{"id":18508478,"url":"https://github.com/ossf/wg-supply-chain-integrity","last_synced_at":"2026-02-25T18:38:05.105Z","repository":{"id":40553779,"uuid":"277614573","full_name":"ossf/wg-supply-chain-integrity","owner":"ossf","description":"Our objective is to enable open source maintainers, contributors and end-users to understand and make decisions on the provenance of the code they maintain, produce and use.","archived":false,"fork":false,"pushed_at":"2026-01-15T15:29:55.000Z","size":230,"stargazers_count":195,"open_issues_count":11,"forks_count":36,"subscribers_count":53,"default_branch":"main","last_synced_at":"2026-01-15T19:11:36.154Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://openssf.org","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ossf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"code-of-conduct.md","threat_model":"threat_models.md","audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":"governance/CHARTER.md","roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-07-06T18:07:07.000Z","updated_at":"2026-01-15T15:30:03.000Z","dependencies_parsed_at":"2024-02-16T22:38:54.556Z","dependency_job_id":null,"html_url":"https://github.com/ossf/wg-supply-chain-integrity","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ossf/wg-supply-chain-integrity","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fwg-supply-chain-integrity","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fwg-supply-chain-integrity/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fwg-supply-chain-integrity/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fwg-supply-chain-integrity/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ossf","download_url":"https://codeload.github.com/ossf/wg-supply-chain-integrity/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fwg-supply-chain-integrity/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29834631,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-25T17:57:15.019Z","status":"ssl_error","status_checked_at":"2026-02-25T17:56:11.472Z","response_time":61,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T15:14:31.638Z","updated_at":"2026-02-25T18:38:05.100Z","avatar_url":"https://github.com/ossf.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Supply Chain Integrity WG\n\n## Objective\n\nThe objective of the Supply Chain Integrity Working Group (WG) is to provide a global community for collaborating to help individuals and organizations assess and improve the security of end-to-end supply chains for open source software.\n\n## Motivation\n\nSupply chain issues and attacks cause significant damage worldwide including lost revenue, costs of ransomware payments, costs of mitigation, denial of access to resources, reduced customer trust, and public deception. As a matter of public trust, governments are beginning to mandate actions aimed at improving the security and integrity of supply chains. The [US White House Executive Order on Improving the Nation’s Cybersecurity](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/) is one such example.\n\n## Communications\n\nWe have a public email list available here: https://lists.openssf.org/g/openssf-supply-chain-integrity\n\nSee Google Groups for past archive: https://groups.google.com/forum/#!forum/ossf-wg-developer-identity\n\nYou can also join our Slack channel at https://openssf.slack.com/messages/wg_supply_chain_integrity\n\n## Meetings Times\n\nThe working group meets every other Wednesday at 9 AM Pacific. The public calendar is available here: https://calendar.google.com/calendar/embed?src=s63voefhp5i9pfltb5q67ngpes%40group.calendar.google.com\u0026ctz=America%2FLos_Angeles\n\nSubscribe to the calendar for meeting details.\n\n## Meetings Notes\n\nMeeting Notes and Agendas are available on [Google Drive](https://docs.google.com/document/d/1moVFPn5pLi-uGs840_YBCrwdpHajU0ptFmlL4F9GryQ/edit).\n\n## Documents\n\n* [User Stories](https://docs.google.com/document/d/1_TQizML8sXAm3OdoNA_plihZ14OHng_XRvJXKv_o_bs/edit?usp=sharing)\n\n## Activities\n\n* [Supply-chain Levels for Software Artifacts (SLSA, pronounced ”salsa”)](https://slsa.dev/) - see also the [SLSA repository](https://github.com/slsa-framework/slsa)\n* [SLSA Tooling Project](slsa-tooling.md)\n* [Factory for Repeatable Secure Creation of Artifacts (FRSCA, pronounced \"fresca\")](https://buildsec.github.io/frsca) - see also the [FRSCA repository](https://github.com/buildsec/frsca)\n* [Secure Supply Chain Consumption Framework (S2C2F)](https://github.com/ossf/s2c2f)\n* Supply Chain Integrity Positioning Special Interest Group (SIG)\n* [gittuf: A security layer for Git repositories](https://github.com/gittuf/gittuf)\n* [Graph for Understanding Artifact Composition (GUAC)](https://guac.sh) - see also the [GUAC repository](https://github.com/guacsec/guac)\n* [Zarf: Secure Software Delivery to Disconnected Systems](https://zarf.dev) - see also the [Zarf repository](https://github.com/zarf-dev/zarf)\n\nOlder activities (as Digital Identity Attestation WG):\n  * [Former Digital Identity Attestation WG Readme](https://github.com/ossf/wg-supply-chain-integrity/blob/0804679461f7ed288d50d70da7ae9c7152b1e51d/README.md)\n  * [Recap](https://openssf.org/blog/2021/01/27/digital-identity-attestation-roundup/)\n\n## Governance\n\nThis WG is currently chaired by interim co-chairs Nicole Bates, Justin Cappos, and Michael Lieberman.\n\nWorking Group operations are consistent with standard operating guidelines provided by the OSSF Technical Advisory Committee\n[TAC](https://github.com/ossf/tac).\n\nFull details of process and roles are linked from [governance README](/governance).\n\nNew SCI WG Charter can be read from [governance CHARTER](/governance/CHARTER.MD)\n\n## Antitrust Policy Notice\n\nLinux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.\n\nExamples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at \u003chttp://www.linuxfoundation.org/antitrust-policy\u003e. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Fwg-supply-chain-integrity","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fossf%2Fwg-supply-chain-integrity","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Fwg-supply-chain-integrity/lists"}