This organization hosts repositories for various open source projects developed by ANSSI.
French speakers can consult the original version of this file.
ANSSI's open source strategy is detailed on the website.
The strategy recognizes three categories for the projects maintained by the agency:
- doctrinal projects, sharing doctrinal elements or published alongside them:
  - technological demonstrators,
  - reference implementations,
  - source code used to write a scientific paper or generate data (research artifacts),
  - content exposing tangible recommendations from the Agency ("actionables").
- internal tools: projects developed for an internal need and published for transparency reasons or out of a wish to share resources useful to the cyber ecosystem.
- external tools: tools shared with beneficiaries and partners (like CERTs), available directly or through services provided by the agency.
The strategy also classifies projects using an "openness level" based on the classification done by DINUM (French government OSPO):
- 📘 Level A - contributive: source code is published, external contributions are actively sought and handled.
- 📗 Level B - open: source code is published, external contributions are handled but not actively sought.
- 📙 Level C - published: source code is published but external contributions are not handled.
Doctrinal projects and internal tools are usually at level C while external
tools are at level B. Each project's managers can elaborate (in a
CONTRIBUTING.md document) on the expectations that project's contributors
should have.
While most ANSSI repositories are hosted in the ANSSI-FR organization, some of them are hosted in other places (grouped by topic, or for collaboration with other entities):
- DFIR-ORC (GitHub organization) is a set of digital forensics tools, especially used by the CERT when investigating incidents.
- FCSC-FR hosts repositories used for the French CyberSecurity Challenge CTF competition (2024 edition), including the Hackropole archive website.
The innovation lab also develops online services under the BetaGouv initiative. Those projects are hosted in the BetaGouv organization:
- Mon Service Sécurisé
- Mes Services Cyber
- Mon Aide Cyber
- Mon Espace NIS 2
- Mes Questions Cyber
- Demain Spécialiste Cyber
Since 2017, ANSSI has been conducting security assessments of open source software. These assessments may take two forms. They may involve submitting an open source software product to the process leading to the First Level Security Certification (CSPN), a French certification scheme that is part of ANSSI’s Security Visa framework. Alternatively, they may consist of tailored security audits, which do not result in the issuance of a Security Visa but are intended to provide cybersecurity professionals with an assessment of the robustness of an open source software product, in order to support their operational activities (information system accreditation process, risk analyses, etc.).
List of open source software security assessments funded by ANSSI (in French)
The contact policy depends on each project and can be stated in the README,
CONTRIBUTING, SECURITY or CONTACT file in each repository. It is also
usually possible to open issues or merge requests, each project being free to
handle them as it sees fit (as explained in the CONTRIBUTING file).
The ANSSI open source program office can be reached at the opensource@ssi.gouv.fr email address, but no support will be provided.
For any other request, readers can use the Contact page on the ANSSI website.
In case of a cyber incident, please contact CERT-FR.
A number of older projects aren't maintained anymore but are available for reference:
- archived repository list
- Wookey (GitHub organization)
- LEIA (Lab Embedded ISO7816 Analyzer, A Custom Smartcard Reader for the ChipWhisperer)
- CLIP OS (GitHub organization and archives) was a Linux-based hardened operating system targeting multi-level environments.
