OSSGuard

OSSGuard is a web app (with an optional GitHub/GitLab app) that continuously monitors your open-source dependencies for risky maintainer changes and governance red flags, not just CVEs. It tracks signals such as sudden maintainer turnover, repository ownership transfers, unusual spikes in release cadence, newly granted publish permissions, dependency confusion risks, and suspicious edits to package metadata. From these it produces an actionable “trust score” per dependency, together with a short explanation and recommended mitigations (pin versions, switch to a fork, add allowlists, require provenance, or replace the package). It combines a traditional pipeline with an AI layer: the traditional pipeline ingests repository and package-registry events, while the AI component summarizes the risk narrative and drafts PR comments and security tickets. The goal is to catch the social and operational supply-chain events that vulnerability scanners miss, without forcing teams to become full-time threat analysts.