OpenSSF
OpenSSF Newsletter – June 2025
Welcome to the June 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community. TL;DR: Tech...
An Introduction to the OpenSSF Model Signing (OMS) Specification: Model Signing for Secure and Trusted AI Supply Chains
By Mihai Maruseac (Google), Eoin Wickens (HiddenLayer), Daniel Major (NVIDIA), Martin Sablotny (NVIDIA) As AI adoption continues to accelerate, so does the need to secure the AI supply chain. Organizations...
OpenBao Joins the OpenSSF to Advance Secure Secrets Management in Open Source
We’re excited to welcome OpenBao to the Open Source Security Foundation (OpenSSF) as a newly accepted sandbox project!
Tech Talk Recap | CRA-Ready: How Open Source Projects Can Prepare for the EU Cyber Resilience Act
The EU Cyber Resilience Act (CRA) is reshaping the landscape for open source software. Whether you're a maintainer, contributor, or vendor, the CRA introduces new expectations—and new responsibilities. To help the community navigate these changes, the Open Source Security Foundation (OpenSSF) recently hosted a Tech Talk: CRA-Ready: How to Prepare Your Open Source Project for…
Case Study: OSTIF Improves Security Posture of Critical Open Source Projects Through OpenSSF Membership
Organization: Open Source Technology Improvement Fund, Inc. (OSTIF) Contributor: Amir Montazery, Managing Director Website: ostif.org Problem Critical open source software (OSS) projects—especially those that are long-standing and widely adopted—often lack...
GUAC 1.0 is Now Available
The GUAC project is proud to announce the release of GUAC 1.0. GUAC — which stands for “Graph for Understanding Artifact Composition” is an OpenSSF incubating project that brings understanding and insights to the software supply chain. Started by Kusari, Google, and Purdue University, GUAC has contributions from over 400 people representing more than 90…
Maintainers’ Guide: Securing CI/CD Pipelines After the tj-actions and reviewdog Supply Chain Attacks
CI/CD pipelines are increasingly becoming high-value targets for attackers. With access to secrets, source code, and infrastructure, they offer a direct route to supply chain compromise. The recent breaches involving tj-actions/changed-files and reviewdog/action-setup are not isolated events; they are harbingers of a new generation of CI/CD-targeted supply chain attacks.