THIS REPO HAS BEEN CONTRIBUTED TO THE OPENSSF. THE NEW REPO IS HERE https://github.com/ossf/s2c2f/.
This guide outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow. This paper is split into two parts: a solution-agonistic set of practices and a maturity model-based implementation guide. The Framework is targeted toward organizations that do software development, that take a dependency on open source software, and that seek to improve the security of their software supply chain.
The OSS SSC Framework is complete with:
- A high-level solution-agnostic set of practices
- A detailed list of requirements
- A list of real-world supply chain threats specific to OSS, and how our Framework requirements mitigates them
- A maturity model-based implementation guide, with links to tools from across the industry
- A process for assessing your organization’s maturity
- A mapping of the Framework requirements to 6 other supply chain specifications
⭐: Click here for the PDF of the specification
: Click here to view the specification in markdown
The general Community Specification Contributing Policy is captured on the Contributing section. Specific guidelines based on the policy for how best to contribute to the OSS SSC Framework specification is here. The living OSS SSC Framework is captured in markdown and is where all updates will take place.
SLA to Triage Issues:
- The OSS SSC Framework working group will review, triage, and respond to issues during each Community Meeting.
Community and Technical Meetings:
-
OSS SSC Framework community meetings are held the 3rd Tuesday of every month @ 12:00 PM Pacific. Please click the iCal Subscription link above or email adrian.diglio@microsoft.com to be added to the meeting invitation.
Technical Meetings:
- OSS SSC Framework technical meetings are held the last Monday of every month @ 2:00 PM Pacific. Please click the iCal Subscription link above or email adrian.diglio@microsoft.com to be added to the meeting invitation.
Chat channels:
- We have a Slack channel on the OpenSSF Slack instance:
