Create Supplemental Material for deeper dives and clarification

ossf / s2c2f

The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow.

Other

179 stars 24 forks source link

Create Supplemental Material for deeper dives and clarification #24

Open adriandiglio opened 1 year ago

adriandiglio commented 1 year ago

Definition of Supplemental Material: A 1-2 page write up to provide clarification on certain scenarios.

Example list of initial Supplemental Guides:

How S2C2F applies to C/C++ OSS
How OSS consumers SHOULD use metadata (i.e. OSS Scorecard) to make their own risk-based policies for consumption
How S2C2F applies to Linux rpm/deb packages
How to securely configure package source files for ENF-1
Elaborate on validating provenance (AUD-1), to include validating SLSA provenance

jasminewang0 commented 1 year ago

Another supplemental guide example that came up was one about branch protections and approvals

joshuagl commented 5 months ago

It would be great to see some supplemental guidance around AUD-5 / Validate the author of your OSS.