Stacklok Insight is a free-to-use web app that provides data and scoring on the supply chain risk for open source packages.
Stacklok’s mission is to help open source communities and developers build safer software, and our team has deep roots in open source. We believe that contributing to open source is a necessary part of our everyday work. As part of their daily tasks, our company leaders, engineers, and PMs build, maintain, and contribute to open source projects, and lead open source initiatives that support upstream communities and advance open source security.
Below are some of the projects to which our team leads and contributes.
Minder by Stacklok is an open source platform that helps development teams and open source communities build more secure software, and prove to others that what you’ve built is secure.
Frizbee is a command-line tool to help you increase the security of GitHub Actions by helping you pin actions to commit SHAs (or checksums). Pinning actions to commit SHAs—rather than tags, which can be moved—ensures that you’re always pointing to the same known-good version of the code. Frizbee also provides checksums for container images, and includes a set of libraries for working with tags and checksums.
Chat about Minder, Trusty, Secure Supply Chain, OSS, Sigstore, Frizbee and all our other projects! All our welcome, especially first-timers to OSS!
A free weekly newsletter about software supply chain security. We cover security incidents, security tips, free and OSS tools, and updates on community and public sector initiatives you should know about. Brought to you by Stacklok.
sigstore is a set of tools developers, software maintainers, package managers and security experts can benefit from. Bringing together free-to-use open source technologies like Fulcio, Cosign and Rekor, it handles digital signing, verification and checks for provenance needed to make it safer to distribute and use open source software.
Creator and maintainer, sigstore
@lukehindsOn-call rotation for sigstore's public good instance
@evankandersonContributor
@rdimitrovKubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications.
Protobom is a project that offers a universal, format-neutral SBOM I/O layer designed to work with SBOM data in a unified way. The project frees developers from caring about the nuisance of ingesting and writing SBOMs.
Creator and Technical Lead
@puercoThe Update Framework (TUF) helps developers maintain the security of software update systems, providing protection even against attackers that compromise the repository or signing keys. TUF provides a flexible framework and specification that developers can adopt into any software update system.
Maintainer (go-tuf and repository-service-tuf)
@rdimitrovOpenVEX is an implementation of the Vulnerability Exploitability Exchange (VEX) that is designed to be minimal, compliant, interoperable, and embeddable.
Creator and Technical Lead
@puercoBandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report. Bandit was originally developed within the OpenStack Security Project and later rehomed to PyCQA.
Maintainer
@lukehindsKeylime is an open source scalable trusty system. It provides an end-to-end solution for bootstrapping hardware rooted cryptographic trust for remote machines, the provisioning of encrypted payloads, and run-time system integrity monitoring. It also provides a flexible framework for the remote attestation of any given PCR (Platform Configuration Register). Users can create their own customized actions that will trigger when a machine fails its attested measurements.
Maintainer
@lukehindsA library that provides cryptographic and general-purpose functions for Go Secure Systems Lab projects at NYU.
Contributor
@rdimitrovlibgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language that supports C bindings.
Maintainer
@ethomsonThe Open Source Security Foundation (OpenSSF) seeks to make it easier to sustainably secure the development, maintenance, and consumption of the open source software (OSS) we all depend on. This includes fostering collaboration, establishing best practices, and developing innovative solutions.
OpenSSF Governing Board Member / former member, OpenSSF Technical Advisory Council
@lukehindsThe Cloud Native Computing Foundation (CNCF) is the open source, vendor-neutral hub of cloud native computing, hosting projects like Kubernetes and Prometheus to make cloud native universal and sustainable.
Founder
@craigmclThe Knative Steering Committee (KSC) is responsible for the general health of the Knative community.
Member, Steering Committee
@evankanderson"Open source is a massive part of our company culture and identity. We aim to build our own products in the open, and make them freely available to use. We also prioritize engineering time to contribute to and maintain critical open source security projects like sigstore and TUF, to help those projects continue to grow and thrive."
Craig McLuckie
Stacklok CEO and Kubernetes co-creator
"Almost every bit of technology depends on open source at some point in its lifecycle. For me, giving back by contributing to open source as a maintainer is about committing to the sustainability of software engineering."
Evan Anderson
Stacklok Principal Engineer
A free weekly newsletter about software supply chain security. We cover security incidents, security tips, free and OSS tools, and updates on community and public sector initiatives you should know about. Brought to you by Stacklok.