Fossier Registry

Fossier

What is Fossier?

Fossier is a spam prevention system for open source GitHub repositories. Open source projects face increasing volumes of spam pull requests: AI-generated slop, Hacktoberfest spam, SEO link injection, and mass-produced low-effort PRs targeting popular repos.

Fossier evaluates PR authors automatically when a pull request is opened. Trusted and known contributors pass through instantly. Unknown contributors are scored across multiple signals to estimate spam probability. Legitimate first-time contributors get through; likely spam is blocked on a best-effort basis. You can optionally enable auto-closing of PRs that contain commits co-authored by Claude or other LLMs, and you can optionally use the global registry of spam reports and trusted maintainers to make your repository safer and help the open source ecosystem as a whole.

Why should I trust the registry?

Maintainers who can actually submit spam reports are essentially hand-chosen by Fossier admins: only medium to large established repositories with a history of good-faith maintenance are approved. The registry is designed to be conservative, prioritizing false positives over false negatives, and only blocks users with multiple independent spam reports. You can also choose to use the registry for scoring but not for auto-blocking, or to ignore it entirely if you prefer.

View the source on GitHub

How It Works

Trust Tiers

When a PR is opened, fossier classifies the author into a trust tier:

Tier    | Source                                                                                    | Outcome
Blocked | VOUCHED.td denouncements, config blocked_users, global registry                           | Auto-close PR
Trusted | CODEOWNERS, GitHub collaborators, VOUCHED.td vouches, config trusted_users, trusted orgs  | Auto-allow
Known   | Previous contributors who passed scoring                                                  | Auto-allow
Unknown | None of the above                                                                         | Run scoring algorithm

Scoring Algorithm

Unknown contributors are scored across 15 signals, each normalized to 0.0–1.0 and weighted to produce a composite score from 0 to 100:

Account Age: Days since GitHub account creation
Contribution History: Public repos + gists as activity proxy
Closed PRs Elsewhere: Mass-PR spam signal
Public Repos: Number of public repositories
Open PRs Elsewhere: High count = mass-PR spam signal
Prior Interaction: Has issues/comments on this repo
PR Content: Files changed: docs-only, code, tests
Follower Ratio: Followers / following ratio
Bot Signals: Username patterns, API type field
Commit Email: Public email, disposable domain detection
PR Description: Title/body quality, AI-slop indicators
Repo Stars: Popular repos attract more spam
Org Membership: Public GitHub organization memberships
Commit Verification: GPG/SSH signed commits
Contributor Stars: Total stars across contributor's own repos

Score   | Outcome | Action
≥ 70    | ALLOW   | Record contributor as known, optionally label PR
40 – 69 | REVIEW  | Add label + post score breakdown comment
< 40    | DENY    | Post explanatory comment + close PR
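The scoring stage described above, as an added Python illustration that is not fossier's own code: six of the page's signals are normalized to 0.0–1.0, weighted into a 0–100 composite, and mapped to the page's ALLOW/REVIEW/DENY thresholds. The normalization curves, the WEIGHTS table and the three sample contributors are assumptions for the example.

```python
# Added illustration of the scoring stage: six of the page's signals, each
# normalized to 0.0-1.0 (1.0 = looks legitimate), weighted into a 0-100
# composite and mapped to ALLOW / REVIEW / DENY with the page's thresholds.
# The normalization curves and WEIGHTS are assumptions, not fossier's values.

WEIGHTS = {                     # assumed; sum to 100 so the composite is 0-100
    "account_age": 25,
    "contribution_history": 15,
    "closed_prs_elsewhere": 20,
    "prior_interaction": 15,
    "follower_ratio": 10,
    "commit_verification": 15,
}

def clamp(x):
    return max(0.0, min(1.0, x))

def normalize(p):
    """Map raw contributor facts (dict) to per-signal values in 0.0-1.0."""
    return {
        "account_age": clamp(p["account_age_days"] / 365),     # saturates at 1 year
        "contribution_history": clamp((p["public_repos"] + p["gists"]) / 20),
        # Many closed PRs elsewhere is the mass-PR spam signal, so invert it.
        "closed_prs_elsewhere": clamp(1 - p["closed_prs_elsewhere"] / 50),
        "prior_interaction": 1.0 if p["prior_interaction"] else 0.0,
        "follower_ratio": clamp(p["followers"] / max(p["following"], 1)),
        "commit_verification": 1.0 if p["commits_signed"] else 0.0,
    }

def composite_score(p):
    """Weighted sum of normalized signals, rounded to an integer 0-100."""
    s = normalize(p)
    return round(sum(WEIGHTS[k] * s[k] for k in WEIGHTS))

def outcome(score):
    """Thresholds from the page's score table."""
    if score >= 70:
        return "ALLOW"
    if score >= 40:
        return "REVIEW"
    return "DENY"

# Constructed sample contributors (not real accounts).
VETERAN = dict(account_age_days=1500, public_repos=30, gists=5, closed_prs_elsewhere=2,
               prior_interaction=True, followers=80, following=40, commits_signed=True)
BORDERLINE = dict(account_age_days=200, public_repos=8, gists=2, closed_prs_elsewhere=10,
                  prior_interaction=True, followers=5, following=20, commits_signed=False)
MASS_PR = dict(account_age_days=3, public_repos=1, gists=0, closed_prs_elsewhere=40,
               prior_interaction=False, followers=0, following=200, commits_signed=False)
```

With these weights the three samples score 99 (ALLOW), 55 (REVIEW) and 5 (DENY); the REVIEW band is where a maintainer reads the posted breakdown comment rather than trusting the number alone.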

The Global Registry

This site is the Fossier Global Registry — a shared database of spam reports contributed by fossier instances across many repositories. When a fossier instance denies a PR based on scoring, it can optionally report that contributor here.

Other fossier instances can then query the registry before scoring. If a contributor has 3 or more spam reports from different repositories, they are automatically blocked — no need to wait for signals to be collected and scored again.

This creates a network effect: every repository running fossier makes every other repository running fossier safer.

How to Connect

  1. Register your repository on the home page
  2. A maintainer reviews and approves your registration
  3. You receive an API key
  4. Add the registry to your fossier.toml:
    [registry]
    url = "https://registry.fossier.io"
    api_key = ""   # or set FOSSIER_REGISTRY_API_KEY env var
    report_denials = true
    check_before_scoring = true

Getting Started with Fossier

GitHub Action (Recommended)

Add to .github/workflows/fossier.yml:

name: Fossier PR Check
on:
  pull_request_target:
    types: [opened, synchronize]

permissions:
  pull-requests: write
  issues: write

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: PThorpe92/fossier@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

Bulk Scan Workflow (workflow_dispatch)

Run fossier init to generate a fossier-scan.yml workflow that you can trigger manually from the Actions tab. It evaluates all open PRs at once — closing spam, labeling borderline PRs for review, and passing trusted contributors through.

You can also run it locally if you have the gh CLI authenticated:

# Scan all open PRs (dry run — just prints results)
fossier scan --format table --dry-run

# Scan and take action (close spam, label reviews)
fossier scan --execute

CLI

# Install
uv tool install git+https://github.com/pthorpe92/fossier.git

# Evaluate a contributor
fossier check octocat --repo owner/repo --pr 42

# Manually reject a contributor (denounces locally + reports to global registry)
fossier reject spammer123 --reason "SEO link spam in docs PRs" --pr 42

# Denounce locally only (adds to VOUCHED.td, does not report to registry)
fossier denounce spammer123 --reason "Known spam account"

# View spam report for your repo
fossier report --repo owner/repo

# Initialize config files (creates fossier.toml, VOUCHED.td, and GitHub workflows)
fossier init

VOUCHED.td

Fossier uses a simple trust file called VOUCHED.td that you commit to your repository. Lines starting with + vouch for a user; lines starting with - denounce them.

# Core team
+ alice
+ bob

# Known spam accounts
- spammer123  SEO link injection in docs PRs
- slopbot     AI-generated mass PRs
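The tier table, the registry's "3 or more reports from different repositories" rule and the VOUCHED.td format, combined in an added Python example that is not fossier's own code. The config keys blocked_users and trusted_users come from this page; the sample users and repositories, the CODEOWNERS and known-contributor sets, and the choice to check Blocked before Trusted are assumptions of the example.

```python
# Added example: VOUCHED.td parser plus trust-tier classification from the
# table above, including the registry's distinct-repository rule. Sample data
# is constructed; the Blocked-before-Trusted precedence is an assumption.

VOUCHED_TD = """\
# Core team
+ alice
+ bob

# Known spam accounts
- spammer123  SEO link injection in docs PRs
- slopbot     AI-generated mass PRs
"""

def parse_vouched(text):
    """Return (vouched users, {denounced user: reason}); '#' lines are comments."""
    vouched, denounced = set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        mark, _, rest = line.partition(" ")
        user, _, reason = rest.strip().partition(" ")
        if mark == "+":
            vouched.add(user)
        elif mark == "-":
            denounced[user] = reason.strip()
    return vouched, denounced

CONFIG = {"blocked_users": {"evil-bot"}, "trusted_users": {"carol"}}  # fossier.toml lists
CODEOWNERS = {"dave"}      # names from the repo's CODEOWNERS file (constructed)
KNOWN = {"erin"}           # contributors who previously passed scoring (constructed)
REGISTRY_REPORTS = {       # user -> repositories that reported them (constructed)
    "masspr99": ["org-a/x", "org-b/y", "org-c/z"],
    "newbie": ["org-a/x", "org-a/x"],   # two reports, but from a single repo
}

def registry_blocked(user, threshold=3):
    """Registry rule: blocked once reports come from >= 3 distinct repositories."""
    return len(set(REGISTRY_REPORTS.get(user, []))) >= threshold

def trust_tier(user):
    """Classify an author; a denouncement or registry block wins over any vouch."""
    vouched, denounced = parse_vouched(VOUCHED_TD)
    if user in denounced or user in CONFIG["blocked_users"] or registry_blocked(user):
        return "Blocked"
    if user in vouched or user in CONFIG["trusted_users"] or user in CODEOWNERS:
        return "Trusted"
    if user in KNOWN:
        return "Known"
    return "Unknown"   # falls through to the scoring algorithm
```

Note that "newbie" stays Unknown: two reports from the same repository do not count as independent, which is the property that keeps one over-eager maintainer from blocking an account registry-wide.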
