Q001 — Comprehensive CI Gate Adoption Rates in OSS — Input

Original Text

What fraction of open source projects on GitHub enforce comprehensive CI gate tooling — specifically static analysis (SAST), dependency/vulnerability scanning (SCA), container image scanning, strict type checking, and code coverage thresholds — as required checks on every commit or pull request? How does adoption vary by project size, programming language ecosystem, and whether the project is backed by a foundation or company versus community-maintained?

Clarified for Testability

What is the measured or estimated proportion of open source projects on GitHub that enforce a comprehensive CI gate suite — including static application security testing (SAST), software composition analysis / dependency vulnerability scanning (SCA), container image scanning, strict type checking (e.g., mypy --strict, TypeScript strict mode), and code coverage thresholds — as required status checks on pull requests or commits? How does this adoption rate vary by: (a) project size (stars, contributors, lines of code), (b) programming language ecosystem (Python, JavaScript/TypeScript, Java, Go, Rust, etc.), and (c) governance model (foundation-backed, corporate-backed, vs. community-maintained)?

Embedded Assumptions Surfaced

  • Assumes 'comprehensive' means the simultaneous use of all listed tool categories, not any single one.
  • Assumes 'enforce' means configured as required status checks (branch protection rules), not just present in CI configuration.
  • Assumes measurable data exists disaggregated by project size, language, and governance model.

Scope

Dimension    Value
Domain       Software engineering — CI/CD tooling adoption in open source
Timeframe    2022-2025
Testability  Answerable through mining studies of GitHub Actions workflows, branch protection API data, and surveys of CI configuration files across large repository samples.
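The 'enforce' assumption above and the Testability row together define a per-repository measurement: which gate categories are merely present in CI workflows versus required by branch protection. The following Python is an added example, not part of the original record; the branch-protection dict mirrors the shape of the GitHub REST branch-protection response, while the name patterns and the sample data are assumptions constructed for illustration.

```python
import re
from typing import Dict, Iterable, List, Set

# One name pattern per gate category from the question. The patterns are an
# assumption for illustration; a real study must calibrate them on its sample.
GATE_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "sast": re.compile(r"codeql|semgrep|sonar|bandit|\bsast\b", re.I),
    "sca": re.compile(r"snyk|dependabot|dependency.?review|audit|\bsca\b", re.I),
    "container_scan": re.compile(r"trivy|grype|image.?scan|container.?scan", re.I),
    "type_check": re.compile(r"mypy|pyright|\btsc\b|type.?check", re.I),
    "coverage": re.compile(r"coverage|codecov|coveralls", re.I),
}

def classify_checks(check_names: Iterable[str]) -> Set[str]:
    """Map check or job names to the gate categories they appear to implement."""
    found: Set[str] = set()
    for name in check_names:
        found.update(gate for gate, pat in GATE_PATTERNS.items() if pat.search(name))
    return found

def required_contexts(protection: dict) -> List[str]:
    """Pull required status-check names from a branch-protection record shaped
    like the GitHub REST response (older 'contexts' list and newer 'checks' list)."""
    rsc = protection.get("required_status_checks") or {}
    names = list(rsc.get("contexts", []))
    names += [c["context"] for c in rsc.get("checks", []) if "context" in c]
    return names

def assess(protection: dict, workflow_jobs: Iterable[str]) -> dict:
    """Separate gates merely present in CI from gates enforced as required checks."""
    present = classify_checks(workflow_jobs)
    enforced = classify_checks(required_contexts(protection))
    return {
        "present": present,
        "enforced": enforced,
        "comprehensive": enforced == set(GATE_PATTERNS),   # all five required
        "present_but_not_enforced": present - enforced,
    }

# Constructed sample: the repo runs all five gates but requires only three.
SAMPLE_PROTECTION = {"required_status_checks": {"strict": True,
    "contexts": ["CodeQL", "tests / coverage-gate"],
    "checks": [{"context": "mypy (strict)"}]}}
SAMPLE_JOBS = ["CodeQL", "Snyk dependency scan", "trivy-image-scan",
               "mypy (strict)", "tests / coverage-gate"]

if __name__ == "__main__":
    print(assess(SAMPLE_PROTECTION, SAMPLE_JOBS))
```

Run over a sample of repositories, the "comprehensive" flag gives the numerator for the adoption rate, and "present_but_not_enforced" measures how much a workflow-only mining study would overcount.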

Vocabulary Map

Primary Terms: SAST, SCA, CI gate, required checks, code coverage threshold, container scanning, type checking

Domain Variants: static analysis, dependency scanning, vulnerability scanning, branch protection, status checks, quality gates, security gates

Related Concepts: CodeQL, Semgrep, SonarQube, Snyk, Trivy, Dependabot, GitHub Actions, CI pipeline, DevSecOps
