by the Open Source Security Foundation (OpenSSF)
If you develop or build software, here are some ready-to-go resources from the OpenSSF to help you secure that software.
You can also see the full list of Guides released by the OpenSSF.
Use these to evaluate the OSS you intend to use and to evaluate how well your OSS project(s) are doing.
Sigstore is a new and simpler approach for artifact signing and signature verification.
To learn more about the OpenSSF, please see the main OpenSSF website. From this website you can get information such as:
If you’re interested in helping us improve the security (including the supply chain security) of open source software, please get involved in the OpenSSF.
A good starting point would be to look at our list of OpenSSF working groups (WGs) to see what would interest you. You can click on a group's GitHub page to learn more about what it does and when it meets by video; you can also join its Slack channel and mailing list to participate in what it is doing.
You can get involved with the OpenSSF in many ways. We would love to work together.