Open Source

Chop Wood, Carry Water

Stacklok’s mission is to help open source communities and developers build safer software, and our team has deep roots in open source. We believe that contributing to open source is a necessary part of our everyday work. As part of their daily tasks, our company leaders, engineers, and PMs build, maintain, and contribute to open source projects, and lead open source initiatives that support upstream communities and advance open source security.

Below are some of the projects to which our team leads and contributes.

Our Community Contributions

Stacklok's Open Source Projects

Minder

Minder by Stacklok is an open source platform that helps development teams and open source communities build more secure software, and prove to others that what you’ve built is secure.

Frizbee

Frizbee is a command-line tool to help you increase the security of GitHub Actions by helping you pin actions to commit SHAs (or checksums). Pinning actions to commit SHAs—rather than tags, which can be moved—ensures that you’re always pointing to the same known-good version of the code. Frizbee also provides checksums for container images, and includes a set of libraries for working with tags and checksums.

Community Resources

Come join the stackers on our Community Discord Server!

Chat about Minder, Trusty, Secure Supply Chain, OSS, Sigstore, Frizbee and all our other projects! All our welcome, especially first-timers to OSS!

Software Supply Chain Security (S3C) Weekly

A free weekly newsletter about software supply chain security. We cover security incidents, security tips, free and OSS tools, and updates on community and public sector initiatives you should know about. Brought to you by Stacklok.

Community Contributions and Leadership

sigstore

sigstore is a set of tools developers, software maintainers, package managers and security experts can benefit from. Bringing together free-to-use open source technologies like Fulcio, Cosign and Rekor, it handles digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software.

Creator and maintainer, sigstore

@lukehinds

On-call rotation for sigstore's public good instance

@evankanderson

Contributor

@rdimitrov

Kubernetes

Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications.

Co-creator, Kubernetes

@craigmcl

Contributor, Kubernetes security profiles operator

@JAORMX

Contributor, Kubernetes security profiles operator

@jhrozek

TL, Kubernetes SIG Release

@puerco

Protobom

Protobom is a project that offers a universal, format-neutral SBOM I/O layer designed to work with SBOM data in a unified way. The project frees developers from caring about the nuisance of ingesting and writing SBOMs.

Creator and Technical Lead

@puerco

The Update Framework (TUF)

The Update Framework (TUF) helps developers maintain the security of software update systems, providing protection even against attackers that compromise the repository or signing keys. TUF provides a flexible framework and specification that developers can adopt into any software update system.

Maintainer (go-tuf and repository-service-tuf)

@rdimitrov

OpenVEX

OpenVEX is an implementation of the Vulnerability Exploitability Exchange (VEX) that is designed to be minimal, compliant, interoperable, and embeddable.

Creator and Technical Lead

@puerco

Bandit

Bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report. Bandit was originally developed within the OpenStack Security Project and later rehomed to PyCQA.

Maintainer

@lukehinds

Keylime

Keylime is an open source scalable trusty system. It provides an end-to-end solution for bootstrapping hardware rooted cryptographic trust for remote machines, the provisioning of encrypted payloads, and run-time system integrity monitoring. It also provides a flexible framework for the remote attestation of any given PCR (Platform Configuration Register). Users can create their own customized actions that will trigger when a machine fails its attested measurements.

Maintainer

@lukehinds

go-securesystemslib

A library that provides cryptographic and general-purpose functions for Go Secure Systems Lab projects at NYU.

Contributor

@rdimitrov

libgit2

The Open Source Security Foundation (OpenSSF) seeks to make it easier to sustainably secure the development, maintenance, and consumption of the open source software (OSS) we all depend on. This includes fostering collaboration, establishing best practices, and developing innovative solutions.

Maintainer

@ethomson

Open Source Security Foundation (OpenSSF)

The Open Source Security Foundation (OpenSSF) seeks to make it easier to sustainably secure the development, maintenance, and consumption of the open source software (OSS) we all depend on. This includes fostering collaboration, establishing best practices, and developing innovative solutions.

OpenSSF Governing Board Member / former member, OpenSSF Technical Advisory Council

@lukehinds

Cloud Native Computing Foundation (CNCF)

The Cloud Native Computing Foundation (CNCF) is the open source, vendor-neutral hub of cloud native computing, hosting projects like Kubernetes and Prometheus to make cloud native universal and sustainable.

Founder

@craigmcl

Knative Steering Committee

The Knative Steering Committee (KSC) is responsible for the general health of the Knative community.

Member, Steering Committee

@evankanderson

"Open source is a massive part of our company culture and identity. We aim to build our own products in the open, and make them freely available to use. We also prioritize engineering time to contribute to and maintain critical open source security projects like sigstore and TUF, to help those projects continue to grow and thrive."

Craig McLuckie

Stacklok CEO and Kubernetes co-creator

"Almost every bit of technology depends on open source at some point in its lifecycle. For me, giving back by contributing to open source as a maintainer is about committing to the sustainability of software engineering."

Evan Anderson

Stacklok Principal Engineer

Software Supply Chain Security (S3C) Weekly

A free weekly newsletter about software supply chain security. We cover security incidents, security tips, free and OSS tools, and updates on community and public sector initiatives you should know about. Brought to you by Stacklok.

Stacklok logo
© 2024 Stacklok