Trusty is a free-to-use web app that provides data and scoring on the supply chain risk for open source packages.
Stacklok’s mission is to help open source communities and developers build safer software, and our team has deep roots in open source. We believe that contributing to open source is a necessary part of our everyday work. As part of their daily tasks, our company leaders, engineers, and PMs build, maintain, and contribute to open source projects, and lead open source initiatives that support upstream communities and advance open source security.
Below are some of the projects to which our team leads and contributes.
Minder by Stacklok is an open source platform that helps development teams and open source communities build more secure software, and prove to others that what you’ve built is secure.
Frizbee is a command-line tool to help you increase the security of GitHub Actions by helping you pin actions to commit SHAs (or checksums). Pinning actions to commit SHAs—rather than tags, which can be moved—ensures that you’re always pointing to the same known-good version of the code. Frizbee also provides checksums for container images, and includes a set of libraries for working with tags and checksums.
Chat about Minder, Trusty, Secure Supply Chain, OSS, Sigstore, Frizbee and all our other projects! All are welcome, especially first-timers to OSS!
A free weekly newsletter about software supply chain security. We cover security incidents, security tips, free and OSS tools, and updates on community and public sector initiatives you should know about. Brought to you by Stacklok.
sigstore is a set of tools developers, software maintainers, package managers and security experts can benefit from. Bringing together free-to-use open source technologies like Fulcio, Cosign and Rekor, it handles digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software.
Creator and maintainer, sigstore
@lukehinds
On-call rotation for sigstore's public good instance
@evankanderson
Contributor
@rdimitrov
Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications.
Protobom is a project that offers a universal, format-neutral SBOM I/O layer designed to work with SBOM data in a unified way. The project frees developers from caring about the nuisance of ingesting and writing SBOMs.
Creator and Technical Lead
@puerco
The Update Framework (TUF) helps developers maintain the security of software update systems, providing protection even against attackers that compromise the repository or signing keys. TUF provides a flexible framework and specification that developers can adopt into any software update system.
Maintainer (go-tuf and repository-service-tuf)
@rdimitrov
OpenVEX is an implementation of the Vulnerability Exploitability Exchange (VEX) that is designed to be minimal, compliant, interoperable, and embeddable.
Creator and Technical Lead
@puerco
Bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report. Bandit was originally developed within the OpenStack Security Project and later rehomed to PyCQA.
Maintainer
@lukehinds
Keylime is an open source scalable trust system. It provides an end-to-end solution for bootstrapping hardware-rooted cryptographic trust for remote machines, the provisioning of encrypted payloads, and run-time system integrity monitoring. It also provides a flexible framework for the remote attestation of any given PCR (Platform Configuration Register). Users can create their own customized actions that will trigger when a machine fails its attested measurements.
Maintainer
@lukehinds
A library that provides cryptographic and general-purpose functions for Go Secure Systems Lab projects at NYU.
Contributor
@rdimitrov
libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language that supports C bindings.
Maintainer
@ethomson
The Open Source Security Foundation (OpenSSF) seeks to make it easier to sustainably secure the development, maintenance, and consumption of the open source software (OSS) we all depend on. This includes fostering collaboration, establishing best practices, and developing innovative solutions.
OpenSSF Governing Board Member / former member, OpenSSF Technical Advisory Council
@lukehinds
The Cloud Native Computing Foundation (CNCF) is the open source, vendor-neutral hub of cloud native computing, hosting projects like Kubernetes and Prometheus to make cloud native universal and sustainable.
Founder
@craigmcl
The Knative Steering Committee (KSC) is responsible for the general health of the Knative community.
Member, Steering Committee
@evankanderson
"Open source is a massive part of our company culture and identity. We aim to build our own products in the open, and make them freely available to use. We also prioritize engineering time to contribute to and maintain critical open source security projects like sigstore and TUF, to help those projects continue to grow and thrive."
Craig McLuckie
Stacklok CEO and Kubernetes co-creator
"Almost every bit of technology depends on open source at some point in its lifecycle. For me, giving back by contributing to open source as a maintainer is about committing to the sustainability of software engineering."
Evan Anderson
Stacklok Principal Engineer