Zach Steindler (@steiza)'s Twitter Profile
Zach Steindler

@steiza

Hacker, cooker, hiker

ID: 18038422

Link: https://a2mi.social/web/@steiza
Joined: 11-12-2008 02:33:26

260 Tweets

519 Followers

386 Following

Scott Piper (@0xdabbad00):

New parliament 1.5.0 release. Checks added for: - Single value condition too permissive (confusing IAM detail of ForAllValues), 🙏 patrobinson. See docs.aws.amazon.com/IAM/latest/Use… - Resource effectively *. 🙏 raghavkaul github.com/duo-labs/parli…

GitHub (@github):

We've integrated sigstore support for container image signing into the GitHub Actions starter workflow, so that developers can sign their container images by default. Check out the details! github.blog/2021-12-06-saf…

Zach Steindler (@steiza):

This was a fun collaboration with the GitHub Docs team! Let us know what other security topics you'd like to see guides for.

Zach Steindler (@steiza):

No new emoji flags, based on this post from the Unicode Emoji Subcommittee Chair (which has to be one of the best job titles I've ever heard): blog.unicode.org/2022/03/the-pa… cc 99 Percent Invisible Brady Haran CGP Grey 🐝

GitHub (@github):

Want to use GitHub-hosted Actions runners, but need to access resources on your private network? You’re in luck! We’ve documented 3 ways to do it ⬇️. github.co/3NbDkJE

Zach Steindler (@steiza):

Want to secure your builds, in the cloud, without scattering API keys everywhere? Come see my talk in ~25 minutes: youtube.com/watch?v=YHZdkp… or see my slides after at coffeehousecoders.org/blog/cloud_bui… #fwdcloudsec

sMyle (🦋 @myles.dev) (@mylesborins):

Extremely excited about this. The npm team has been collaborating with GitHub's package security team for months putting together an RFC to improve the auditability and trust of npm packages using Sigstore and trusted build infrastructure github.blog/2022-08-08-new…

Clint Gibler (@clintgibler):

✍️ Sigstore project announces general availability and v1.0 releases. Two of Sigstore's foundational projects, Fulcio and Rekor, published v1.0 releases as well. Zach Steindler on why GitHub is excited: github.blog/2022-10-25-why… By Dave Lester, Bob Callaway: opensource.googleblog.com/2022/10/sigsto…

Clint Gibler (@clintgibler):

🗒️ gh-sbom A gh CLI extension that outputs JSON SBOMs (in SPDX or CycloneDX format) for your GitHub repository github.com/advanced-secur…

OpenSSF (@openssf):

Today we're proud to announce the release of version 1.0 of SLSA 🎉 Supply-chain Levels for Software Artifacts is an OpenSSF project that provides specifications for software supply chain security, established by community expert consensus. #OSSecurity

Zach Steindler (@steiza):

Big day for open source security! npm worked with the open source project Sigstore to put together a beta of provenance, verifiably tying npm packages back to their source code and build instructions: github.blog/2023-04-19-int…

Zach Steindler (@steiza):

Last week was a big one for open source security: - slsa.dev/blog/2023/04/s… - github.blog/2023-04-19-int… - blog.pypi.org/posts/2023-04-… ... and yet, there's so much more to do. I'm excited to serve on the 2023 OpenSSF TAC!

OpenSSF (@openssf):

We Want to Hear from You 🔊👂➡️ Take the OpenSSF Software Security Awareness Survey openssf.org/blog/2023/05/1…

Zach Steindler (@steiza):

Looking at push activity is so much better than individual commits. Pushes are authenticated, unlike commit author identity. Looking at pushes you can more easily verify security practices, like requiring reviews (see slsa.dev/spec/v1.0/futu…). Excited to see where this goes!