laurent

112 posts

@lsim99

Open source security @Google

Joined June 2021
58 Following 144 Followers
laurent retweeted
OpenSSF @openssf
Discover the power of Structured Results in the #OpenSSF blog: hubs.la/Q02t84mF0 Tailor your security approach with detailed insights for precise policy enforcement. 🛡️✨
laurent @lsim99
Amazing community collaboration: GitHub's Dependency review action now supports displaying and blocking PRs based on OpenSSF scorecard results github.com/actions/depend…
laurent retweeted
Abhishek Arya @infernosec
Announcing the general availability of the V3 deps.dev API (All your OSS transitive dependencies belong to you!). Lot of new features like batch support, purl support, querying capabilities for new things like name similarity, SLSA attestations, etc! Check it out at blog.deps.dev/api-v3/
laurent @lsim99
Refining our notion of "critical projects" by augmenting the dependency graph with authorship information blog.deps.dev/combining-depe… What other insights can we glean with dependency and git information? Let us know if you have ideas!
laurent retweeted
Abhishek Arya @infernosec
Excited to announce the big milestone on #OSV: We have now enriched 30K vulns from NVD CVE DB and added first-class support for C/C++ ecosystem inside OSV-Scanner. Check out osv.dev/blog/posts/int…! One-stop community DB and scanner for all your OSS vulnerability scanning needs!
laurent retweeted
Vijay Bolina @vijaybolina
second, @Google is expanding our open source security work with the @openssf by releasing new tools to protect the overall integrity of AI supply chains. (3/3) Sigstore for Models and Model Provenance. github.com/google/model-t…
laurent @lsim99
Join us for the first SLSA Bay Area meet-up on Nov 16 in SF. You'll learn about the latest news on the #slsa standard for supply-chain and how to use it to secure your SDLC and AI pipelines. Register and propose a talk tinyurl.com/bay-area-meetu…
laurent retweeted
Marcela Melara, PhD @mas0mel
5 days left to submit your papers or security-in-practice talks to the SCORED ‘23 workshop!
laurent retweeted
JamieDavis @TheDavisJam
The deadline for the SCORED'23 workshop on software supply chain security is in about 2 weeks. That's enough time to put together a nice submission! scored.dev/call_for_paper…
laurent retweeted
Marcela Melara, PhD @mas0mel
Reminder: The call for papers/talks for the 2nd ACM SCORED workshop on SW Supply Chain security is open until June 30! Security-in-practice talks and short research papers welcome! Call for papers/talks: scored.dev/call_for_paper… Submission site: scored2023.hotcrp.com
laurent retweeted
Mihai Maruseac @mihaimaruseac
Each dep brings others. Understanding the supply chain is as difficult as understanding universe. Now we have a telescope: GUAC reaches its v0.1 release. Find more on Google's security blog and come and join us in solving swaths of supply chain problems: security.googleblog.com/2023/05/announ…
laurent retweeted
Abhishek Arya @infernosec
Thanks @github for featuring @theopenssf Scorecard project on ReadME blog - "In Scorecard we trust" by @snaveen (Endor) & Brian Russell (GOSST). "If you’re looking to start improving your software supply chain security, adopting Scorecard is a great first step" github.com/readme/guides/…
laurent retweeted
Abhishek Arya @infernosec
Announcing OSV-Scanner: a tool that gives OSS developers easy access to vulnerability info relevant to their project using OSV.dev DB (16 ecosystems, 39K+ vulns). Also, integrated with Scorecards vulns check to give vulns in dependencies - security.googleblog.com/2022/12/announ…
laurent retweeted
Abhishek Arya @infernosec
Excited to welcome another builder to higher SLSA level compliance. Check out the #SLSA community blog post going into the details on how @googlecloud build can help you with SLSA L3 compliance - slsa.dev/blog/2022/12/g…
laurent @lsim99
Super excited to announce another milestone for SLSA: Google GCB level 3 provenance for your containers can now be verified via the open-source, community-developed github.com/slsa-framework…. Check out the blog post slsa.dev/blog/2022/12/g…!. Stay tuned, more coming up soon!