OPENSSF-BASELINE
OpenSSF Baseline minimum OSS security 2024.
Définition
OpenSSF Baseline 2024 categories : (1) Access Control : MFA on all maintainer accounts, least-privilege permissions, branch protection rules (require PR review, no direct push main), tag protection. (2) Code Quality : automated tests CI, code review obligatoire, static analysis SAST integration. (3) Vulnerability Management : SECURITY.md policy publie disclosure procedure, contact pour security@ email or platform-specific, monitoring CVE feeds. (4) Dependency Management : automated dependency updates (Dependabot, Renovate), vulnerability scanning dependencies (Snyk, OWASP Dependency-Check, GitHub Advanced Security), pinned versions. (5) Build Security : automated CI build (SLSA L1+ minimum), reproducible build where possible, signed releases (Sigstore Cosign, GPG signing). (6) Documentation : README, LICENSE, CONTRIBUTING, CODE_OF_CONDUCT, MAINTAINERS files. Inspired par NIST SP 800-218 SSDF, EU Cyber Resilience Act, CRA Article 13 obligations. Adopters target : ~100 critical OSS projects identified OpenSSF (OpenJS Foundation Top 100, Linux Kernel, etc.).
Origine
OpenSSF Best Practices Working Group ; OpenSSF Baseline draft 2023 ; publication 2024 ; inspire NIST SSDF + EU CRA ; target ~100 critical OSS projects.
Exemple en contexte
Apache Software Foundation ASF adopts OpenSSF Baseline 2024 for top-level projects (Tomcat, Kafka, Cassandra, etc.) : MFA mandatory committers GitHub accounts, branch protection main, SECURITY.md present, Dependabot enabled, releases signed GPG ASF tradition + Sigstore Cosign progressively.
Termes liés
- OpenSSF Scorecard — tool measure compliance.