s2c2f
The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to secu...
Investigate OpenSSF processes through the TAC (something like GitHub Pages) that we can publish our own site for S2C2F, and choose a domain name (such as s2c2f.io).
Is it strictly required that UPD-3 be part of a PR workflow, or is it better to make this requirement more general so that developers are made aware of known...
From the discussion in issue #48:

> SCA-5 is about running tools to search for yet-to-be-discovered security issues.

Attempt to bring greater clarity to the requirement by changing the...
SCA-5 "Identify zero-day vulnerabilities and confidentially contribute fixes back to the upstream maintainer" is a very proactive measure requiring a high level of infrastructure, knowledge and upstream engagement. My interpretation of...
When thinking about S2C2F adoption I found myself wanting to easily understand at what level of maturity the different common OSS supply chain threats would be mitigated. I thought this...
None of the example threats in the Common OSS Supply Chain Threats section of the document are mitigated by maturity level 1, which might lead people to think that initial...
The maturity graphic is an excellent overview of the practices recommended at each maturity level. It could be even more useful for helping folks navigate and orient to the specification...
**Definition of Supplemental Material:** A 1-2 page write-up to provide clarification on certain scenarios.

Example list of initial Supplemental Guides:

- How S2C2F applies to C/C++ OSS
- How...
Provided a little more generality and less branding to the framework intro.
Ensure TAC is aware that S2C2F is stable, and also make TAC aware of possible opportunities to have SLSA join the international standardization alongside the S2C2F.