stacklok (@StackLokHQ) - Twitter Profile

Makers of open source and free-to-use products for developers to build safer software. Find us on Discord: https://t.co/1JgEotiVGw

ID: 1649442398445903873
Website: https://stacklok.com
Joined: 21-04-2023 15:58:36

295 Tweets | 440 Followers | 45 Following

stacklok (@StackLokHQ):

.@github's new Artifact Attestations feature uses @projectsigstore to generate and verify signed attestations for anything made with Actions. 👏👏 We've added support in Minder to use the contents of signed attestations for enhanced security policies: stacklok.com/blog/unlocking…
stacklok (@StackLokHQ):

Great post that explains why signatures and attestations matter for software security. For example, sigstore can create tamper-proof paper trails linking an artifact back to CI. (And thx for the shout-out about our work to help operate sigstore's public good instance!)

Luke Hinds (@decodebytes):

OSS: where an idea you have in the midst of the lockdown, from your shed-come-office, ends up securing huge swathes of the software. Nice to see stacklok get a nod towards efforts put into helping run the sigstore public infra along with maintaining the code itself.
stacklok (@StackLokHQ):

For #opensource maintainers with projects spanning 20+ repos, it's often manual and time-consuming to manage repo configuration. We built a policy template in Minder to automate this—you can customize it and apply it to your repos for free: cloud.stacklok.com
Nipun Gupta (@nipungupta):

Defining A Software Supply Chain Security Platform & Exploring New Techniques, Part 2, by yours truly ft Francis including:
- Attacks in the wild
- Secrets
- Dev Sec Workflows
- Next-gen SCA

S/O GitGuardian stacklok Backslash Security for 🤝

open.substack.com/pub/softwarean…

The Linux Foundation (@linuxfoundation):

Craig McLuckie from #Stacklok gives a keynote about navigating supply chain risk in a world of #AI assisted developers, LIVE at #ossummit.

View the schedule: events.linuxfoundation.org/open-source-su… #opensource
stacklok (@StackLokHQ):

(2/2) Our second announcement: Minder Cloud!

Having high-quality intelligence about open source packages is only as useful as an organization’s or a community’s ability to drive policies that shape developer behavior. That’s why we launched the open source software security…
stacklok (@StackLokHQ):

(1/2) 👋 We made some big announcements today at the #OSSummit. Here's the first.

Today, we're introducing the OSS Trust Graph, a way to model trust in #opensource ecosystems. It maps the connections between open source contributors and projects, and, through our…
Joab Jackson (@Joab_Jackson):

Since ChatGPT, “the number of hostile open source packages has gone through the roof” —@StackLokHQ’s @cmcluck. These hostile actors threaten to “undermine the trust in open source.” #OSSummit
stacklok (@StackLokHQ):

We're at #OSSummit this week! Stop by our booth in the Solutions Showcase to say hi and catch a demo of new Minder capabilities. (And grab some new socks 🙂 )

And don't miss @cmcluck's keynote on Weds at 10:20; he'll be talking about AI security and announcing some new…
stacklok (@StackLokHQ):

We're excited to see the open source Protobom project, originally created by Stacklok engineer puerco, officially launching today through a partnership with CISA, OpenSSF, and the Dept of Homeland Security.

SBOMs can be complex to use, because they have multiple data formats…
OpenSSF (@openssf):

Hayden Blauzvern from Google's open source security team discusses how Sigstore is prioritizing package managers as the main avenue for Sigstore adoption.
Learn more about Sigstore: openssf.org/projects/sigst… #SOSSCommunity
Brian Dussault (@briandussault):

I'm looking forward to attending Open Source Summit NA this week. I'll be at the stacklok booth, so swing by to say hi and learn about some new bits we'll be demoing.
The Linux Foundation
