Skip to main content

📣 Submit your proposal: OpenSSF Community Day Korea

search
Tag

sigstore

Jun 18
Love0

Member Spotlight: Datadog – Powering Open Source Security with Tools, Standards, and Community Leadership

By Blog

Datadog, a leading cloud-scale observability and security platform, joined the Open Source Security Foundation (OpenSSF) as a Premier Member in July, 2024. With both executive leadership and deep technical involvement, Datadog has rapidly become a force in advancing secure open source practices across the industry.

Key Contributions

GuardDog: Open Source Threat Detection

In early 2025, Datadog launched GuardDog, a Python-based open source tool that scans package ecosystems like npm, PyPI, and Go for signs of malicious behavior. GuardDog is backed by a publicly available threat dataset, giving developers and organizations real-time visibility into emerging supply chain risks.

This contribution directly supports OpenSSF’s mission to provide practical tools that harden open source ecosystems against common attack vectors—while promoting transparency and shared defense.

Datadog actively supports the open source security ecosystem through its engineering efforts, tooling contributions, and participation in the OpenSSF community:

  • SBOM Generation and Runtime Insights
    Datadog enhances the usability and value of Software Bills of Materials (SBOMs) through tools and educational content. Their blog, Enhance SBOMs with runtime security context, outlines how they combine SBOM data with runtime intelligence to identify real-world risks and vulnerabilities more effectively.
  • Open Source Tools Supporting SBOM Adoption
    Datadog maintains the SBOM Generator, an open source tool based on CycloneDX, which scans codebases to produce high-quality SBOMs. They also released the datadog-sca-github-action, a GitHub Action that automates SBOM generation and integrates results into the Datadog platform for improved visibility.
  • Sigstore and Software Signing
    As part of the OpenSSF ecosystem, Datadog supports efforts like Sigstore to bring cryptographic signing and verification to the software supply chain. These efforts align with Datadog’s broader commitment to improving software provenance and integrity, especially as part of secure build and deployment practices.
  • OpenSSF Membership
    As a Premier Member of OpenSSF, Datadog collaborates with industry leaders to advance best practices, contribute to strategic initiatives, and help shape the future of secure open source software.

These collaborations demonstrate Datadog’s investment in long-term, community-driven approaches to open source security.

What’s Next

Datadog takes the stage at OpenSSF Community Day North America on Thursday, June 26, 2025, in Denver, CO, co-located with Open Source Summit North America.

They’ll be presenting alongside Intel Labs in the session:

Talk Title: Harnessing In-toto Attestations for Security and Compliance With Next-gen Policies
Time: 3:10–3:30 PM MDT
Location: Bluebird Ballroom 3A
Speakers:

  • Trishank Karthik Kuppusamy, Staff Engineer, Datadog
  • Marcela Melara, Research Scientist, Intel Labs

This session dives into the evolution of the in-toto Attestation Framework, spotlighting new policy standards that make it easier for consumers and auditors to derive meaningful insights from authenticated metadata—such as SBOMs and SLSA Build Provenance. Attendees will see how the latest policy framework bridges gaps in compatibility and usability with a flexible, real-world-ready approach to securing complex software supply chains.

Register now and connect with Datadog, Intel Labs, and fellow open source security leaders in Denver.

Why It Matters

By contributing to secure development frameworks, creating open source tooling, and educating the broader community, Datadog exemplifies what it means to be an OpenSSF Premier Member. Their work is hands-on, standards-driven, and deeply collaborative—helping make open source safer for everyone.

Learn More

May 30
Love0

Member Spotlight: Trail of Bits – Driving Open Source Security Through Standards, Prototypes, and Policy

By Blog

Trail of Bits is a leading cybersecurity research, engineering, and consulting firm that works with some of the most security-conscious organizations in the world—including Facebook, government agencies like DARPA, and prominent cryptocurrency protocols. Founded in 2012, each part of the company focused on open sourcing their work- tools,research, and audits wherever possible. Trail of Bits also maintains a dedicated research division focused on advancing industry-wide security practices, with specialized teams focused on securing open source infrastructure that both their clients and the broader technology ecosystem depend upon.

Key Contributions

Trail of Bits’ work spans both policy and practice, often bridging emerging security needs with real-world implementation. Here are a few of the ways they’ve made an impact:

  1. PEP 740 – Index-Hosted Attestations for PyPI
    In 2023, Trail of Bits authored and implemented PEP 740, which introduced support for digitally signed attestations for Python packaging. This new security feature helps developers verify the integrity and origin of packages—an important step toward a more secure and trustworthy software supply chain, and already more than 270,000 package distributions have already been uploaded with attestations. 
  2. Drafting Project Lifecycle Metadata Standards
    More recently, Trail of Bits drafted a new Python Enhancement Proposal that introduces lifecycle metadata—markers like “active,” “archived,” or “maintenance only”—that could be surfaced through PyPI’s API. While still under discussion, this draft shows their continued push to improve transparency and project health visibility for the broader Python ecosystem.
  3. OpenSSF Scorecard Dashboard Prototype
    In collaboration with OpenSSF, Trail of Bits built a prototype dashboard to help visualize OpenSSF Scorecard metrics across projects and over time. While the dashboard is not yet in public use, it provided valuable insights during development—including identification of a non-functioning Scorecard check—and helped shape conversations about visibility tooling and adoption patterns.
  4. Tooling and Publications
    Trail of Bits builds and open sources custom security tools across multiple domains—including static and dynamic analysis, AI/ML security, and fuzzing capabilities—maintaining them for public use and community benefit. This dedication to open source resources extends to their publication practices, where Trail of Bits regularly shares client audits, testing methodologies, and research through detailed blog posts and comprehensive handbooks that have become essential references in the security community. 
  5. Contributions to Secure Standards
    Their work spans other critical areas of open source security, including contributions to Sigstore, Homebrew build provenance (via Alpha-Omega), and other OpenSSF working groups. They continue to advocate for secure defaults and verifiable development practices across the OSS ecosystem.

