Fossier Registry

Fossier

What is Fossier?

Fossier is a spam prevention system for open source GitHub repositories. Open source projects face increasing volumes of spam pull requests: AI-generated slop, Hacktoberfest spam, SEO link injection, and mass-produced low-effort PRs targeting popular repos.

Fossier evaluates PR authors automatically when a pull request is opened. Trusted and known contributors pass through instantly. Unknown contributors are scored across multiple signals to estimate spam probability. Legitimate first-time contributors get through; likely spam gets blocked on a best-effort basis. You can choose to enable auto-closing of PRs that contain commits co-authored by Claude or other LLMs, and you can optionally use the global registry of spam reports and trusted maintainers to make your repository safer and help the open source ecosystem as a whole.

How It Works

Trust Tiers

When a PR is opened, fossier classifies the author into a trust tier:

Tier    | Source                                                                                      | Outcome
Blocked | VOUCHED.td denouncements, config blocked_users, global registry                              | Auto-close PR
Trusted | CODEOWNERS, GitHub collaborators, VOUCHED.td vouches, config trusted_users, trusted orgs     | Auto-allow
Known   | Previous contributors who passed scoring                                                    | Auto-allow
Unknown | None of the above                                                                           | Run scoring algorithm

Scoring Algorithm

Unknown contributors are scored across 13 signals, each normalized to 0.0–1.0 and weighted to produce a composite score from 0 to 100:

Signal              | Description
Account Age         | Days since GitHub account creation
Public Repos        | Number of public repositories
Contribution History| Public repos + gists as activity proxy
Open PRs Elsewhere  | High count = mass-PR spam signal
Prior Interaction   | Has issues/comments on this repo
PR Content          | Files changed: docs-only, code, tests
Follower Ratio      | Followers / following ratio
Bot Signals         | Username patterns, API type field
Commit Email        | Public email, disposable domain detection
PR Description      | Title/body quality, AI-slop indicators
Repo Stars          | Popular repos attract more spam
Org Membership      | Public GitHub organization memberships
Commit Verification | GPG/SSH signed commits

Score   | Outcome | Action
≥ 70    | ALLOW   | Record contributor as known, optionally label PR
40 – 69 | REVIEW  | Add label + post score breakdown comment
< 40    | DENY    | Post explanatory comment + close PR

The Global Registry

This site is the Fossier Global Registry — a shared database of spam reports contributed by fossier instances across many repositories. When a fossier instance denies a PR based on scoring, it can optionally report that contributor here.

Other fossier instances can then query the registry before scoring. If a contributor has 3 or more spam reports from different repositories, they are automatically blocked — no need to wait for signals to be collected and scored again.

This creates a network effect: every repository running fossier makes every other repository running fossier safer.

How to Connect

  1. Register your repository on the home page
  2. A maintainer reviews and approves your registration
  3. You receive an API key
  4. Add the registry to your fossier.toml:
    [registry]
    url = "https://registry.fossier.io"
    api_key = ""   # or set FOSSIER_REGISTRY_API_KEY env var
    report_denials = true
    check_before_scoring = true

Getting Started with Fossier

GitHub Action (Recommended)

Add to .github/workflows/fossier.yml:

name: Fossier PR Check
on:
  pull_request_target:
    types: [opened, synchronize]

permissions:
  pull-requests: write
  issues: write

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: PThorpe92/fossier@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

CLI

# Install
uv tool install git+https://github.com/pthorpe92/fossier.git

# Evaluate a contributor
fossier check octocat --repo owner/repo --pr 42

# View spam report for your repo
fossier report --repo owner/repo

# Initialize config files
fossier init

VOUCHED.td

Fossier uses a simple trust file called VOUCHED.td that you commit to your repository. Lines starting with + vouch for a user; lines starting with - denounce them.

# Core team
+ alice
+ bob

# Known spam accounts
- spammer123  SEO link injection in docs PRs
- slopbot     AI-generated mass PRs
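The trust-tier table from How It Works, the registry's rule of three reports from different repositories, and the VOUCHED.td format above, worked through as an added Python example (not Fossier's own code): it parses a constructed VOUCHED.td and then assigns an author to a tier. The AuthorContext fields, the config dict, case-insensitive login matching and the rule that a block outranks a vouch are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
@dataclass  # hypothetical per-author inputs a fossier instance would gather (example assumption)
class AuthorContext:
    login: str
    orgs: set = field(default_factory=set)                # public GitHub org memberships
    is_codeowner: bool = False                            # listed in CODEOWNERS
    is_collaborator: bool = False                         # GitHub collaborator on the repo
    passed_scoring_before: bool = False                   # an earlier PR passed scoring ("Known")
    registry_reports: list = field(default_factory=list)  # repo slugs that reported this login

def parse_vouched(text):
    """Parse VOUCHED.td: '+ user' vouches, '- user [reason]' denounces, '#' starts a comment."""
    vouched, denounced = set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([+-])\s*(\S+)\s*(.*)$", line)
        if not m:
            raise ValueError(f"malformed VOUCHED.td line: {raw!r}")
        sign, user, reason = m.groups()
        if sign == "+":
            vouched.add(user.lower())  # logins compared case-insensitively (assumption)
        else:
            denounced[user.lower()] = reason.strip()
    return vouched, denounced

def classify(author, vouched_text, cfg):
    """Map an author to (tier, reason). Assumption: a block outranks a vouch."""
    login = author.login.lower()
    vouched, denounced = parse_vouched(vouched_text)
    distinct_repos = {r.lower() for r in author.registry_reports}
    if login in denounced or login in cfg.get("blocked_users", set()):
        return "Blocked", denounced.get(login, "config blocked_users")
    if len(distinct_repos) >= 3:  # registry rule: 3+ reports from different repositories
        return "Blocked", f"global registry: {len(distinct_repos)} reports from different repos"
    if author.is_codeowner or author.is_collaborator:
        return "Trusted", "CODEOWNERS or GitHub collaborator"
    if (login in vouched or login in cfg.get("trusted_users", set())
            or {o.lower() for o in author.orgs} & cfg.get("trusted_orgs", set())):
        return "Trusted", "VOUCHED.td vouch, config trusted_users or trusted org"
    if author.passed_scoring_before:
        return "Known", "previously passed scoring"
    return "Unknown", "run scoring algorithm"

# Constructed sample inputs; the VOUCHED.td content mirrors the one shown above.
VOUCHED = ("# Core team\n+ alice\n+ bob\n\n# Known spam accounts\n"
           "- spammer123  SEO link injection in docs PRs\n- slopbot     AI-generated mass PRs\n")
CFG = {"blocked_users": {"mallory"}, "trusted_users": {"carol"}, "trusted_orgs": {"example-org"}}
```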