Juan Antonio Osorio (@jaosorior) 's Twitter Profile
Juan Antonio Osorio

@jaosorior

AKA Ozz: Mexican Open Source Software developer; Cloud, Security, Beer, Heavy Metal & my beard. Dev @StackLokHQ

Here's my blog: jaosorior.dev

ID: 298077410

Link: https://github.com/JAORMX | Joined: 13-05-2011 16:32:11

2.2K Tweets

525 Followers

733 Following

Luke Hinds (@decodebytes)

Exciting times for Stacklok! We're thrilled to welcome a fantastic group of new stackers over the coming weeks. Stay tuned, because one of them in particular will announce their arrival soon, and I couldn't be more excited about this addition to our team! 💥 #Stackers ftw!

sigstore (@projectsigstore)

🚀 The sigstore-go library just cut its first release. The library now has sigstore bundle & rekor verification, Timestamp Authority verification, TUF support and more. Thanks to all community members working on this! github.com/sigstore/sigst…

Stacklok (@stacklokhq)

For our OSS project Minder, we made the switch from a naive, database-backed authorization implementation to a multi-tenant, relationship-based authorization model using OpenFGA. It's working great! Here's how we did it: stacklok.com/blog/using-ope…

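An added example, not Stacklok's or Minder's code and not OpenFGA itself: a small Go evaluator for a hypothetical OpenFGA-style model in which a project is the tenant and repository permissions are derived from project membership. The model, the tuples and the user and project names are constructed for the demo. The point it shows is that every check is a walk over stored relationships, so a user who is admin in one project gets nothing on another project's repositories unless a tuple links them, and an unknown relation is denied rather than defaulted to allow.

```go
package main

import "strings"

// Tuple is an OpenFGA-style relationship: User has Relation on Object. User may itself
// be an object ("project:acme"), which is how a repository is linked to its tenant.
type Tuple struct{ User, Relation, Object string }

// ParentRef encodes "<Relation> from <Via>": follow Via to related objects, check Relation there.
type ParentRef struct{ Via, Relation string }

// RelationDef mirrors one `define` line of an OpenFGA model.
type RelationDef struct {
	Direct     bool        // assignable by a tuple: [user]
	Implied    []string    // "or <relation>" on the same object
	FromParent []ParentRef // "<relation> from <via>"
}

// Model maps object type -> relation name -> definition.
type Model map[string]map[string]RelationDef

type Store struct{ Model Model; Tuples []Tuple }

// DemoModel is a hypothetical tenancy model (not Minder's), in OpenFGA terms:
//   project:    admin [user]; member [user] or admin
//   repository: project [project]; viewer = member from project; editor = admin from project
var DemoModel = Model{
	"project": {
		"admin":  {Direct: true},
		"member": {Direct: true, Implied: []string{"admin"}},
	},
	"repository": {
		"project": {Direct: true},
		"viewer":  {FromParent: []ParentRef{{Via: "project", Relation: "member"}}},
		"editor":  {FromParent: []ParentRef{{Via: "project", Relation: "admin"}}},
	},
}

// Constructed tuples: two tenants (projects) and no cross-tenant grants.
var DemoTuples = []Tuple{
	{"user:alice", "admin", "project:acme"},
	{"user:bob", "member", "project:acme"},
	{"user:carol", "admin", "project:beta"},
	{"project:acme", "project", "repository:acme/minder"},
	{"project:beta", "project", "repository:beta/app"},
}

func NewDemoStore() *Store { return &Store{Model: DemoModel, Tuples: DemoTuples} }

// Check answers "does user have relation on object?" the way OpenFGA's Check does:
// direct tuple, then implied relations, then rewrites through parent objects.
func (s *Store) Check(user, relation, object string) bool {
	return s.check(user, relation, object, 0)
}

func (s *Store) check(user, relation, object string, depth int) bool {
	if depth > 16 { // guard against cyclic models
		return false
	}
	typ, _, _ := strings.Cut(object, ":")
	def, ok := s.Model[typ][relation]
	if !ok {
		return false // unknown type or relation: deny, never default-allow
	}
	if def.Direct {
		for _, u := range s.subjects(relation, object) {
			if u == user {
				return true
			}
		}
	}
	for _, r := range def.Implied {
		if s.check(user, r, object, depth+1) {
			return true
		}
	}
	for _, p := range def.FromParent {
		for _, parent := range s.subjects(p.Via, object) {
			if s.check(user, p.Relation, parent, depth+1) {
				return true
			}
		}
	}
	return false
}

// subjects returns the User field of every tuple with relation on object: the users
// granted it directly, or the parent objects when relation is a link like "project".
func (s *Store) subjects(relation, object string) []string {
	var out []string
	for _, t := range s.Tuples {
		if t.Relation == relation && t.Object == object {
			out = append(out, t.User)
		}
	}
	return out
}
```

With OpenFGA proper the same model is written in its DSL and checks go through the server's Check API; the walk above is the semantics, written out so the tenancy boundary is visible, not the implementation.
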
Stacklok (@stacklokhq)

We now have support for Go in Trusty! You can use Trusty to vet the safety of your #oss Go dependencies, like whether they're being actively maintained and have a strong community behind them. stacklok.com/blog/announcin…

Stacklok (@stacklokhq)

Now in Minder—new ways to help you secure your artifacts. Configure custom / private sigstore instances; do more expressive provenance checks; and use our pre-built policies to secure GitHub Actions workflows. stacklok.com/blog/4-ways-to…

Luke Hinds (@decodebytes)

This is happening in 3 hours (9am PST / 18:00 CET / 17:00 GMT). Come check out how Minder OSS can analyze new packages introduced in a pull request for their supply chain risk trust heuristics (via trustypkg.dev) and active vulnerabilities (via osv.dev).

Stacklok (@stacklokhq)

Today at 9 AM PT! See how Minder OSS can analyze new packages introduced in a developer's PR for their supply chain risk heuristics (via trustypkg.dev) and active vulnerabilities (via osv.dev, from Google Open Source). youtube.com/live/XZCUhpWFl…

Stacklok (@stacklokhq)

If you're looking for software to protect the software you develop, that in turn leverages open source software, consider working with someone who actively participates in open source themselves. Not only will they have a deep understanding of the problem space, but they're also

Luke Hinds (@decodebytes)

We (Stacklok) have released details of our Proof-of-Diligence algorithm and Graph. Very curious to see what others make of this. We have a private beta starting next week where we expose the API/UI for others to try: stacklok.com/blog/announcin…

Luke Hinds (@decodebytes)

Busy day at Stacklok, we also released Minder Cloud today. Craft custom policies for remediation at scale. The GitHub provider implementation is in place with a UI to complement the CLI. stacklok.com/blog/announcin…

Stacklok (@stacklokhq)

(1/2) 👋 We made some big announcements today at the #OSSummit. Here's the first. Today, we're introducing the OSS Trust Graph, a way to model trust in #opensource ecosystems. It maps the connections between open source contributors and projects, and, through our

Stacklok (@stacklokhq)

(2/2) Our second announcement: Minder Cloud! Having high-quality intelligence about open source packages is only as useful as an organization’s or a community’s ability to drive policies that shape developer behavior. That’s why we launched the open source software security

Stacklok (@stacklokhq)

#oss maintainers, if you're tired of trying to make sure every project repo has a security.md file, branch protections enabled, Dependabot configured, etc—Minder can help you automate this, and it's free for public repos. Here's how. stacklok.com/blog/tutorial-…

Stacklok (@stacklokhq)

We've just identified a typosquatting attack on the Python Package Index "requests" library. It used a script to send files from the user's computer to a Telegram chat channel. We've reported this to Python Software Foundation and they've taken it down. Details here: stacklok.com/blog/identifyi… #cybersecurity

Luke Hinds (@decodebytes)

Did you know in trustypkg we make the provenance of pkgs available in our public facing API? Next week I will cover some other signals available in the payload. Any prototypes hacked together, please do share and let me know: dev.to/lukehinds/usin…

Stacklok (@stacklokhq)

JULY 17: Join Stackers Juan Antonio Osorio & Jakub Hrozek for this CNCF Livestream to learn how you can automate pinning GitHub Actions & container images to their digests! Sign up here: community.cncf.io/events/details… Or tune in to youtube.com/@cncf or twitch.tv/cloudnativefdn/

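An added example, not Minder's code and not material from the livestream: a Go rewrite of the pinning check the tweet describes, run over a constructed workflow. A mutable tag such as actions/checkout@v4 or golang:1.22 is resolved to a digest and the tag is kept as a trailing comment; steps already pinned to a commit SHA and local ./ actions are left alone, and anything that cannot be resolved is reported so the check fails instead of silently leaving a floating tag behind. The Resolver type, DemoResolver and its digests are placeholders standing in for the GitHub API (tag to commit) and the registry manifest (tag to sha256).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Resolver maps a mutable reference ("actions/checkout@v4", "golang:1.22") to its current
// digest. Real code would query the GitHub API and the registry; the demo injects the lookup.
type Resolver func(ref string) (digest string, ok bool)

var (
	usesRe   = regexp.MustCompile(`^(\s*-?\s*uses:\s*)([^\s#"']+)(.*)$`)
	imageRe  = regexp.MustCompile(`^(\s*image:\s*)([^\s#"']+)(.*)$`)
	shaRe    = regexp.MustCompile(`^[0-9a-f]{40}$`)
	digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)
)

// IsPinnedImage reports whether an image reference carries a full sha256 digest.
func IsPinnedImage(ref string) bool {
	_, d, found := strings.Cut(ref, "@")
	return found && digestRe.MatchString(d)
}

// IsPinnedAction reports whether a `uses:` reference is immutable: a 40-hex commit
// SHA, or a digest for docker:// actions. A local action (./path) is part of the
// same commit as the workflow, so there is nothing external to pin.
func IsPinnedAction(ref string) bool {
	if strings.HasPrefix(ref, "./") {
		return true
	}
	_, rev, found := strings.Cut(ref, "@")
	return found && (shaRe.MatchString(rev) || digestRe.MatchString(rev))
}

// pinAction returns the pinned reference and the tag it replaced (kept as a comment).
func pinAction(ref string, resolve Resolver) (string, string, bool) {
	sha, ok := resolve(ref)
	if !ok || !shaRe.MatchString(sha) {
		return ref, "", false // refuse anything that is not a well-formed commit SHA
	}
	name, tag, _ := strings.Cut(ref, "@")
	return name + "@" + sha, tag, true
}

// PinWorkflow rewrites every `uses:` and `image:` line so mutable tags become digests,
// keeping the tag as a trailing comment. Already-pinned lines are left alone; references
// that cannot be resolved are returned so the caller can fail the check.
func PinWorkflow(workflow string, resolve Resolver) (string, []string) {
	var unresolved []string
	lines := strings.Split(workflow, "\n")
	for i, line := range lines {
		if m := usesRe.FindStringSubmatch(line); m != nil && !IsPinnedAction(m[2]) {
			pinned, tag, ok := pinAction(m[2], resolve)
			if !ok {
				unresolved = append(unresolved, m[2])
				continue
			}
			rest := m[3]
			if tag != "" && strings.TrimSpace(rest) == "" {
				rest = " # " + tag
			}
			lines[i] = m[1] + pinned + rest
		} else if m := imageRe.FindStringSubmatch(line); m != nil && !IsPinnedImage(m[2]) {
			d, ok := resolve(m[2])
			if !ok || !digestRe.MatchString(d) {
				unresolved = append(unresolved, m[2])
				continue
			}
			lines[i] = m[1] + m[2] + "@" + d + m[3]
		}
	}
	return strings.Join(lines, "\n"), unresolved
}

// Constructed sample; the setup-go step is already pinned and must survive unchanged.
const SampleWorkflow = `jobs:
  build:
    container:
      image: golang:1.22
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: ./.github/actions/lint
`

// Placeholder digests, made up for the demo, standing in for real API/registry answers.
var demoDigests = map[string]string{
	"actions/checkout@v4": strings.Repeat("ab", 20),
	"golang:1.22":         "sha256:" + strings.Repeat("cd", 32),
}

func DemoResolver(ref string) (string, bool) { d, ok := demoDigests[ref]; return d, ok }

func main() {
	out, unresolved := PinWorkflow(SampleWorkflow, DemoResolver)
	fmt.Print(out, "unresolved: ", unresolved, "\n")
}
```

The regexes cover the plain `uses:` and `image:` shapes; quoted references and YAML anchors are not handled. In a real run the digests come from the GitHub API and the registry at pin time, and the rewritten workflow should be reviewed and re-pinned like any other dependency bump rather than regenerated blindly on every CI run.

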
Stacklok (@stacklokhq)

Join Stacker Juan Antonio Osorio for an Intro to #Minder today at 10am ET / 3pm BST / 5pm EEST to get a high-level overview and demo of the project. YouTube livestream is at: youtube.com/watch?v=YvP9YG… #SupplyChainSecurity #ShiftLeft #DevSecOps