Add Software Supply Chain Best Practices v2 markdown (#1396)

* Add Software Supply Chain Best Practices v2 markdown Signed-off-by: Marina Moore <[email protected]> * linting fixes Signed-off-by: Marina Moore <[email protected]> * More linting fixes Signed-off-by: Marina Moore <[email protected]> * fix links Signed-off-by: Marina Moore <[email protected]> * Fix links and spelling Signed-off-by: Marina Moore <[email protected]> * Add Software Supply Chain Best Practices v2 markdown Signed-off-by: Marina Moore <[email protected]> * linting fixes Signed-off-by: Marina Moore <[email protected]> * More linting fixes Signed-off-by: Marina Moore <[email protected]> * fix links Signed-off-by: Marina Moore <[email protected]> * Fix links and spelling Signed-off-by: Marina Moore <[email protected]> * lint fix Signed-off-by: Marina Moore <[email protected]> * Apply suggestions from code review Co-authored-by: Brandt Keller <[email protected]> Signed-off-by: Marina Moore <[email protected]> * formatting and grammar fixes Signed-off-by: Marina Moore <[email protected]> * Update community/working-groups/supply-chain-security/suply-chain-security-paper-v2/SSCBPv2.md Co-authored-by: Brandt Keller <[email protected]> Signed-off-by: Marina Moore <[email protected]> * formatting Signed-off-by: Marina Moore <[email protected]> --------- Signed-off-by: Marina Moore <[email protected]> Signed-off-by: Marina Moore <[email protected]> Co-authored-by: Brandt Keller <[email protected]>
cncf · Nov 8, 2024 · b702fe6 · b702fe6
1 parent 38d8049
commit b702fe6
Show file tree

Hide file tree

Showing 4 changed files with 1,286 additions and 0 deletions.
diff --git a/ci/spelling-config.json b/ci/spelling-config.json
@@ -13,17 +13,22 @@
         "Aniszczyk",
         "antifragile",
         "APAC",
+        "architecting",
         "archives",
+        "Archivista",
         "ARMO",
         "ATT&CK",
         "backdoors",
         "Benedictis",
+        "Bottlerocket",
+        "buildinfo",
         "Buildpacks",
         "BYOK",
         "Cappos",
         "cgroups",
         "chainguard",
         "cisecurity",
+        "CISA",
         "CISO",
         "cloudcustodian",
         "CLOMonitor",
@@ -46,11 +51,15 @@
         "cybercriminals",
         "DAAS",
         "DAST",
+        "DBIR",
         "ddos",
         "DFIR",
+        "Diffoscope",
+        "Dockerfiles",
         "dynatrace",
         "EIOPA",
         "EMEA",
+        "EPSS",
         "ESMA",
         "exfiltrate",
         "exfiltration",
@@ -67,6 +76,7 @@
         "gconv",
         "gitsign",
         "gittuf",
+        "Grafeas",
         "GUAC",
         "helm",
         "HIPAA",
@@ -85,6 +95,7 @@
         "KETRMAX",
         "keycloak",
         "Kjell",
+        "Kritis",
         "Kube",
         "kubecon",
         "Kubernetes",
@@ -106,6 +117,7 @@
         "minimalistic",
         "mitigations",
         "MSSP",
+        "MTTR",
         "NACLs",
         "netgroupcache",
         "oidc",
@@ -121,6 +133,8 @@
         "pcre",
         "PEAR",
         "pearweb",
+        "Peribolos",
+        "Petya",
         "PHP",
         "Pronin",
         "protobuf",
@@ -130,9 +144,15 @@
         "Razzak",
         "RBAC",
         "RCOS",
+        "rebuilder",
+        "Rebuilderd",
+        "refreshable",
         "Rego",
+        "relatability",
+        "renovatebot",
         "Rensselaer",
         "Roadmap",
+        "RSTUF",
         "runtimes",
         "sandboxed",
         "sandboxing",
@@ -144,6 +164,7 @@
         "semgrep",
         "Sergey",
         "Shlomo",
+        "SIEM",
         "Sigstore",
         "SLSA",
         "snyk",
@@ -160,13 +181,15 @@
         "Syft",
         "syscall",
         "TAR",
+        "Tekton",
         "timeframe",
         "TOCTOU",
         "toolset",
         "triage",
         "triaged",
         "triaging",
         "trojanized",
+        "trufflehog",
         "TTPS",
         "Twintag",
         "unencrypted",
@@ -177,6 +200,7 @@
         "urllib",
         "usecase",
         "venv",
+        "vexy",
         "Virtool",
         "Wolt",
         "Yubi",

diff --git a/community/publications/README.md b/community/publications/README.md
@@ -28,6 +28,7 @@ This document lists all the publications and resources that TAG Security has pro
 | | OPA | Markdown | [Link](/community/assessments/projects/opa) |
 | | Spiffe-Spire | Markdown | [Link](/community/assessments/projects/spiffe-spire) |
 | **Supply Chain Security** | | | |
+| | Software Supply Chain Best Practices v2 | Markdown | [Link](/community/working-groups/supply-chain-security/supply-chain-security-paper-v2/SSCBPv2.md) |
 | | Software Supply Chain Best Practices | Markdown | [Link](/community/working-groups/supply-chain-security/supply-chain-security-paper/sscsp.md) |
 | | | PDF | [Link](/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf) |
 | | Evaluating your supply chain security | Markdown | [Link](/community/working-groups/supply-chain-security/supply-chain-security-paper/secure-supply-chain-assessment.md) |

diff --git a/...ty/working-groups/supply-chain-security/suply-chain-security-paper-v2/README.md b/...ty/working-groups/supply-chain-security/suply-chain-security-paper-v2/README.md
@@ -0,0 +1,16 @@
+# Software Supply Chain Best Practices v2
+
+## About
+
+This is an update to the Software Supply Chain Best Practices whitepaper that accounts for how the field has evolved.
+The paper adds descriptions of personas to help guide the reader to relevant parts of the paper, and updates descriptions of the software supply chain best practices.
+
+## Updates
+
+Minor updates (typo fixes, etc) will be accepted to the markdown version of this paper.
+
+Larger updates may be proposed, but may be pushed to a future version of the paper.
+
+## Markdown
+
+The [markdown](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper-v2/SSCBPv2.md) file is available in the repository.