Why It Matters

As open source continues to serve as the backbone of digital infrastructure, organizations like Trail of Bits play a vital role in making it more secure, reliable, and transparent. Their ability to influence both upstream policy (like PEPs) and downstream implementation (like OpenSSF Scorecard and Sigstore) helps move the entire ecosystem forward.

Looking Ahead

Trail of Bits remains actively engaged in exploring new opportunities for impact—whether that’s contributing technical guidance, launching prototypes, or leading standards discussions. Their work reflects the spirit of OpenSSF collaboration: practical, community-oriented, and always evolving.

Learn More

Visit trailofbits.com to explore their research and tooling.
To get involved in OpenSSF projects or working groups, visit openssf.org.

Dec 19
Love0

OpenSSF Newsletter – December 2024

By Newsletter

Welcome to the December 2024 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

Thank You for an Amazing 2024!

OpenSSFAnnualReport

As 2024 comes to a close, we want to take a moment to express our deepest gratitude for the dedication, collaboration, and innovation you have brought to the OpenSSF community this year. Together, we achieved remarkable milestones—from expanding our global membership and launching impactful education initiatives to advancing critical security projects and fostering collaborations with public and private sectors. Your contributions have strengthened our shared mission to secure the open source ecosystem and build a safer, more reliable digital future.

As we look forward to 2025, we’re excited to continue fostering a vibrant and inclusive community, deepening collaborations, and driving meaningful change together. We appreciate your role in this journey.

Wishing you a safe and joyful holiday season!

Download report

The Open Source Software Stewards and Manufacturers Workshop and the EU Cyber Resilience Act (CRA)

In December, the Linux Foundation Europe and the OpenSSF hosted the Open Source Software Stewards and Manufacturers Workshop in Amsterdam, focusing on the implications of the EU Cyber Resilience Act (CRA). The event brought together industry leaders, community experts, and government officials to align on CRA obligations and foster collaboration for compliance.

Key outcomes included the formation of the Global Cyber Policy Working Group and three workstreams: CRA Readiness & Awareness, CRA Tooling & Processes, and CRA Standardization.

Details on how to participate and learn more:

Understanding the CRA: OpenSSF’s Role in the Cyber Resilience Act Implementation – Part 1

UnderstandingCRA1

Published as Regulation (EU) 2024/2847 in the Official Journal of the European Union, the Cyber Resilience Act (CRA) entered into force (EIF) on December 10, 2024. The CRA will fully apply three years later, on December 11, 2027. The CRA will obligate all products with digital elements, including their remote data processing, put on the European market to follow this regulation. This new blog series will cover the implementation of the CRA and its relevance to open source software.

In Part 1, we will provide a general overview of the CRA and highlight LF Europe and the OpenSSF’s current activities in relation to the implementation.

Learn more

Understanding the CRA: OpenSSF’s Role in the Cyber Resilience Act Implementation – Part 2

CRABlog2
In Part 1, we provided a general overview of the CRA and highlighted OpenSSF’s current activities related to its implementation. In Part 2, we’ll take a closer look at the three-year implementation timeline and what lies ahead. 

Read more

Shaping the Future of Generative AI: A Focus on Security

GenAIstudy

The Shaping the Future of Generative AI report, sponsored by LF AI & Data and CNCF, highlights how organizations prioritize security, cost, and performance as they adopt GenAI. Security remains a top concern, particularly in sectors like finance and healthcare, where privacy and regulatory compliance are critical.

The Open Source Security Foundation (OpenSSF) AI/ML Working Group plays a vital role in this landscape, focusing on initiatives like model signing with Sigstore to enhance trust and security in AI systems. This blog ties together insights from the report and OpenSSF’s ongoing efforts to address security challenges in GenAI adoption.

Open Source Usage Trends and Security Challenges Revealed in New Study

Census III Report

The Linux Foundation and Harvard released Census III, a groundbreaking study analyzing Free and Open Source Software (FOSS) usage and security challenges. Findings reveal trends like the rise of cloud-specific packages, increased reliance on Rust, and the critical role of a small group of contributors.

Learn more

Download report

 

Honda and Guidewire Join the Open Source Security Foundation (OpenSSF)


At the inaugural SOSS Community Day India, OpenSSF welcomed Honda and Guidewire Software as new members, expanding its growing global network to 126 organizations. The event highlights India’s thriving open source ecosystem and brings together leaders to collaborate on securing the software we all depend on.

Learn more

SigstoreCon 2024: Advancing Software Supply Chain Security

SigstoreCon

On November 12, 2024, the software security community gathered in Salt Lake City for SigstoreCon: Supply Chain Day, co-located with KubeCon North America 2024. The one-day conference brought together developers, maintainers, and security experts to explore how Sigstore is transforming software supply chain security through simplified signing and verification of digital artifacts.

Read more

News from OpenSSF Community Meetings and Projects:

In the News:

Meet OpenSSF at These Upcoming Events!

You’re invited to…

See You Next Year! 

We want to get you the information you most want to see in your inbox. Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you in 2025! 

Regards,

The OpenSSF Team

We envision a future where OSS is universally trusted, secure, and reliable. Join us in making open source more secure.

Get Involved