GitHub is working with the OSS community to bring new supply chain security capabilities to the platform.

The GitHub Blog provides updates, announcements, and insights from the world's leading software development platform, covering topics such as new features, community highlights, and industry trends. Developers can learn about GitHub's latest developments, best practices for collaboration, and tips for maximizing productivity on the platform.

GitHub Blog

Software artifacts go through a production lifecycle and it's important to have visibility into this lifecycle for security purposes. Digests or hashes can be used to verify the integrity of files. Asymmetric encryption is used for trust on the internet. Mechanisms like signatures and provenance attestations help ensure a trusted origin for software artifacts. The SLSA project provides a standardized schema for provenance attestations. Sigstore simplifies software signatures and provides a tamper-proof paper trail for artifacts.

Where does your software (really) come from?

What does it take to build something like this?