Q001 — Comprehensive CI Gate Adoption Is Near Zero — Input

Original Text

What fraction of open source projects on GitHub enforce comprehensive CI gate tooling — specifically static analysis (SAST), dependency/vulnerability scanning (SCA), container image scanning, strict type checking, and code coverage thresholds — as required checks on every commit or pull request? How does adoption vary by project size, programming language ecosystem, and whether the project is backed by a foundation or company versus community-maintained?

Clarified for Testability

What is the measured adoption rate of comprehensive CI security and quality gate tooling among open source projects on GitHub, where 'comprehensive' means enforcing all of: (1) static application security testing (SAST), (2) software composition analysis / dependency vulnerability scanning (SCA), (3) container image scanning, (4) strict type checking, and (5) code coverage thresholds — configured as required (blocking) checks on pull requests or commits? Additionally, what evidence exists for how this adoption rate varies across three dimensions: project size (by stars, contributors, or downloads), programming language ecosystem, and governance model (foundation-backed, corporate-backed, or community-maintained)?

Embedded Assumptions Surfaced

  • Assumes that 'comprehensive CI gate tooling' requires ALL five categories simultaneously — very few projects may meet this bar.
  • Assumes these five categories constitute a reasonable definition of 'comprehensive' — other categories (secrets scanning, license compliance, SBOM generation) are excluded.
  • Assumes 'required checks' means GitHub branch protection rules enforcing status checks, which is a GitHub-specific mechanism.
  • Assumes the question is about current state, not historical trends.

Scope

Dimension    Value
Domain       Software engineering — CI/CD tooling adoption in open source ecosystems
Timeframe    Current (2024-2025)
Testability  Partially testable via mining the GitHub API for workflow files, branch protection settings (where public), and published surveys; a fully comprehensive measurement may not exist.
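The Testability row above sketches the measurement: inspect a repository's workflow files for the five gate categories and then check which of those jobs are required status checks under branch protection. The following classifier is an added example, not code from the original page; its tool-to-gate keyword table, its 2-space-indent job parser, and the assumption that a required check's context name equals the workflow job id are all heuristics chosen here, and the workflow and branch-protection JSON are constructed samples.

```python
import json
import re

# Heuristic tool-to-gate mapping (assumption): lowercase substrings searched in each job's text.
GATE_SIGNATURES = {
    "sast": ("github/codeql-action/analyze", "semgrep", "bandit"),
    "sca": ("snyk/actions", "dependency-review-action", "pip-audit", "osv-scanner"),
    "container": ("aquasecurity/trivy-action", "grype"),
    "type_check": ("mypy", "pyright", "tsc --noemit"),
    "coverage_threshold": ("--cov-fail-under", "--check-coverage", "coveragethreshold"),
}
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):(.*)$")  # job ids sit at 2-space indent under 'jobs:'

def detect_gates(workflow_text):
    """Map each gate category to the first job whose text matches a known tool."""
    jobs, current, in_jobs = {}, None, False
    for line in workflow_text.splitlines():
        if line.startswith("jobs:"):
            in_jobs = True
        elif in_jobs and (m := JOB_RE.match(line)):
            current = m.group(1)
            jobs[current] = m.group(2).lower() + "\n"
        elif in_jobs and current is not None:
            jobs[current] += line.lower() + "\n"
    found = {}
    for job_id, body in jobs.items():
        for gate, sigs in GATE_SIGNATURES.items():
            if gate not in found and any(sig in body for sig in sigs):
                found[gate] = job_id
    return found

def enforced_gates(workflow_text, protection_json):
    """Keep only gates whose job is a required status check (assumes check name == job id)."""
    required = set(json.loads(protection_json)["required_status_checks"]["contexts"])
    return {gate: job for gate, job in detect_gates(workflow_text).items() if job in required}

def is_comprehensive(workflow_text, protection_json):
    """True only when all five gates are present AND block merges via branch protection."""
    return set(enforced_gates(workflow_text, protection_json)) == set(GATE_SIGNATURES)

# Constructed sample: all five gates run, but the coverage job is not a required check.
WORKFLOW = """jobs:
  codeql: {steps: [{uses: github/codeql-action/analyze@v3}]}
  deps: {steps: [{uses: actions/dependency-review-action@v4}]}
  image: {steps: [{uses: aquasecurity/trivy-action@0.24.0}]}
  types: {steps: [{run: mypy src/}]}
  tests: {steps: [{run: pytest --cov=src --cov-fail-under=80}]}
"""
PROTECTION = json.dumps({"required_status_checks": {"contexts": ["codeql", "deps", "image", "types"]}})
```

The sample shows the distinction the question hinges on: a project can run all five tools yet fail the "comprehensive" bar because one of them is advisory rather than blocking.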

Vocabulary Map

Primary Terms: SAST, SCA, container scanning, type checking, code coverage, CI gates, required checks, branch protection

Domain Variants: static analysis, dependency scanning, vulnerability scanning, image scanning, coverage threshold, quality gates, merge checks, status checks

Related Concepts: DevSecOps, shift left, security tooling adoption, CI/CD maturity model, GitHub Actions security, CodeQL, Semgrep, Trivy, Snyk