{"id":13717830,"url":"https://github.com/OWASP/Software-Component-Verification-Standard","last_synced_at":"2025-05-07T08:30:35.822Z","repository":{"id":47432245,"uuid":"204964086","full_name":"OWASP/Software-Component-Verification-Standard","owner":"OWASP","description":"Software Component Verification Standard (SCVS)","archived":false,"fork":false,"pushed_at":"2025-04-01T19:23:27.000Z","size":7060,"stargazers_count":142,"open_issues_count":11,"forks_count":40,"subscribers_count":31,"default_branch":"master","last_synced_at":"2025-04-01T19:42:28.869Z","etag":null,"topics":["best-practices","cscrm","open-source","owasp","scrm","scvs","software-supply-chain","supply-chain"],"latest_commit_sha":null,"homepage":"https://owasp.org/scvs","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc-by-sa-4.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OWASP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-08-28T15:27:27.000Z","updated_at":"2025-03-25T22:04:58.000Z","dependencies_parsed_at":"2022-08-12T13:40:13.582Z","dependency_job_id":"bb19c918-fe98-4758-ac46-c60b7c338603","html_url":"https://github.com/OWASP/Software-Component-Verification-Standard","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FSoftware-Component-Verification-Standard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FSoftware-Component-Verification-Standard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FSoftware-Component-Verification-Standard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FSoftware-Component-Verification-Standard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OWASP","download_url":"https://codeload.github.com/OWASP/Software-Component-Verification-Standard/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252842369,"owners_count":21812656,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["best-practices","cscrm","open-source","owasp","scrm","scvs","software-supply-chain","supply-chain"],"created_at":"2024-08-03T00:01:27.776Z","updated_at":"2025-05-07T08:30:34.563Z","avatar_url":"https://github.com/OWASP.png","language":"Python","funding_links":[],"categories":["Frameworks and best practice references"],"sub_categories":["Supply chain beyond libraries"],"readme":"[![Build Status](https://github.com/OWASP/Software-Component-Verification-Standard/workflows/CI%20Build/badge.svg)](https://github.com/OWASP/Software-Component-Verification-Standard/actions?workflow=CI+Build)\n![GitHub](https://img.shields.io/github/license/OWASP/Software-Component-Verification-Standard)\n[![Slack](https://img.shields.io/badge/chat%20on-slack-46BC99.svg)](https://owasp.slack.com/messages/project-scvs)\n[![Twitter](https://img.shields.io/twitter/follow/owasp_scvs.svg?label=Follow\u0026style=social)](https://twitter.com/owasp_scvs)\n\n# OWASP Software Component Verification Standard\n\nThe Software Component Verification Standard (SCVS) is a community-driven effort to\nestablish a framework for identifying activities, controls, and best practices, which can help in identifying and\nreducing risk in a software supply chain.\n\nManaging risk in the software supply chain is important to reduce the surface area of systems vulnerable to exploits,\nand to measure technical debt as a barrier to remediation. \n\nMeasuring and improving software supply chain assurance is crucial for success. Organizations with supply chain visibility\nare better equipped to protect their brand, increase trust, reduce time-to-market, and manage costs in the event of a\nsupply chain incident.\n\nSoftware supply chains involve:\n - technology\n - people\n - processes\n - institutions\n - and additional variables\n \nRaising the bar for supply chain assurance requires the active participation of\nrisk managers, mission owners, and business units like legal and procurement, which have not traditionally been involved\nwith technical implementation. \n\nDetermination of risk acceptance criteria is not a problem that can be solved by enterprise tooling: it is up to risk\nmanagers and business decision makers to evaluate the advantages and trade-offs of security measures based on system\nexposure, regulatory requirements, and constrained financial and human resources. Mandates that are internally\nunachievable, or that bring development or procurement to a standstill, constitute their own security and institutional\nrisks. \n\nSCVS is designed to be implemented incrementally, and to allow organizations to\nphase in controls at different levels over time.\n\n### SCVS has the following goals:\n\n* Develop a common set of activities, controls, and best-practices that can reduce risk in a software supply chain\n* Identify a baseline and path to mature software supply chain vigilance\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOWASP%2FSoftware-Component-Verification-Standard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FOWASP%2FSoftware-Component-Verification-Standard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOWASP%2FSoftware-Component-Verification-Standard/lists"}