security-baseline
From the 2025-11-25 meeting: @eddie-knight would like control objectives to focus more on objectives and less on defining requirements. Example: > "Ensure that there is no MITM modification of assets...
As discussed in the 2025-11-25 meeting. In my opinion, if projects with only a single repository don't need to do anything (e.g. no security-insights or SBOM) to indicate that status,...
As discussed in the 2025-11-25 meeting and on Slack. The BR-01 control was originally lifted from the [Scorecard `Dangerous-Workflow` check](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow). When this control was refactored into assessment criteria, we ended...
as I stated in https://github.com/ossf/security-baseline/pull/427/files#r2565105191, when doing these mappings, I'd sort them into COMPLETE (coverage), PARTIAL (Coverage), SUPPORTS (as I feel the case is here), or N/A NONE (does not...
Added UKSSCOP reference IDs and claims to multiple sections. Dependent upon merge of #426 BR mappings to UKSSCOP framework
Added new reference IDs under UKSSCOP and updated existing ones. Dependent upon merge of #426 QA mappings to UKSSCOP framework
Added UKSSCOP reference IDs and claims to multiple sections. Dependent upon merge of #426 VM mappings to UKSSCOP framework
Dependent upon merge of https://github.com/ossf/security-baseline/pull/426 AC mappings to UKSSCOP framework
As discussed in the 2025-11-25 meeting, correct the recommendation for OSPS-BR-03.02.
The checklist contains various controls for which either - I don't know if it's the case (e.g. OSPS-AC-01.01 and OSPS-AC-02.01) where it would be helpful if you could tell me...