S2C2F Attestation Schema and Tool

This project was initiated by the OpenSSF Supply Chain Integrity Working Group, S2C2F SIG, as part of the 2023 Microsoft Global Hackathon. The scope of this effort is to use NIST OSCAL as the machine-readable schema and to produce a GitHub-compatible tool that analyzes a GitHub repo for conformance with Secure Supply Chain Consumption Framework (S2C2F) requirements and outputs the results in OSCAL format.

Motivation

Building a tool that captures the security configuration of the development environment for a specific software project against a set of requirements (such as S2C2F) and outputs the results in machine-readable format (OSCAL) is the future of software transparency.

Objective

This tool is being developed to provide a way to use GitHub Actions to assess a GitHub repo's implementation of S2C2F control requirements up to Maturity Level 2, and to output the results as a machine-readable JSON file in OSCAL format.

Scope

  1. Finalize S2C2F requirements for the project
  2. Create an OSCAL format catalog model in JSON/XML
  3. Validate the JSON/XML Model
  4. Test tool on an Open Control Repo
  5. Read the JSON/XML model and perform a gap analysis against the catalog model
  6. Define the requirements for attestation based on the gap analysis

Quick Start

  • Create Issues to track Feature requests
  • Pull requests are monitored in real time

Meeting times

  • Meetings are in alignment with current S2C2F SIG Meeting times.

Governance

The CHARTER.md outlines the scope and governance of our group activities.

[OPTIONAL]

  • Adrian Diglio
  • Jay White

Intellectual Property

In accordance with the OpenSSF Charter (PDF), work produced by this group is licensed as follows:

Antitrust Policy Notice

Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.

Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.

Contributors

adriandiglio, anandchugh, camaleon2016, hythloda, sharonfinden, yogitasrivastava

Issues

Build tool that integrates with GitHub

Build a tool that assesses the configuration of a GitHub project (whether it's public or private) and can output an OSCAL file that attests to that project's conformance with S2C2F Maturity Level 2 requirements.

Please adopt OpenSSF Security Insights for this project

Hello from the OpenSSF Security Insights team!

Security Insights is a specification for expressing security-relevant metadata about a project in a machine-readable format. It allows you to express things like where a project is in its lifecycle, what kind of security tools are used, and whether you want to accept automated pull requests. It complements Scorecard metrics by focusing on things that often can’t be found by analyzing repository contents.

As part of our launch, we’d like to see OpenSSF adopt the Security Insights specification across our code projects. This is as simple as adding a SECURITY-INSIGHTS.yml file to your repository root. The entire process should take less than 10 minutes. The full specification is located at https://github.com/ossf/security-insights-spec/blob/v1.0.0/specification.md.

If you have questions about the Security Insights specification or this request, feel free to reach out to us on slack (#security_insights_spec) or open an issue in our repository (ossf/security-insights-spec).
