S2C2F – Open Source Security Foundation

The S2C2F SIG is a group working within the OpenSSF’s Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow.

Motivation

OSS has become a critical aspect of any software supply chain. The S2C2F was designed based on known threats (i.e. tactics and techniques) used by adversaries to compromise OSS packages. By leveraging the framework, software development teams and organizations can securely consume OSS dependencies into the developer’s workflow and enhance their OSS governance program to address threats specific to OSS consumption.

Objective

The objective for the S2C2F Project is to develop and continuously improve upon a guide that provides the following:

A high-level solution-agnostic set of practices
A detailed list of requirements
A list of real-world supply chain threats specific to OSS, and how our Framework requirements mitigates them
A maturity model-based implementation guide, with links to tools from across the industry
A process for assessing your organization’s maturity
A mapping of the Framework requirements to 6 other supply chain specifications

GitHub

Copyright © 2024 The Linux Foundation® . All rights reserved. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page. Linux is a registered trademark of Linus Torvalds. Privacy Policy and Terms of Use.

Subscribe to the OpenSSF Newsletter!

Get the latest announcements, event info, and the community news in your inbox