https://github.com/ossf/s2c2f
The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow.
- Host: GitHub
- URL: https://github.com/ossf/s2c2f
- Owner: ossf
- License: other
- Created: 2022-10-19T13:41:09.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2025-05-26T18:06:05.000Z (about 1 year ago)
- Last Synced: 2025-05-26T19:23:56.737Z (about 1 year ago)
- Homepage:
- Size: 3.67 MB
- Stars: 208
- Watchers: 24
- Forks: 27
- Open Issues: 6
Metadata Files:
- Readme: README.md
- Contributing: Contributing.md
- License: LICENSE.md
- Governance: governance/CS_Contributor_License_Agreement.md
README
# Secure Supply Chain Consumption Framework (S2C2F) Project

The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide, which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer's workflow. This paper is split into two parts: a solution-agnostic set of practices and a maturity model-based implementation guide. The Framework is targeted toward organizations that do software development, that take a dependency on open source software, and that seek to improve the security of their software supply chain.
## Motivation
OSS has become a critical aspect of any software supply chain. The S2C2F was designed based on known threats (i.e. tactics and techniques) used by adversaries to compromise OSS packages. By leveraging the framework, software development teams and organizations can securely consume OSS dependencies into the developer's workflow and enhance their OSS governance program to address threats specific to OSS consumption.
## Objective
The objective for the S2C2F Project is to develop and continuously improve upon a guide that provides the following:
* A high-level solution-agnostic set of practices
* A detailed list of requirements
* A list of real-world supply chain threats specific to OSS, and how our Framework requirements mitigate them
* A maturity model-based implementation guide, with links to tools from across the industry
* A process for assessing your organization’s maturity
* A mapping of the Framework requirements to 6 other supply chain specifications
## View or Download the S2C2F Specification
**Click _[here](./specification/framework.md)_ to view the specification in markdown**
To learn more, the S2C2F FAQ is available [here](./FAQ.md).
## Get Involved
* Official communications occur on the [openssf-sig-s2c2f@lists.openssf.org](https://lists.openssf.org/g/openssf-sig-s2c2f). \
[Manage your subscriptions to Open SSF mailing lists](https://lists.openssf.org/g/main/subgroups).
* [S2C2F Project Slack](https://openssf.slack.com/archives/C03THTH3RSM)
* [Supply Chain Integrity WG Slack](https://openssf.slack.com/archives/C01A1MA7A1K)
### Quick Start
* File issues in the [Issues page](https://github.com/ossf/s2c2f/issues)
* We are actively seeking contributions to our [Reference Implementations](./Reference_implementation)
### Meeting times
* Every other Tuesday @ 12:00pm PST. The invite is available on the [OpenSSF Community Calendar](https://calendar.google.com/calendar/u/0/r?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ)
* [Meeting Minutes](https://docs.google.com/document/d/10Q_VOvKsGaYJoK-5yJY4868mTkYZjEo-6xV6ghYS84k/edit)
# Governance
The [GOVERNANCE.md](https://github.com/ossf/s2c2f/blob/main/governance/Governance.md) outlines the scope and governance of our group activities.
* Lead: Adrian Diglio (https://github.com/adriandiglio)
* Co-Lead: Jay White (https://github.com/camaleon2016)
## Steering Committee
- [Jay White, Microsoft](https://github.com/camaleon2016)
- [Adrian Diglio, Microsoft](https://github.com/adriandiglio)
## Project Maintainers
- [Jay White, Microsoft](https://github.com/camaleon2016)
- [Adrian Diglio, Microsoft](https://github.com/adriandiglio)
- [Jasmine Wang, Microsoft](https://github.com/jasminewang0)
- [Tom Bedford, Bloomberg](https://github.com/tombedfordgit)
## Project Collaborators
- [Christopher "CRob" Robinson, Intel](https://github.com/SecurityCRob)
- [David A Wheeler, LF/OSSF](https://github.com/david-a-wheeler)