Open source forms the backbone of modern technology ecosystems. From orchestration and observability to frameworks and developer tools, today’s technology choices depend on projects we may not control but rely on every day.
The challenge: not all projects are equal. Some are maintained by large, diverse contributor bases. Others hinge on a handful of individuals. Some projects are responsive to security issues, while others leave risks unaddressed. Until now, it has been hard to see which projects are truly healthy.
That’s the gap LFX Insights is built to close.
What is Insights?
LFX Insights, developed by the Linux Foundation, helps organizations make informed decisions about the open source projects they depend on.
Instead of relying on surface-level metrics like GitHub stars, Insights helps you answer deeper questions such as:
- Is this project actively maintained?
- Is there a healthy mix of contributors and organizations?
- How quickly are issues and pull requests being resolved?
- Does the project follow good security and governance practices?
It gives you the information you need to select, adopt, and invest in open source projects with confidence.

Why Insights matters for end users
End users carry real risk when dependencies aren’t healthy. We’ve all seen the consequences: left-pad’s removal, the Log4Shell vulnerability, or the recent XZ backdoor attempt. These incidents underscore how fragile open source dependencies can become without visibility into project health.
Traditional signals like stars or package downloads don’t tell the whole story. What matters just as much as those “traction metrics” is the sustainability of contributors (individuals and organizations), the strength of governance, and the security posture of a project.
That’s where LFX Insights makes a difference. It acts as an early warning system, helping you identify projects that are thriving and avoid being blindsided by ones that may be at risk.
5 Key features for end users
LF Open Source Index
The LF Open Source Index provides a curated view of the world’s most critical open source projects. It ranks projects based on software value and contributor activity across key industry domains, helping organizations see which technologies sit at the core of their infrastructure and how their stack compares.

Coverage beyond Linux Foundation projects
Insights now includes non-LF projects, extending visibility to the tools end users rely on most. These projects are identified using the OpenSSF Criticality Score, ensuring that actively maintained, widely used, and ecosystem-critical projects are visible regardless of where they’re hosted. Insights is expanding to include up to 10,000 additional non-LF projects over time. If you’re missing a critical project, you can submit and vote for it.
Project health score
Each project in Insights is assigned a Health Score, a weighted signal across four key dimensions:
- Contributors: Who is contributing on behalf of which company? (including leaderboards, contributor and organization dependency, etc.)
- Popularity: How well is the project being adopted? (including package downloads, search queries, mailing list messages, etc.)
- Development: How actively is the project being maintained? (including issue resolution, PR lead time, active days, etc.)
- Security & Best Practices: Is the project following security & best practices? (supported by OSPS Baseline)
The score distills dozens of metrics into a single indicator — Critical, Unsteady, Stable, Healthy, or Excellent — allowing you to assess project health at a glance.

Contributor and organization attribution
Insights resolves contributor identities and affiliations, moving beyond GitHub handles to show which organizations are truly backing a project. This visibility helps end users assess diversity, governance, and potential risks when a single entity contributes the majority of work.
Report faulty or incomplete data
No dataset is perfect. That’s why Insights now includes a reporting mechanism for faulty or incomplete data. If you see misattributed contributors or incorrect information, you can flag it directly in the platform. This community feedback loop helps improve accuracy over time.

How you can use Insights
For CNCF end users, LFX Insights offers new ways to engage with open source projects responsibly:
- Dependency evaluation: Before adopting a project, check its Health Score, contributor diversity, and security posture.
- Risk monitoring: Track the health of critical dependencies you already rely on and catch warning signs early.
- Strategic engagement: Identify projects where your organization’s contributions could have the greatest positive impact, whether through engineering resources or governance participation.
Explore LFX Insights
In May 2025, the Linux Foundation relaunched LFX Insights with a streamlined design, improved transparency, and broader coverage. Today, it covers more than 15,000 repositories, with a roadmap to include all critical open source projects across ecosystems. LFX Insights continues to evolve with community input. Explore the platform, share feedback, and help strengthen the visibility and resilience of the open source ecosystem.
- LFX Insights
- Documentation
- GitHub repository (for discussions & opening issues)