
Welcome to the June 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.
TL;DR:
- Tech Talk: CRA-Ready: How to Prepare Your Open Source Project for EU Cybersecurity Regulations + LFEL1001 course
- Case Study: OSTIF Improves Security Posture of Critical Open Source Projects Through OpenSSF Membership
- Blogs: GUAC 1.0 release; CI/CD security guide; gittuf incubation; Choosing an SBOM Generation Tool; OSS and the CRA: am I a Manufacturer or a Steward?
- Podcasts: #33 Bridging DevOps and Security: Tracy Ragan on the Future of Open Source; #32 Yoda, Inclusive Strategies, and the Jedi Council: A Conversation with Dr. Eden-Reneé Hayes
- Free Courses: OpenSSF/Linux Foundation e-learning
- News: CRA survey launch; CRA Brief Guide released; SLSA has v1.2 RC1; Zarf released v0.56.0; BOMops whitepaper; MLSecOps Whitepaper coming from AI/ML WG; Vulnerability WG reviewed June 6 U.S. EO & NIST’s reporting role.
- Events: OpenSSF Community Days (Denver, Hyderabad, Amsterdam, Seoul); Open Source Summit NA/EU; Black Hat USA; DefCon; OSFF; SecurityCon.
Tech Talk: CRA-Ready: How to Prepare Your Open Source Project for EU Cybersecurity Regulations
The recent Tech Talk, “CRA-Ready: How to Prepare Your Open Source Project for EU Cybersecurity Regulations,” brought together open source leaders to explore the practical impact of the EU’s Cyber Resilience Act (CRA). With growing pressure on OSS developers, maintainers, and vendors to meet new security requirements, the session provided a clear, jargon-free overview of what CRA compliance involves.
Speakers included CRob (OpenSSF), Adrienn Lawson (Linux Foundation), Dave Russo (Red Hat), and David A. Wheeler (OpenSSF), who shared real-world examples of how organizations are preparing for the regulation, even with limited resources. The discussion also highlighted the LFEL1001 CRA course, designed to help OSS contributors move from confusion to clarity with actionable guidance.
Watch the session here.
Case Study: OSTIF Improves Security Posture of Critical Open Source Projects Through OpenSSF Membership
The Open Source Technology Improvement Fund (OSTIF) addresses a critical gap in open source security by conducting tailored audits for high-impact OSS projects often maintained by small, under-resourced teams. Through its active role in OpenSSF initiatives and strategic partnerships, OSTIF delivers structured, effective security engagements that strengthen project resilience. By leveraging tools like the OpenSSF Scorecard and prioritizing context-specific approaches, OSTIF enhances audit outcomes and fosters a collaborative security community. Read the full case study to explore how OSTIF is scaling impact, overcoming funding hurdles, and shaping the future of OSS security.
Blogs:
✨GUAC 1.0 is Now Available
Discover how GUAC 1.0 transforms the way you manage SBOMs and secure your software supply chain. This first stable release of the “Graph for Understanding Artifact Composition” platform moves beyond isolated bills of materials to aggregate and enrich data from file systems, registries, and repositories into a powerful graph database. Instantly tap into vulnerability insights, license checks, end-of-life notifications, OpenSSF Scorecard metrics, and more. Read the blog to learn more.
✨Maintainers’ Guide: Securing CI/CD Pipelines After the tj-actions and reviewdog Supply Chain Attacks
CI/CD pipelines are now prime targets for supply chain attacks. Just look at the recent breaches of reviewdog and tj-actions, where chained compromises and log-based exfiltration let attackers harvest secrets without raising alarms. In this Maintainers’ Guide, Ashish Kurmi breaks down exactly how those exploits happened and offers the defense-in-depth blueprint every open source project needs today: pinning actions to full commit SHAs, enforcing MFA, monitoring for tag tampering, and isolating sensitive secrets. Read the full blog to learn practical steps for locking down your workflows before attackers do.
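One of the guide's recommendations, pinning actions to full commit SHAs instead of mutable tags or branches, can be checked mechanically. The script below is an added example (not code from the guide or from OpenSSF) that scans a GitHub Actions workflow for `uses:` references and flags any that are not pinned to a 40-character commit SHA; the embedded workflow and its SHA are constructed samples.

```python
import re

# Constructed sample workflow: one step pinned to a full commit SHA (placeholder
# value, not a real commit), two pinned only to a mutable tag or branch, and one
# local action, which has no remote ref to pin.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@master
      - uses: ./.github/actions/local-step
      - run: echo build
"""

# Match the value of every `uses:` key, stopping at whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
# A full Git commit SHA is exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses):
    """Return 'local', 'sha' or 'mutable' for a single `uses:` value.

    Tags and branches can be moved by anyone who gains write access to the
    action's repository, which is exactly what the tj-actions compromise abused;
    a full commit SHA cannot be silently repointed.
    """
    if uses.startswith("./"):
        return "local"
    if "@" not in uses:
        return "mutable"  # no ref at all: resolves to the default branch
    _, ref = uses.rsplit("@", 1)
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def find_unpinned(workflow_text):
    """Return the `uses:` references in a workflow that are not pinned to a full SHA."""
    return [u for u in USES_RE.findall(workflow_text) if classify_ref(u) == "mutable"]


if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"not pinned to a commit SHA: {ref}")
```

Run it over each file under `.github/workflows/` in CI and fail the job when the returned list is non-empty.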
✨From Sandbox to Incubating: gittuf’s Next Step in Open Source Security
gittuf, a platform-agnostic Git security framework, has officially progressed to the Incubating Project stage under the OpenSSF, marking a major milestone in its development, community growth, and mission to strengthen the open source software supply chain. By adding cryptographic access controls, tamper-evident logging, and enforceable policies directly into Git repositories, without requiring developers to abandon familiar workflows, gittuf secures version control at its core. Read the full post to see how this incubation will accelerate gittuf’s impact and how you can get involved.
✨Choosing an SBOM Generation Tool
With so many tools available to build SBOMs, from single-language tools like npm-sbom and CycloneDX’s language-specific generators to multi-language options such as cdxgen, syft, and Tern, how do you know which one to pick? Nathan Naveen helps you decide by comparing each tool’s dependency analysis, ecosystem support, and CI/CD integration, and reminds us that “imperfect SBOMs are better than no SBOMs.” Read the blog to learn more.
✨OSS and the CRA: Am I a Manufacturer or a Steward?
The EU Cyber Resilience Act (CRA) introduces critical distinctions for those involved in open source software, particularly between manufacturers and a newly defined role: open source software stewards. In this blog, Mike Bursell of OpenSSF breaks down what these terms mean, why most open source contributors won’t fall under either category, and how the CRA acknowledges the unique structure of open source ecosystems. If you’re wondering whether the CRA applies to your project or your role, this post offers clear insights and guidance. Read the full blog to understand your position in the new regulatory landscape.
What’s in the SOSS? An OpenSSF Podcast:
#33 – S2E10 “Bridging DevOps and Security: Tracy Ragan on the Future of Open Source”: In this episode of What’s in the SOSS, host CRob sits down with longtime open source leader and DevOps champion Tracy Ragan to trace her journey from the Eclipse Foundation to her work with Ortelius, the Continuous Delivery Foundation, and the OpenSSF. CRob and Tracy dig into the importance of configuration management, DevSecOps, and projects like the OpenSSF Scorecard and Ortelius in making software supply chains more transparent and secure, plus strategies to bridge the education gap between security professionals and DevOps engineers.
#32 – S2E09 “Yoda, Inclusive Strategies, and the Jedi Council: A Conversation with Dr. Eden-Reneé Hayes”: In this episode of What’s in the SOSS, host Yesenia Yser sits down with DEI strategist, social psychologist, and Star Wars superfan Dr. Eden-Reneé Hayes to discuss the myths around DEIA and why unlearning old beliefs is key to progress. Plus, stay for the rapid-fire questions and discover if Dr. Hayes is more Marvel or DC.
Education:
The Open Source Security Foundation (OpenSSF), together with Linux Foundation Education, provides a selection of free e-learning courses to help the open source community build stronger software security expertise. Learners can earn digital badges by completing offerings such as:
- Developing Secure Software (LFD121)
- Security for Software Development Managers (LFD125)
- Understanding the EU Cyber Resilience Act (CRA) (LFEL1001)
- Securing Projects with OpenSSF Scorecard (LFEL1006)
- Securing Your Software Supply Chain with Sigstore (LFS182)
These are just a few of the many courses available for developers, managers, and decision-makers aiming to integrate security throughout the software development lifecycle.
News from OpenSSF Community Meetings and Projects:
- Global Cyber Policy WG is running a CRA survey to measure interest in the individual Standards work streams for the CRA. The results will be used to determine the specific Standards in which the group will invest time and focus.
- The Best Practices and Global Cyber Policy WGs released the Cyber Resilience Act (CRA) Brief Guide for Open Source Software (OSS) Developers.
- SLSA has a v1.2 RC1 PR out for review.
- Zarf released version v0.56.0, which overhauls the Packager SDK to improve its utility and maturity.
- AI/ML WG is finalizing the MLSecOps Whitepaper for release.
- SBOM Everywhere SIG is working on a BOMops Whitepaper.
- Vulnerability Disclosures WG discussed the June 6 U.S. Executive Order and NIST’s responsibilities including vulnerability reporting best practices.
In the News:
- ITOpsTimes – “Linux Foundation and OpenSSF launch Cybersecurity Skills Framework”
- HelpNetSecurity – “Cybersecurity Skills Framework connects the dots between IT job roles and the practical skills needed”
- SiliconAngle – “Linux Foundation debuts Cybersecurity Skills Framework to address enterprise talent gaps”
- Security Boulevard – “Linux Foundation Shares Framework for Building Effective Cybersecurity Teams”
- IT Daily – “Linux Foundation Launches Global Cybersecurity Skills Framework”
- SC World – “New Cybersecurity Skills Framework seeks to bolster enterprise talent readiness”
Meet OpenSSF at These Upcoming Events!
Join us at OpenSSF Community Day Events in North America, India, Japan, Korea and Europe!
OpenSSF Community Days bring together security and open source experts to drive innovation in software security.
- Denver, Colorado – June 26, 2025
- Hyderabad, India – August 4, 2025
- Amsterdam, Netherlands – August 28, 2025
- Seoul, South Korea – November 4, 2025
Connect with the OpenSSF Community at these key events:
- Open Source Summit NA: June 23–25, 2025
- Black Hat USA 2025: August 2–7, 2025
- DefCon 2025: August 7–10, 2025
- Open Source Summit EU: August 25–27, 2025
- Open Source in Finance Forum (OSFF): October 21–22, 2025
- Open Source SecurityCon 2025: November 10, 2025
Ways to Participate:
There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.
You’re invited to…
- Join a Working Group or Project
- Chat with us on Slack
- Follow us on X, Mastodon, Bluesky, and LinkedIn
See You Next Month!
We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!
Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!
Regards,
The OpenSSF Team