URL) | Reliability | Relevance |
|---|---|---|---|
| SRC001 | https://mir.cs.illinois.edu/marinov/publications/HiltonETAL1 | High | High |
| SRC002 | https://arxiv.org/html/2602.14572v3 | High | High |
| SRC003 | https://www.blackduck.com/blog/open-source-trends-ossra-repo | High | High |
| SRC004 | https://www.scworld.com/news/open-source-vulnerabilities-per | Medium | High |
| SRC005 | https://www.sonatype.com/state-of-the-software-supply-chain/ | High | High |
| SRC006 | https://www.sonatype.com/press-releases/sonatypes-10th-annua | High | High |
| SRC007 | https://www.chainguard.dev/unchained/wolfis-upstream-securit | Medium | High |
| SRC008 | https://github.com/ossf/scorecard | High | High |
| SRC009 | https://blog.jetbrains.com/teamcity/2025/10/the-state-of-cic | Medium | Medium |
| SRC010 | https://arxiv.org/html/2409.07669v2 | High | High |
| SRC011 | https://www.pixee.ai/blog/sast-false-positives-reduction | Medium | High |
| SRC012 | https://thenewstack.io/checking-linuxs-code-with-static-anal | High | High |
| SRC013 | https://www.sonatype.com/state-of-the-software-supply-chain/ | High | High |
Evidence Snapshot
| Dimension | Rating |
|---|---|
| Evidence quality | Limited |
| Source agreement | Low |
Revisit Triggers
- [study] A mining study analyzing GitHub Actions workflows for co-presence of SAST, SCA, container scanning, and other security tools is published.
- [data_update] GitHub publishes data on CodeQL, Dependabot security alert, or secret scanning adoption rates.
- [data_update] OpenSSF Scorecard publishes aggregate pass/fail rates for individual checks across its roughly 1M-project dataset.
- [organization] CNCF, Apache Foundation, or Linux Foundation publishes CI security tooling adoption data for their member projects.
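The kind of measurement the first trigger describes, written out as an added example that is not part of this report or of any cited source: a Python classifier that takes a GitHub Actions workflow (in the dict form a YAML parser returns) together with a branch-protection response and reports, per gate category, whether a tool is present and whether it is actually enforced. The tool signatures, the sample workflow and the protection response are constructed assumptions; the field names of the protection response follow GitHub's `branches/{branch}/protection` REST endpoint, and the check context of an Actions job is its `name:` if set, otherwise its job id.

```python
"""Classify the CI gate categories a GitHub Actions workflow exercises and
check which of them are actually enforced as required status checks.

Added example for this page, not code from any cited source. The workflow
(given in the dict form a YAML parser returns), the branch-protection
response and the action-name signatures are all constructed assumptions.
"""
import re
from typing import Dict, List, Set

# Heuristic signatures per gate category, matched against a step's `uses:`
# reference, its `run:` command and its `with:` inputs. Assumption: a
# starting point a mining study would extend, not an exhaustive list.
SIGNATURES: Dict[str, List[str]] = {
    "sast": [r"github/codeql-action/analyze", r"semgrep", r"\bbandit\b", r"\bgosec\b"],
    "sca": [r"actions/dependency-review-action", r"snyk/actions", r"pip-audit",
            r"npm audit", r"cargo audit", r"govulncheck", r"osv-scanner",
            r"trivy.*\bscan-type=fs\b"],
    "container_scan": [r"anchore/scan-action", r"\bgrype\b", r"docker scout",
                       r"trivy.*\bimage-ref="],
    "type_check": [r"\bmypy\b", r"\bpyright\b", r"\btsc\b"],
    "coverage_threshold": [r"--cov-fail-under", r"--fail-under", r"fail_under"],
}


def _step_text(step: dict) -> str:
    """Flatten the parts of a step that identify the tool it runs."""
    parts = [str(step.get("uses", "")), str(step.get("run", ""))]
    for key, value in sorted((step.get("with") or {}).items()):
        parts.append(f"{key}={value}")
    return " ".join(parts)


def classify_job(job: dict) -> Dict[str, bool]:
    """Map each gate category found in a job to whether it can block.
    A step with `continue-on-error: true` is present but can never fail
    the job, so it is recorded as non-blocking."""
    found: Dict[str, bool] = {}
    for step in job.get("steps", []):
        text = _step_text(step)
        blocking = not bool(step.get("continue-on-error", False))
        for category, patterns in SIGNATURES.items():
            if any(re.search(p, text) for p in patterns):
                found[category] = found.get(category, False) or blocking
    return found


def required_contexts(protection: dict) -> Set[str]:
    """Status-check contexts that branch protection requires. Follows the
    shape of GitHub's REST response for
    GET /repos/{owner}/{repo}/branches/{branch}/protection: the legacy
    `required_status_checks.contexts` list plus `checks[].context`."""
    rsc = protection.get("required_status_checks") or {}
    contexts = set(rsc.get("contexts") or [])
    contexts.update(c["context"] for c in (rsc.get("checks") or []) if "context" in c)
    return contexts


def gate_report(workflow: dict, protection: dict) -> Dict[str, Dict[str, bool]]:
    """present: some job runs a tool of that category.
    enforced: a blocking step of that category sits in a job whose check
    context (the job's `name:`, else its id) is required by protection."""
    required = required_contexts(protection)
    report = {c: {"present": False, "enforced": False} for c in SIGNATURES}
    for job_id, job in workflow.get("jobs", {}).items():
        context = job.get("name", job_id)
        for category, blocking in classify_job(job).items():
            report[category]["present"] = True
            if blocking and context in required:
                report[category]["enforced"] = True
    return report


def is_comprehensive(report: Dict[str, Dict[str, bool]]) -> bool:
    """True only when all five categories are enforced, the bar the query sets."""
    return all(v["enforced"] for v in report.values())


# Constructed sample: a workflow that runs a tool from every category,
# but only some of them as real gates.
SAMPLE_WORKFLOW = {
    "name": "ci",
    "on": ["pull_request"],
    "jobs": {
        "codeql": {"name": "CodeQL", "steps": [
            {"uses": "github/codeql-action/init@v3"},
            {"uses": "github/codeql-action/analyze@v3"}]},
        "deps": {"steps": [
            {"uses": "actions/dependency-review-action@v4"}]},
        "image": {"name": "Image scan", "steps": [
            {"uses": "aquasecurity/trivy-action@0.28.0",
             "with": {"image-ref": "ghcr.io/example/app:${{ github.sha }}"},
             "continue-on-error": True}]},
        "test": {"name": "test", "steps": [
            {"run": "mypy src/"},
            {"run": "pytest --cov=src --cov-fail-under=80"}]},
    },
}

# Constructed sample of a branch-protection response: two checks required.
SAMPLE_PROTECTION = {
    "required_status_checks": {
        "strict": True,
        "contexts": ["CodeQL"],
        "checks": [{"context": "CodeQL"}, {"context": "test"}],
    }
}

if __name__ == "__main__":
    report = gate_report(SAMPLE_WORKFLOW, SAMPLE_PROTECTION)
    for category, flags in report.items():
        print(f"{category:20s} present={flags['present']!s:5s} enforced={flags['enforced']}")
    print("comprehensive:", is_comprehensive(report))
```

The separation of present from enforced is the point. In the sample, the SCA job runs but its context is not required, and the Trivy image scan runs with `continue-on-error: true`, so neither can stop a merge; a study that counts `uses:` lines alone would credit both. Measuring the enforcement the query asks about needs the branch-protection or ruleset data alongside the workflow files.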