Project incubation application for Secure Supply Chain Consumption Framework (S2C2F)

It is the shared view of the S2C2F Technical Steering Committee that S2C2F meets the requirements of an Incubation project within the OpenSSF.

Lifecycle History of S2C2F within OpenSSF

The S2C2F was first contributed to OpenSSF in August 2022. It joined OpenSSF as a SIG within the Supply Chain Integrity WG. Upon contribution, a detailed IP policy and license review was performed. On Feb 1, 2024, the S2C2F graduated from a SIG to a Project with the adoption of a Technical Charter.

List of project maintainers

The project must have a minimum of three maintainers with a minimum of two different organizational affiliations.

| GitHub handle | Name | Organization |
|---|---|---|
| adriandiglio | Adrian Diglio | Microsoft |
| camaleon2016 | Jay White | Microsoft |
| tombedfordgit | Tom Bedford | Bloomberg |
| jasminewang0 | Jasmine Wang | Microsoft |

Mission of the project

The mission of the Secure Supply Chain Consumption Framework (S2C2F) project is to give any software development team or organization across the industry a clear framework for securely consuming Open Source Software (OSS) dependencies into the developer's workflow, helping to mitigate the risk of OSS supply chain attacks and vulnerabilities.

Project adoption

  • "Most granular, and least ambiguous, is S2C2F, which provides real life examples. Love the maturity levels, so they can establish a baseline and build on it over time. S2C2F has so far been one of the more useful frameworks that they can adopt at scale everywhere. It helps describe things in a consistent way to non-technical folks, and has proven extremely useful. The existence of S2C2F has made what would have been a headache for my role, much simpler." -Tom Bedford, Bloomberg
  • "Dell is using the S2C2F to build their plans to secure their open source supply chain." -Sarah Evans, Dell
  • CloudSmith is using the S2C2F to influence their product roadmap so that customers of CloudSmith meet S2C2F requirements just by using their product.
  • NSA Enduring Security Framework (ESF) published the Recommended Practices for Managing Open-Source Software and Software Bill of Materials, which references the S2C2F as an industry framework that aligns with their recommendations.
  • The book Software Transparency: Supply Chain Security in an Era of a Software-Driven Society dedicates an entire chapter to S2C2F and its role in securing the supply chain.

Governance

TAC sponsor and Supply Chain Integrity WG Sponsor

  • TAC sponsor: mlieberman85 (Michael Lieberman, Kusari)
  • WG sponsor: camaleon2016 (Jay White, Microsoft)

Project References

| Reference | URL |
|---|---|
| Repo | https://github.com/ossf/s2c2f |
| Contributing guide | https://github.com/ossf/s2c2f/blob/main/Contributing.md |
| Roadmap | https://github.com/ossf/s2c2f/blob/main/community/Roadmap.md |
| FAQ | https://github.com/ossf/s2c2f/blob/main/FAQ.md |
| Meeting Notes | https://docs.google.com/document/d/10Q_VOvKsGaYJoK-5yJY4868mTkYZjEo-6xV6ghYS84k/edit?usp=sharing |