security-baseline
Similar to the [FINOS Common Cloud Controls](https://github.com/finos/common-cloud-controls/blob/main/catalogs/core/ccc/threats.yaml), we should add a catalog of threats that we tie Baseline controls to. From there, we can validate the applicability of controls, including...
Most, perhaps all, of the legal requirements are not meaningfully attached to security threats. While they're all good things for projects to do, they seem out of scope for a...
I went through the checklist for a project and found myself thinking "haven't I answered this already?" several times; in most cases this happened because a control built on an...
Does it mean "if there has ever been a release do X" or "for every release do X"? For some controls the former makes sense (e.g. OSPS-SA-03.02) while for other...
Reading the baseline entries, the "while active" items felt somewhat arbitrary (and unclear as to its meaning - EOL? Developers haven't done anything for 2 weeks?). For example, an inactive...
nit: I infer the git tag will follow the date schema? Directly or will it use the v convention to avoid starting with a digit? _Originally posted by @puerco in...
`oscal` command uses `out`. `compile` uses `output`. It's friendlier to the user if they match.
In support of #409, we can use KubeCon NA as a place to get people in the same room to start creating our list of threats.
**Addition Suggestion** CISA's new [proposed minimal sbom elements](https://www.cisa.gov/resources-tools/resources/2025-minimum-elements-software-bill-materials-sbom) shows they intend to require SBOMs contain licensing elements. I would recommend adding a 1st or 2nd level Baseline along the lines...
**Merger Suggestion 2**

> _OSPS-LE-03.01_: While active, the license for the source code MUST be maintained in the corresponding repository's LICENSE file, COPYING file, or LICENSE/ directory.
> _OSPS-LE-03.02_: While...