laurent (@lsim99)'s Twitter Profile
laurent

@lsim99

Open source security @Google

ID: 1403060818984411137

Joined: 10-06-2021 18:50:24

114 Tweets

146 Followers

58 Following

Abhishek Arya (@infernosec):

Excited to welcome another builder to higher SLSA level compliance. Check out the #SLSA community blog post going into the details on how Google Cloud Build can help you with SLSA L3 compliance - slsa.dev/blog/2022/12/g…

Abhishek Arya (@infernosec):

Announcing OSV-Scanner: a tool that gives OSS developers easy access to vulnerability info relevant to their project using OSV.dev DB (16 ecosystems, 39K+ vulns). Also, integrated with Scorecards vulns check to give vulns in dependencies - security.googleblog.com/2022/12/announ…

Abhishek Arya (@infernosec):

Thanks GitHub for featuring the OpenSSF Scorecard project on the ReadME blog: "In Scorecard we trust" by Naveen Kumar S (Endor) & Brian Russell (GOSST). "If you're looking to start improving your software supply chain security, adopting Scorecard is a great first step" github.com/readme/guides/…

ianlewis@hachyderm.io 🥥🌴 (@ianmlewis):

deps.dev will now show SLSA provenance info for npm packages! Understanding where your dependencies come from is the first step towards improving the supply chain security of your projects. Great job deps.dev team! blog.deps.dev/npm-provenance/

ianlewis@hachyderm.io 🥥🌴 (@ianmlewis):

The OpenSSF SLSA Tooling SIG is happy to announce the beta of the Node.js builder that achieves SLSA Build L3 for npm packages! This has been a great collaboration with npm & GitHub to further enhance the supply chain security of the npm ecosystem. slsa.dev/blog/2023/05/b…
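The two posts above (deps.dev surfacing SLSA provenance for npm packages, and the Node.js builder producing SLSA Build L3 provenance) describe the producer side. The block below is an added example, written for this page and not code from any of the posters, the SLSA project, deps.dev or npm, showing the checks a consumer makes once it has a provenance statement in hand: the artifact hash must appear as a subject, the builder id must be a builder you trust, and the source repository must be the one you expect. The repository `example-org/example-pkg`, the package bytes, the provenance statement and the builder workflow path are all constructed or assumed here; real provenance is delivered in a signed DSSE envelope, and verifying that signature (via Sigstore) is a prerequisite this example deliberately leaves out.

```python
"""Consumer-side checks on a SLSA provenance statement for an npm tarball."""
import hashlib
import json

# Constructed stand-in for a downloaded npm tarball (not a real package).
ARTIFACT = b"constructed bytes standing in for example-pkg-1.2.3.tgz\n"

# Assumed identifiers, not taken from the page: a hypothetical repository and
# the workflow path of the builder we choose to trust. The builder is compared
# without its pinned @ref so that routine builder upgrades do not fail the check.
EXPECTED_REPO = "https://github.com/example-org/example-pkg"
EXPECTED_BUILDER = ("https://github.com/slsa-framework/slsa-github-generator"
                    "/.github/workflows/builder_nodejs_slsa3.yml")

# Constructed in-toto Statement v1 carrying a SLSA v1 provenance predicate.
# Real provenance arrives inside a DSSE envelope signed through Sigstore;
# verifying that envelope is a prerequisite this example does not cover.
PROVENANCE_JSON = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{
        "name": "pkg:npm/example-pkg@1.2.3",
        "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()},
    }],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {
                "workflow": {
                    "ref": "refs/tags/v1.2.3",
                    "repository": EXPECTED_REPO,
                    "path": ".github/workflows/release.yml",
                },
            },
        },
        "runDetails": {
            "builder": {"id": EXPECTED_BUILDER + "@refs/tags/v1.9.0"},
        },
    },
})


def _get(obj, *path):
    """Walk nested dicts along `path`, returning None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def verify_provenance(statement_json, artifact, expected_builder, expected_repo):
    """Return (ok, problems) for a provenance statement and the bytes it should cover.

    Checks: statement/predicate types, artifact digest bound as a subject,
    trusted builder id (ignoring its pinned @ref), and expected source repo.
    """
    st = json.loads(statement_json)
    problems = []
    if st.get("_type") != "https://in-toto.io/Statement/v1":
        problems.append("unexpected statement type: %r" % st.get("_type"))
    if st.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append("unexpected predicate type: %r" % st.get("predicateType"))
    # 1. The hash of what we downloaded must be one of the statement's subjects;
    #    a statement that does not name our bytes proves nothing about them.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(_get(s, "digest", "sha256") == digest for s in st.get("subject") or []):
        problems.append("artifact sha256 %s... not bound by any provenance subject" % digest[:12])
    # 2. Only the builder we trust may vouch for the build (L3 means the builder,
    #    not the project maintainers, controls the signing key).
    builder = _get(st, "predicate", "runDetails", "builder", "id") or ""
    if builder.split("@", 1)[0] != expected_builder:
        problems.append("untrusted builder id: %r" % builder)
    # 3. The build must have come from the repository we expect, or a trusted
    #    builder could still have built attacker-controlled source.
    repo = _get(st, "predicate", "buildDefinition", "externalParameters", "workflow", "repository")
    if repo != expected_repo:
        problems.append("source repository mismatch: %r" % repo)
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = verify_provenance(PROVENANCE_JSON, ARTIFACT, EXPECTED_BUILDER, EXPECTED_REPO)
    print("provenance ok" if ok else "provenance rejected: " + "; ".join(problems))
```

Tampering with a single byte of the artifact, or substituting a statement issued by any other builder id, makes `verify_provenance` return a non-empty problem list; the repository check is what stops a correctly signed statement for a different, attacker-owned repository from being accepted for this package.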

Mihai Maruseac (@mihaimaruseac):

Each dep brings others. Understanding the supply chain is as difficult as understanding the universe. Now we have a telescope: GUAC reaches its v0.1 release. Find more on Google's security blog and come and join us in solving swaths of supply chain problems: security.googleblog.com/2023/05/announ…

Marcela Melara, PhD (@mas0mel):

Reminder: The call for papers/talks for the 2nd ACM SCORED workshop on SW Supply Chain security is open until June 30! Security-in-practice talks and short research papers welcome! Call for papers/talks: scored.dev/call_for_paper… Submission site: scored2023.hotcrp.com

JamieDavis (@thedavisjam):

The deadline for the SCORED'23 workshop on software supply chain security is in about 2 weeks. That's enough time to put together a nice submission! scored.dev/call_for_paper…

Asra Ali (@asraentr0py):

Excited to announce a new SLSA builder I've been working on with Google's Project Oak that helps enable a transparent release process in Confidential Computing! security.googleblog.com/2023/06/bringi… Razieh Behjati 🇮🇷

laurent (@lsim99):

Join us for the first SLSA Bay Area meet-up on Nov 16 in SF. You'll learn about the latest news on the #slsa standard for supply-chain and how to use it to secure your SDLC and AI pipelines. Register and propose a talk tinyurl.com/bay-area-meetu…

Vijay Bolina (@vijaybolina):

Second, Google is expanding our open source security work with the OpenSSF by releasing new tools to protect the overall integrity of AI supply chains. (3/3) Sigstore for Models and Model Provenance. github.com/google/model-t…

Abhishek Arya (@infernosec):

Excited to announce the big milestone on #OSV: We have now enriched 30K vulns from NVD CVE DB and added first-class support for C/C++ ecosystem inside OSV-Scanner. Check out osv.dev/blog/posts/int…! One-stop community DB and scanner for all your OSS vulnerability scanning needs!

Tidelift (now Sonar) (@tidelift):

Tomorrow at 5pm PT! 📅 Sign up for the SLSA Bay Area meetup hosted by Google and GitHub and hear Tidelift (now Sonar) co-founder Luis Villa discuss Trusted Attestation and Compliance for Open Source (TACOS) 🌮 bit.ly/3umB0L5

laurent (@lsim99):

Refining our notion of "critical projects" by augmenting the dependency graph with authorship information blog.deps.dev/combining-depe… What other insights can we glean with dependency and git information? Let us know if you have ideas!

laurent (@lsim99):

Why SBOMs for OSS (package) libraries can't report accurate information about dependencies blog.deps.dev/zillions-of-sb…

Abhishek Arya (@infernosec):

Announcing the general availability of the V3 deps.dev API (All your OSS transitive dependencies belong to you!). Lot of new features like batch support, purl support, querying capabilities for new things like name similarity, SLSA attestations, etc! Check it out

laurent (@lsim99):

Amazing community collaboration: GitHub's Dependency review action now supports displaying and blocking PRs based on OpenSSF scorecard results github.com/actions/depend…

OpenSSF (@openssf):

Discover the power of Structured Results in the #OpenSSF blog: hubs.la/Q02t84mF0 Tailor your security approach with detailed insights for precise policy enforcement. 🛡️✨
