Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .ruby-version
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
3.3.11
954 changes: 954 additions & 0 deletions _data/architecture_records.yml

Large diffs are not rendered by default.

61 changes: 61 additions & 0 deletions _data/artifacts.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
# OpenSSF output formats (SLSA Provenance, SBOM, VEX, ...). Each
# entry maps to /artifacts/<id>/. Imported from sibling research catalog.

- id: in-toto-attestation
name: "in-toto Attestation"
url: https://github.com/in-toto/attestation
description: >-
The signed-envelope format that SLSA Provenance and other supply-chain attestations ship in. Defines the predicate/statement structure and signature wrapper used by every conforming attestation.
sdlc_stages: []
supply_chain_actors: []
categories: ["specification"]

- id: osv-record
name: "OSV Record (vulnerability record format)"
aliases: ["OSV Record"]
url: https://ossf.github.io/osv-schema/
description: >-
The serialised vulnerability-record format produced by OSV-aligned databases (osv.dev, GHSA, PyPA, Go vuln DB) and consumed by vuln scanners and SCA tools. Distinct from the `osv-schema` project, which is the authoring effort defining the f…
sdlc_stages: ["dependencies"]
supply_chain_actors: ["software-consumer"]
categories: ["data-source", "specification"]

- id: sarif
name: "SARIF"
aliases: ["Static Analysis Results Interchange Format"]
url: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
description: >-
An OASIS standard JSON format for representing static analysis tool results. Consumed by code-scanning UIs (e.g. GitHub Code Scanning) and produced by linters, scanners, and policy tools such as Scorecard.
sdlc_stages: ["source"]
supply_chain_actors: ["software-producer"]
categories: ["specification"]

- id: sbom
name: "Software Bill of Materials"
aliases: ["SBOM"]
url: https://www.cisa.gov/sbom
description: >-
A machine-readable inventory of the components contained in a software artifact. Multiple authoritative formats exist (CycloneDX, SPDX); this record models the SBOM concept itself rather than any single format.
sdlc_stages: ["consumer", "distribution"]
supply_chain_actors: ["software-consumer", "software-distributor"]
categories: ["specification"]

- id: slsa-provenance
name: "SLSA Provenance"
url: https://slsa.dev/spec/v1.0/provenance
description: >-
Cryptographically attested record of how a software artifact was built, including the build platform identity, source revision, build parameters, and the resulting artifact digest.
sdlc_stages: ["build"]
supply_chain_actors: ["software-producer"]
categories: ["specification"]

- id: vex
name: "Vulnerability Exploitability eXchange"
aliases: ["VEX"]
url: https://www.cisa.gov/resources-tools/resources/vulnerability-exploitability-exchange-vex-use-cases
description: >-
A machine-readable statement asserting whether a known vulnerability affects a given software artifact (and under what conditions). Pairs with SBOM and OSV records to reduce false-positive vuln signal.
sdlc_stages: ["consumer"]
supply_chain_actors: ["software-consumer"]
categories: ["specification"]

42 changes: 42 additions & 0 deletions _data/categories.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
# Category enum (mirrors feature 005's 8-value enum).

- id: specification
name: "Specification"
description: >-
A normative document defining an interface, format, or process.

- id: tooling
name: "Tooling"
description: >-
An executable tool, library, or CLI that does work for a user.

- id: best-practices
name: "Best Practices"
description: >-
Curated guidance and frameworks for adoption (not a normative spec).

- id: framework
name: "Framework"
description: >-
A coordinated bundle of guidance, tooling, and processes — broader than a single spec.

- id: service
name: "Service"
description: >-
A hosted offering — connect to rather than install.

- id: data-source
name: "Data Source"
description: >-
A maintained dataset other tooling consumes.

- id: education
name: "Education"
description: >-
Materials whose primary product is human learning.

- id: governance
name: "Governance"
description: >-
Cross-cutting governance, risk, compliance, advocacy, or policy work.

4 changes: 4 additions & 0 deletions _data/navigation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,5 +6,9 @@
url: /problems/
- title: Projects
url: /projects/
- title: Artifacts
url: /artifacts/
- title: Architecture
url: /architecture/
- title: About
url: /about/
115 changes: 115 additions & 0 deletions _data/projects.yml
Original file line number Diff line number Diff line change
Expand Up @@ -525,3 +525,118 @@
- sigstore
compatible_with:
- rstuf
# Append these to community/_data/projects.yml.
# Imported from sibling research catalog 2026-06-28.

