Update framework.md
Still addressing comments from #22 

Signed-off-by: Jasmine Wang <[email protected]>
jasminewang0 authored Jul 10, 2023
1 parent b2dceb7 commit 9624ad1
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions specification/framework.md
@@ -147,7 +147,7 @@ _I know if any OSS artifact in my pipeline has vulnerabilities or malware._
- A team tries to use an OSS package that is known to steal bitcoins (i.e. the _event-stream_ scenario)
- A team tries to use an OSS package with a backdoor

Once we control all artifact inputs, we must scan all inputs to trust them. This trust is built using scanners that look for vulnerabilities, malware, malicious or anomalous behavior, extraneous code, and other known or previously undiscovered issues (i.e. zero-day vulnerabilities).
Once we control all artifact inputs, we must scan all inputs to trust them. This trust is built using scanners that look for vulnerabilities, malware, malicious or anomalous behavior, extraneous code, end-of-life notices, and other known or previously undiscovered issues (i.e. zero-day vulnerabilities).

### _Practice 3: Inventory It_

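Review bot: "end-of-life notices" sits awkwardly in a list of things that scanners detect (vulnerabilities, malware, anomalous behavior, extraneous code, zero-days); end-of-life is a maintenance status of the package rather than a defect found by scanning, and the practice that tracks package status is the inventory practice that follows. Consider either rewording to "end-of-life or unmaintained status" so the reader knows this is metadata rather than a scan finding, or moving it to Practice 3. While in this sentence, "(i.e. zero-day vulnerabilities)" should be "e.g.", since zero-days are one example of previously undiscovered issues, not a definition of them.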
@@ -190,7 +190,7 @@ _I can rely on secure and trusted OSS consumption within my organization._

- A developer bypasses the official engineering pipeline to consume an OSS package with a known vulnerability

All OSS artifacts must be consumed from trusted sources and through the official OSS consumption channels. The next step is to enable enforcement of the supply chain so that all artifacts that in any way impact a production service/release must come through the full supply chain. An example of enforcement is to reroute DNS traffic or configure builds to break if they try to consume OSS from untrusted sources.
All OSS artifacts must be consumed from organization-defined approved sources and through the official OSS consumption channels. The next step is to enable enforcement of the supply chain so that all artifacts that in any way impact a production service/release must come through the full supply chain. An example of enforcement is to reroute DNS traffic or configure builds to break if they try to consume OSS from untrusted sources.

### _Practice 7: Rebuild It_

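Review bot: the first sentence now says "organization-defined approved sources", but the last sentence of the same paragraph still says "untrusted sources", so the paragraph uses two terms for the same concept. Align the closing example with the new wording, e.g. "configure builds to break if they try to consume OSS from sources that are not on the organization's approved list", so that enforcement is clearly tied to the approved-source list rather than to a vaguer notion of trust. The "reroute DNS traffic" example would also benefit from a clause saying where traffic is rerouted to (the internal proxy or mirror), since as written it does not say how rerouting enforces the approved list.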