2 files changed, +28 −0 lines changed
1+ ---
2+ title : CHAINS Software Supply Chain Competition
3+ ---
4+
5+ This is a competition based on a checklist for best practices in software supply chain security.
6+
7+ At the 2025 workshop, a leaderboard will be announced and the participant with the highest score will score will receive a prize.
8+
9+ Name: _____________ _
10+ Repo: _____________ _
11+
12+ | Rule | Check ✅/❌|
13+ | ----------| ----------|
14+ | forbid unsigned git commits and tags | |
15+ | forbid transient dependencies in CI (no latest, SNAPSHOT, etc.) | |
16+ | use dependency update bot (dependabot, renovate) | |
17+ | push lockfile in repo (maven-lockfile) | |
18+ | block bad dependencies in ci (dirty-waters) | |
19+ | require code review before merging PRs | |
20+ | run security scanners in CI (CodeQL, Snyk, etc.) | |
21+ | automated creation of release tag | |
22+ | automated creation of SBOMs for releases | |
23+ | push build attestations for releases (rekor) | |
24+ | have independent rebuilders (reproducible-central) | |
25+ | use branch protection rules | |
26+ | verify dependency crypto signatures from a trusted source | |
27+ | have 2FA enabled for all repo members | |
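Review bot: the rule on line 15, "forbid transient dependencies in CI (no latest, SNAPSHOT, etc.)", names the wrong thing: `latest` and `SNAPSHOT` are floating (unpinned) versions, not transient or transitive dependencies, and transitive dependencies cannot be forbidden in any real build. Suggest "forbid floating dependency versions in CI (no latest, SNAPSHOT, open version ranges)" so the rule matches its own examples and lines up with the lockfile rule on line 17. Line 7 has a duplicated phrase, "will score will receive a prize"; drop the first "will score". The rules on lines 17, 18, 23 and 24 cite tools by bare name (maven-lockfile, dirty-waters, rekor, reproducible-central) with no link or one-line description, so a participant outside the project cannot tell what evidence satisfies the check; a link per tool, or a short "how to verify" column, would make the checklist self-explanatory. Minor: the "Name:" and "Repo:" lines (9, 10) end in a stray ` _` after the underscore run, and the header cell `| Check ✅/❌|` on line 12 is missing the space before the closing pipe that the other cells have.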
@@ -88,6 +88,7 @@ See [https://github.com/chains-project/](https://github.com/orgs/chains-project/
8888- [ NIX and the supply chain, debrief of NixCon 2022] ( nixcon-2022.md )
8989- [ SBOMs for your GitHub Releases] ( sbom-github.md )
9090- [ Software suply chain CWEs] ( cwe-software-supplu-chain.md )
91+ - [ CHAINS checklist] ( chains-repo-checklist.md )
9192
9293## Team
9394
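Review bot: the new entry on line 91, `- [ CHAINS checklist] ( chains-repo-checklist.md )`, uses link text that does not match the title the new file declares in its front matter, "CHAINS Software Supply Chain Competition"; pick one name (for example "CHAINS supply chain checklist and competition") so readers searching either page find the other. The visible neighbours (NIX…, SBOMs…, Software…) read as alphabetical, and a "C" entry appended after them breaks that order if the list is sorted; if it is, move the entry up accordingly. While touching this list, the context line 90 carries two pre-existing typos, "suply" in the link text and "supplu" in the file name `cwe-software-supplu-chain.md`; the text can be fixed here, the file name needs a rename with the link updated together.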