- id: bomctl
name: "Bomctl"
url: https://openssf.org/projects/bomctl/
description: >-
Bridges the gap between SBOM generation tools and SBOM analysis/consumption tools, providing format-aware SBOM manipulation.
personas: []
problems: []

- id: fuzz-introspector
name: "Fuzz Introspector"
url: https://openssf.org/projects/fuzz-introspector/
description: >-
Improves the fuzzing experience for projects by providing visibility into fuzzer coverage and reachability.
personas: []
problems: []

- id: fuzzingbrain
name: "FuzzingBrain"
url: https://docs.google.com/document/d/1OxjsWHO2v8SfzG4KkqyJEAy8yn1GA1yjgN7QCm6q85Q/edit
description: >-
An OSSF project approved by the TAC and currently in LF legal formation; public documentation is not yet available, so scope and classification are provisional.
personas: []
problems: []

- id: gemara
name: "Gemara"
url: https://openssf.org/projects/gemara/
description: >-
Models categorical layers of automated governance activities, providing a framework for expressing security and compliance controls in a machine-readable way.
personas: []
problems: []

- id: gittuf
name: "gittuf"
url: https://openssf.org/projects/gittuf/
description: >-
Applies TUF-style signing and metadata to Git repositories to protect repository contents from unauthorized or malicious changes.
personas: []
problems: []

- id: in-toto
name: "in-toto"
url: https://in-toto.io/
description: >-
A framework for cryptographically attesting supply-chain steps. Defines the in-toto attestation envelope that SLSA Provenance and other signed-statement formats ship in.
personas: []
problems: []

- id: openssf-model-signing
name: "OpenSSF Model Signing"
url: https://openssf.org/projects/model-signing/
description: >-
Provides a library and CLI for signing and verifying machine-learning models, extending supply-chain integrity practices to AI artifacts.
personas: []
problems: []

- id: oss-crs
name: "OSS-CRS"
url: https://openssf.org/projects/oss-crs/
description: >-
A framework for LLM-based bug-finding and bug-fixing systems applied to open source software, exploring autonomous vulnerability discovery and remediation.
personas: []
problems: []

- id: package-analysis
name: "Package Analysis"
url: https://openssf.org/projects/package-analysis/
description: >-
Dynamically and statically analyzes packages from open source package registries to detect malicious behavior such as credential exfiltration and backdoors.
personas: []
problems: []

- id: sbomit
name: "SBOMit"
url: https://openssf.org/projects/sbomit/
description: >-
A format-independent component-attestation method that ties SBOM contents to verifiable build-time observations, improving SBOM trustworthiness.
personas: []
problems: []

- id: secure-agentic-framework
name: "Secure Agentic Framework"
url: https://docs.google.com/document/d/1OxjsWHO2v8SfzG4KkqyJEAy8yn1GA1yjgN7QCm6q85Q/edit
description: >-
An OSSF project approved by the TAC and currently in LF legal formation; public documentation is not yet available, so scope and classification are provisional.
personas: []
problems: []

- id: slsa-github-generator
name: "slsa-github-generator"
url: https://github.com/slsa-framework/slsa-github-generator
description: >-
Reference implementations of SLSA Level 3 build provenance generators for GitHub Actions. Produces signed in-toto attestations bound to the builder identity per the SLSA build track.
personas: []
problems: []

- id: slsa-verifier
name: "slsa-verifier"
url: https://github.com/slsa-framework/slsa-verifier
description: >-
Reference implementation of the SLSA Provenance verifier. Consumes signed in-toto attestations, validates the builder identity, and enforces SLSA build-level expectations on incoming artefacts.
personas: []
problems: []

- id: zarf
name: "Zarf"
url: https://openssf.org/projects/zarf/
description: >-
Enables continuous software delivery onto air-gapped, disconnected, or otherwise constrained systems by bundling applications and their dependencies into portable packages.
personas: []
problems: []

33 changes: 33 additions & 0 deletions _data/sdlc_stages.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
# Canonical SDLC stage enum (matches the SLSA stage taxonomy with a
# producer prefix for the engineer's workstation).

