ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

OPENSSF-BASELINE

OpenSSF Baseline minimum OSS security 2024.

Definition

OpenSSF Baseline 2024 categories: (1) Access Control: MFA on all maintainer accounts, least-privilege permissions, branch protection rules (require PR review, no direct push main), tag protection. (2) Code Quality: automated CI tests, mandatory code review, SAST static analysis integration. (3) Vulnerability Management: SECURITY.md policy published disclosure procedure, contact for security@ email or platform-specific, monitoring CVE feeds. (4) Dependency Management: automated dependency updates (Dependabot, Renovate), vulnerability scanning dependencies (Snyk, OWASP Dependency-Check, GitHub Advanced Security), pinned versions. (5) Build Security: automated CI build (SLSA L1+ minimum), reproducible build where possible, signed releases (Sigstore Cosign, GPG signing). (6) Documentation: README, LICENSE, CONTRIBUTING, CODE_OF_CONDUCT, MAINTAINERS files. Inspired by NIST SP 800-218 SSDF, EU Cyber Resilience Act, CRA Article 13 obligations. Target adopters: ~100 OpenSSF identified critical OSS projects (OpenJS Foundation Top 100, Linux Kernel, etc.).

Origin

OpenSSF Best Practices Working Group ; OpenSSF Baseline draft 2023 ; publication 2024 ; inspired by NIST SSDF + EU CRA ; target ~100 critical OSS projects.

Example in context

Apache Software Foundation ASF adopts OpenSSF Baseline 2024 for top-level projects (Tomcat, Kafka, Cassandra, etc.): MFA mandatory committers GitHub accounts, branch protection main, SECURITY.md present, Dependabot enabled, releases GPG ASF tradition + Sigstore Cosign progressively signed.

Last updated: May 16, 2026