
Q001 — Comprehensive CI Gate Adoption Is Near Zero — Assessment


The fraction of open source projects enforcing all five CI gate categories as required checks is negligibly small — likely well below 0.1% of all GitHub projects. Individual tool adoption is measurable but low: CodeQL at ~200K repos, Dependabot at ~846K repos. No data exists for container scanning, type checking, or coverage threshold enforcement as blocking checks in OSS CI.

Evidence Synthesis

Evidence quality: Limited — No single study measures comprehensive CI gate adoption (all five categories). Data points are fragmented: CodeQL has ~200K repos, Dependabot ~846K repos, but no data on container scanning, type checking enforcement, or coverage thresholds as blocking checks.

Source agreement: Medium — Sources agree that individual tool adoption is low relative to the total GitHub population. CodeQL: ~200K repos out of 300M+. Dependabot: ~846K repos. But sources don't address the combined adoption question.

Independence: Data points come from independent sources (GitHub for CodeQL, Dependabot Alternative analysis for Dependabot, Chainguard for Scorecard language variation).

Probability Assessment

Confidence: Medium

Evidence Gaps

Expected but not found:

- Study measuring the combined adoption of multiple CI security gate categories.
- Data on container image scanning adoption rates in OSS CI.
- Data on strict type checking enforcement in OSS CI.
- Data on coverage threshold enforcement as blocking CI checks.
- Stratified adoption data by project size, language, and governance model.

Unanswered questions:

- What fraction of active (recently committed) GitHub projects enforce any security scanning as a required CI check?
- How do CNCF/Apache/LF graduated projects compare to community-maintained projects in CI gate adoption?
- What is the adoption rate for each tool category among the top 1,000 or top 10,000 most-starred GitHub projects?

Impact on confidence: The primary gap — absence of any study measuring combined CI gate adoption — means the answer is assembled from fragmentary data points. Confidence is medium because the directional finding (very low adoption) is consistent across all data points, even though precise measurement is unavailable.
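The gaps above describe a measurement nobody has published: classifying each repository's required status checks into the five gate categories and counting how many repositories enforce all five. As an added illustration (not part of this assessment or any source it cites), the Python below does that classification over a constructed sample. The repository names, check names and keyword patterns are assumptions made for the example; the only real-world input such a script would need is the list of required status-check names from a repository's branch protection.

```python
"""Classify required CI status checks into the five gate categories used in
this assessment and compute per-category and all-five adoption over a sample.
Sample repositories and check names are constructed, not real GitHub data;
the keyword patterns are an assumed heuristic, not a published taxonomy."""

import re
from typing import Dict, Iterable, List, Set

# Gate category -> regexes matched case-insensitively against the name of a
# required status check. Assumed mapping for illustration only.
GATE_PATTERNS: Dict[str, List[str]] = {
    "code_scanning": [r"codeql", r"\bsast\b", r"semgrep"],
    "dependency_scanning": [r"dependabot", r"dependency[- ]review", r"\bsca\b"],
    "container_scanning": [r"grype", r"container[- ]scan", r"image[- ]scan"],
    "type_checking": [r"mypy", r"pyright", r"\btsc\b", r"type[- ]?check"],
    "coverage_threshold": [r"coverage", r"codecov"],
}

# Constructed sample: repository -> names of its required status checks.
SAMPLE_REPOS: Dict[str, List[str]] = {
    "example-org/web-app": [
        "CodeQL", "Dependabot / dependency-review", "trivy-image-scan",
        "mypy", "codecov/patch",
    ],
    "example-org/cli-tool": ["build", "test", "CodeQL"],
    "example-org/library": ["ci / test", "coverage"],
    "example-org/unprotected": [],  # no branch protection at all
}


def classify_checks(required_checks: Iterable[str]) -> Set[str]:
    """Return the gate categories that at least one required check name matches."""
    covered: Set[str] = set()
    for name in required_checks:
        for category, patterns in GATE_PATTERNS.items():
            if any(re.search(p, name, re.IGNORECASE) for p in patterns):
                covered.add(category)
    return covered


def is_comprehensive(required_checks: Iterable[str]) -> bool:
    """True only when every one of the five categories is a required check."""
    return classify_checks(required_checks) == set(GATE_PATTERNS)


def adoption_summary(repos: Dict[str, List[str]]) -> Dict[str, float]:
    """Fraction of repositories enforcing each category, plus all five combined."""
    total = len(repos)
    counts = {category: 0 for category in GATE_PATTERNS}
    comprehensive = 0
    for checks in repos.values():
        covered = classify_checks(checks)
        for category in covered:
            counts[category] += 1
        if len(covered) == len(GATE_PATTERNS):
            comprehensive += 1
    summary = {category: counts[category] / total for category in counts}
    summary["all_five"] = comprehensive / total
    return summary


if __name__ == "__main__":
    for repo, checks in SAMPLE_REPOS.items():
        print(f"{repo}: {sorted(classify_checks(checks))}")
    for category, fraction in adoption_summary(SAMPLE_REPOS).items():
        print(f"{category}: {fraction:.0%}")
```

Name matching is the cheap approximation such a study would start from, and it overcounts: a required check called "coverage" proves that coverage is reported, not that a threshold blocks the merge, and the same holds for a scanner job that runs but never fails. Answering the threshold and blocking questions the gaps above list would mean inspecting the workflow definitions behind each check, not just its name.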
