Q001 — Comprehensive CI Gate Adoption Is Near Zero — Medium
Summary
Query: What fraction of open source projects on GitHub enforce comprehensive CI gate tooling — specifically static analysis (SAST), dependency/vulnerability scanning (SCA), container image scanning, strict type checking, and code coverage thresholds — as required checks on every commit or pull request? How does adoption vary by project size, programming language ecosystem, and whether the project is backed by a foundation or company versus community-maintained?
Bottom Line: The fraction of open source projects enforcing all five CI gate categories as required checks is negligibly small, likely well below 0.1% of all GitHub projects. Individual tool adoption is measurable but low: CodeQL at ~200K repos, Dependabot at ~846K repos. Those counts measure a tool being enabled, not configured as a blocking pull-request check; Dependabot alerts and update PRs in particular never gate a merge. No source found in this run reports container scanning, type checking, or coverage-threshold enforcement as blocking checks in OSS CI.
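What "enforcing all five categories as required checks" means operationally, and how a study of the kind the query asks for would measure it, as an added example that is not part of this report or of any cited source: the script below reads GitHub branch-protection responses (the `required_status_checks` block returned by `GET /repos/{owner}/{repo}/branches/{branch}/protection`), maps each required check name to one of the five gate categories by keyword, and reports whether all five are blocking on that branch. The keyword table, the function names and the sample responses are assumptions constructed for illustration; GitHub itself records only check names, not what a check does.

```python
"""Decide whether a repository's protected branch enforces all five CI gate
categories from the query above (SAST, SCA, container image scanning, strict
type checking, coverage threshold) as required status checks.

Added worked example for this report; it is not code from any cited source.
The input shape follows GitHub's REST branch-protection response
(GET /repos/{owner}/{repo}/branches/{branch}/protection), which lists the
check names a pull request must pass under `required_status_checks`.
Mapping a check name to a gate category is a keyword heuristic and an
assumption of this example, not an API field.
"""

import re

# Gate category -> regexes matched case-insensitively against check names.
# Assumption: these are common names; a real study must calibrate them. A
# name like "coverage" alone does not prove a threshold is enforced, so only
# explicit threshold-style checks (e.g. codecov/project) are counted.
GATE_PATTERNS = {
    "sast": [r"codeql", r"semgrep", r"bandit", r"gosec", r"sonar"],
    "sca": [r"dependency[- ]review", r"snyk", r"osv[- ]scanner",
            r"trivy.*(fs|filesystem|repo)", r"npm audit", r"pip[- ]audit"],
    "container_scan": [r"trivy.*image", r"grype", r"docker[- ]scout", r"clair"],
    "type_check": [r"mypy", r"pyright", r"\btsc\b", r"type[- ]?check"],
    "coverage_threshold": [r"codecov/(project|patch)", r"coveralls",
                           r"coverage[- ]?(gate|threshold|check)"],
}


def classify_check(name):
    """Return the set of gate categories a single check name appears to cover."""
    return {
        gate
        for gate, patterns in GATE_PATTERNS.items()
        if any(re.search(p, name, re.IGNORECASE) for p in patterns)
    }


def required_contexts(protection):
    """Extract required check names from a branch-protection response.

    Newer responses carry `checks` (objects with a `context` field); older
    ones carry `contexts` (plain strings). Both are read; a missing block means
    the branch requires no checks at all, which is the common case.
    """
    rsc = protection.get("required_status_checks") or {}
    names = [c["context"] for c in rsc.get("checks", []) if "context" in c]
    names += [c for c in rsc.get("contexts", []) if c not in names]
    return names


def enforced_gates(protection):
    """Summarise which of the five categories are blocking on this branch."""
    names = required_contexts(protection)
    covered = set()
    for n in names:
        covered |= classify_check(n)
    rsc = protection.get("required_status_checks") or {}
    return {
        "required_checks": names,
        "gates": sorted(covered),
        "all_five": len(covered) == len(GATE_PATTERNS),
        # `strict` = branch must be up to date with base before merging, so the
        # checks ran against the tree actually being merged. Not one of the
        # five categories, but a gate is weaker without it.
        "strict_up_to_date": bool(rsc.get("strict", False)),
    }


def fraction_all_five(protections):
    """Fraction of a sample of repos whose default branch enforces all five."""
    if not protections:
        return 0.0
    return sum(enforced_gates(p)["all_five"] for p in protections) / len(protections)


# Constructed sample responses (not real repositories), trimmed to the fields
# this example reads.
SAMPLE_FULL = {"required_status_checks": {"strict": True, "contexts": [
    "CodeQL", "Dependency Review", "Trivy image scan", "mypy", "codecov/project"]}}
SAMPLE_TYPICAL = {"required_status_checks": {"strict": False, "checks": [
    {"context": "build (ubuntu-latest)", "app_id": 15368},
    {"context": "CodeQL", "app_id": 57789}]}}
SAMPLE_UNPROTECTED = {}  # a 404 from the API is normalised to an empty dict

if __name__ == "__main__":
    for label, p in [("full", SAMPLE_FULL), ("typical", SAMPLE_TYPICAL),
                     ("unprotected", SAMPLE_UNPROTECTED)]:
        print(label, enforced_gates(p))
    print("fraction enforcing all five:",
          fraction_all_five([SAMPLE_FULL, SAMPLE_TYPICAL, SAMPLE_UNPROTECTED]))
```

Two caveats a study using this approach must carry. Dependabot enablement cannot be read as SCA gating: Dependabot alerts and update pull requests never appear as a required status check, only a pull-request-time check such as dependency review does, which is why enablement counts overstate enforcement. And repositories that moved to repository rulesets expose their required checks through a separate endpoint, so a crawl that reads only the branch-protection endpoint will undercount them; the classification above applies unchanged to the check names either source returns.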
Results
| Artifact | Description |
|---|---|
| Input | Original text, clarification, scope, vocabulary |
| Assessment | Evidence synthesis, probability assessment, gaps |
| Self-Audit | Process audit across 4 ROBIS domains |
| Reading List | Prioritized source list |
Searches
| ID | Target | Returned | Selected |
|---|---|---|---|
| S01 | SAST adoption rates in open source CI pipelines | ? | ? |
| S02 | SAST adoption rates in open source CI pipelines | ? | ? |
| S03 | SCA/dependency scanning adoption rates in open source | ? | ? |
| S04 | Container image scanning and type checking adoption in OSS C | ? | ? |
| S05 | Code coverage thresholds as blocking CI checks in OSS | ? | ? |
| S06 | Adoption variation by project size, ecosystem, and governanc | ? | ? |
Sources
| ID | Source | Reliability | Relevance |
|---|---|---|---|
| SRC001 | https://mir.cs.illinois.edu/marinov/publications/HiltonETAL1 | High | High |
| SRC002 | https://decan.lexpage.net/files/SANER-2022a.pdf | High | High |
| SRC003 | https://www.sciencedirect.com/science/article/abs/pii/S01641 | High | High |
| SRC004 | https://blog.jetbrains.com/teamcity/2026/03/best-ci-tools/ | Medium | Medium |
| SRC005 | https://www.chainguard.dev/unchained/wolfis-upstream-securit | Medium | High |
| SRC006 | https://www.scworld.com/news/open-source-vulnerabilities-per | Medium | High |
| SRC007 | https://www.sonatype.com/state-of-the-software-supply-chain/ | Medium | High |
| SRC008 | https://arxiv.org/html/2409.07669v2 | High | High |
| SRC009 | https://www.pixee.ai/blog/sast-false-positives-reduction | Medium | High |
| SRC010 | https://embeddedbits.org/how-is-the-linux-kernel-tested-embe | Medium | High |
| SRC011 | https://www.kernel.org/doc/html/v6.5/dev-tools/testing-overv | High | High |
| SRC012 | https://arxiv.org/html/2605.07900v1 | High | High |
| SRC013 | https://www.nist.gov/news-events/news/2026/04/nist-updates-n | High | High |
| SRC014 | https://www.moderne.ai/blog/security-dependency-updates-unma | Medium | High |
| SRC015 | https://contribute.cncf.io/resources/services/hosted-tools/ | High | Medium |
| SRC016 | https://www.linuxfoundation.org/research/maintainer-perspect | High | High |
Evidence Snapshot
| Dimension | Rating |
|---|---|
| Evidence quality | Limited |
| Source agreement | Medium |
Revisit Triggers
- [study] A study mines GitHub API data to measure combined adoption of multiple CI gate categories (SAST + SCA + others) as required checks.
- [data_update] GitHub publishes aggregate data on code scanning, Dependabot, and branch protection rule adoption rates.
- [data_update] OpenSSF publishes adoption statistics for specific Scorecard checks (CI, SAST, vulnerability scanning) across the 1M critical projects.
- [policy] A foundation (CNCF, Apache, Linux Foundation) mandates specific CI gate requirements for graduated projects, creating a measurable population.