- id: producer
name: Producer
description: >-
The engineer and their workstation — local tooling, dev environment, identity hygiene.

- id: source
name: Source
description: >-
The source repository and the SCM platform that hosts it.

- id: build
name: Build
description: >-
The CI/CD platform and the project's build configuration.

- id: distribution
name: Distribution
description: >-
The artifact registry and the project's published artefacts.

- id: consumer
name: Consumer
description: >-
The end-user environment and the project as it runs downstream.

- id: dependencies
name: Dependencies
description: >-
The recursive supply-chain loop — every consumer is also a producer.

62 changes: 62 additions & 0 deletions _data/sidebar.yml
Original file line number Diff line number Diff line change
Expand Up @@ -74,5 +74,67 @@
url: /projects/sigstore/
- title: SLSA
url: /projects/slsa/
- title: bomctl
url: /projects/bomctl/
- title: Fuzz Introspector
url: /projects/fuzz-introspector/
- title: FuzzingBrain
url: /projects/fuzzingbrain/
- title: Gemara
url: /projects/gemara/
- title: gittuf
url: /projects/gittuf/
- title: in-toto
url: /projects/in-toto/
- title: OpenSSF Model Signing
url: /projects/openssf-model-signing/
- title: OSS-CRS
url: /projects/oss-crs/
- title: Package Analysis
url: /projects/package-analysis/
- title: SBOMit
url: /projects/sbomit/
- title: Secure Agentic Framework
url: /projects/secure-agentic-framework/
- title: slsa-github-generator
url: /projects/slsa-github-generator/
- title: slsa-verifier
url: /projects/slsa-verifier/
- title: Zarf
url: /projects/zarf/
- title: Browse by Artifact
url: /artifacts/
children:
- title: in-toto Attestation
url: /artifacts/in-toto-attestation/
- title: OSV Record
url: /artifacts/osv-record/
- title: SARIF
url: /artifacts/sarif/
- title: SBOM (Software Bill of Materials)
url: /artifacts/sbom/
- title: SLSA Provenance
url: /artifacts/slsa-provenance/
- title: VEX (Vulnerability Exploitability eXchange)
url: /artifacts/vex/
- title: Browse by Architecture View
url: /architecture/
children:
- title: SLSA v1.2 Threats × OSSF Coverage
url: /architecture/slsa-threats/
- title: Secure Production (producer pillar)
url: /architecture/secure-production/
- title: Secure Distribution (distributor pillar)
url: /architecture/secure-distribution/
- title: Secure Consumption (consumer pillar)
url: /architecture/secure-consumption/
- title: Stewardship (other / governance pillar)
url: /architecture/stewardship/
- title: Overview — full catalog
url: /architecture/overview/
- title: TAC summary
url: /architecture/tac-summary/
- title: Architecture gaps
url: /architecture/gaps/
- title: About
url: /about/
24 changes: 24 additions & 0 deletions _data/supply_chain_actors.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
# Canonical supply-chain actor enum. Distinct from the existing
# `personas` list (which is end-user-role-based); these are
# supply-chain position-based.

- id: software-producer
name: "Software Producer"
description: >-
Maintainers, contributors — the humans and orgs producing software.

- id: software-distributor
name: "Software Distributor"
description: >-
Package forges, source forges, registries — the systems that move software.

- id: software-consumer
name: "Software Consumer"
description: >-
Manufacturers, end users — the humans and orgs that depend on software produced by others.

- id: other
name: "Other (Governance / Risk / Compliance / Policy)"
description: >-
Cross-cutting governance, advocacy, policy, and compliance work.

26 changes: 26 additions & 0 deletions _data/threat_categories.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
# SLSA v1.2 threat category headers.

- letter: A
name: "Producer"
- letter: B
name: "Modifying the Source"
- letter: C
name: "Source Code Management"
- letter: D
name: "External Build Parameters"
- letter: E
name: "Build Process"
- letter: F
name: "Artifact Publication"
- letter: G
name: "Distribution Channel"
- letter: H
name: "Package Selection"
- letter: I
name: "Usage"
- letter: J
name: "Dependencies"
- letter: K
name: "Availability"
- letter: L
name: "Verification"
Loading