tag-security icon indicating copy to clipboard operation
tag-security copied to clipboard

Published 20 hours ago verified publisher icon cncf

[Suggestion] Analysis of SSCP on SLSA

Open lumjjb opened this issue 3 years ago • 3 comments
trafficstars

Description:

Understand the coverage of Secure Supply Chain Best Practices Paper (SSCP) in SLSA, and make recommendations on improvements to either SSCP or SLSA, or provide guidance on coverage of controls outside SLSA.

Impact: Understand gaps in today's tools in Software Supply Chain and provide recommendations to bolster supply chain security efforts.

Scope: Probably a month of analysis and discussion and another month of discussing and writing guidance, and a month of review and wrap-up.

TO DO

  • [ ] Security TAG Leadership Representative:
  • [ ] Project leader(s):
  • [ ] Project Members:
  • [ ] Fill in addition TODO items here so the project team and community can see progress!
  • [ ] Scope
  • [ ] Deliverable(s)
  • [ ] Project Schedule
  • [ ] Slack Channel (as needed)
  • [ ] Meeting Time & Day:
  • [ ] Meeting Notes (link)
  • [ ] Meeting Details (zoom or hangouts link)
  • [ ] Retrospective

lumjjb avatar Jul 18 '22 14:07 lumjjb

There is the SLSA positioning working group/stream that is spinning up. Will update once the meeting times are figured out. Under the OpenSSF slack there is the #slsa-positioning channel

https://openssf.slack.com/archives/C03NSDSQJ92

mlieberman85 avatar Jul 21 '22 15:07 mlieberman85

I started a spreadsheet to map the SSCP to SLSA and other tooling to lay out which pieces of the supply chain are addressed by different pieces of tooling: https://docs.google.com/spreadsheets/d/1CzvnInT7QOmTOz20W5TiX8tJiG9XZvdqYA3TivLx-PI/edit#gid=0

Feedback and collaboration is welcome!

mnm678 avatar Jul 28 '22 15:07 mnm678

@mnm678 anything else we can help with Marina? Shared this in the working session today with group, fyi.

PushkarJ avatar Sep 21 '22 17:09 PushkarJ

@mnm678 anything else we can help with Marina? Shared this in the working session today with group, fyi.

Thanks! I opened #984 to extend the scope of this project a bit to cover not just SLSA, but other open source tools. If anyone would like to contribute to the spreadsheet based on knowledge of any supply chain security open source project, that would be very helpful!

mnm678 avatar Sep 27 '22 19:09 mnm678

This issue has been automatically marked as inactive because it has not had recent activity.

stale[bot] avatar Dec 24 '22 04:12 stale[bot]

Closing the issue due to inactivity. Task subsumed by Supply Chain WG.

anvega avatar Jul 31 '23 20:07 anvega