Merge pull request #53 from chains-project/competition

add "checklist for software supply chain"

Author: monperrus

chains-repo-checklist.md

@@ -0,0 +1,28 @@
+---
+title: CHAINS Software Supply Chain Competition
+---
+
+This is a competition based on a checklist for best practices in software supply chain security.
+
+At the 2025 workshop, a leaderboard will be announced and the participant with the highest score will score will receive a prize.
+
+Name: ______________  
+Repo: ______________
+
+| Rule | Check ✅/❌|
+|----------|----------|
+| forbid unsigned git commits and tags (impossible to do on Github)|          |
+| forbid transient dependencies in CI (no latest, SNAPSHOT, etc.) |          |
+| forbid coarse-grain version (v45), force most specific, immutable version (v45.0.1)   |          |
+| use dependency update bot (dependabot, renovate) |          |
+| push lockfile in repo (maven-lockfile) |          |
+| block bad dependencies in ci (dirty-waters) |          |
+| require code review before merging PRs |          |
+| run security scanners in CI (CodeQL, Snyk, etc.) |          |
+| automated creation of release tag |          |
+| automated creation of SBOMs for releases |          |
+| push build attestations for releases (rekor) |          |
+| have independent rebuilders (reproducible-central) |          |
+| use branch, tag and CI protection rules |          |
+| verify dependency crypto signatures from a trusted source |          |
+| have 2FA enabled for all repo members |          |

index.md

@@ -89,6 +89,7 @@ See [https://github.com/chains-project/](https://github.com/orgs/chains-project/
 - [NIX and the supply chain, debrief of NixCon 2022](nixcon-2022.md)
 - [SBOMs for your GitHub Releases](sbom-github.md)
 - [Software suply chain CWEs](cwe-software-supplu-chain.md)
+- [CHAINS checklist](chains-repo-checklist.md)
 
 ## Team