OpenJS Security

DASHBOARD - POC

Program Standards

  • Focus: Limited to the Proof of Concept (POC).

  • Assumption: Prior familiarity with the initiative is expected.

  • Objective: Showcase the new approach through the POC.

  • Next Steps: Detailed discussion scheduled for the upcoming Collaboration meeting.

DISCLAIMER

What is this about?

The team

The Objective

The Compliance Guide

The Standards Checklist

Where are we?

Main Challenges!

  • Manual Effort: Requires extensive manual work for forms and response tracking.
  • Workflow Preferences: Maintainers prefer using familiar GitHub workflows (issues, PRs, etc.).
  • Scale of Operations: Hundreds of repositories demand manual evaluations.
  • Time Constraints: Maintainers avoid spending hours in sync meetings.
  • Knowledge Gaps: Limited familiarity with security topics and mitigations among contributors.

Other Challenges

  • High Time to Remediation (TTR): Manual information collection leads to long waiting times.
  • Information Inaccuracy: Data valid today might be outdated tomorrow (e.g., GitHub settings can change anytime).
  • Cognitive Load: Teams struggle to prioritize effectively for maximum impact.
  • Lack of Visibility: No clear way to track project evolution individually or collectively.

What is the proposal?

Provide tools that automate most tasks with minimal manual support (e.g., validations, computational checks, etc.).

This approach also enables the development of mitigation scripts for automated issue resolution in future steps.

The Goal

The Website

  • A refined version of the original document and spreadsheet, now functioning as a website.

  • Content can be updated via GitHub workflows, PRs...

  • Supports canonical URLs for consistent content referencing.

The Dashboard

  • A relatively complex tool aggregating data from multiple sources (GitHub API, Scorecard, human input).

  • Executes workflows to transform raw data into actionable insights like alerts, pending tasks, or data for dashboards/reports.

  • Enables integration with other tools for seamless consumption of information.

POC: Website

Index

Item grouping

Item details

DEMO TIME

POC: Dashboard

Workflow

Pulling data

  • Multiple Data Sources: Pull data from various sources, like the GitHub API, to enrich the database.
  • Independent Workflows: Data-pulling actions are defined in workflows that run independently from each other.
  • Advanced Analysis: Perform deeper checks such as scanning repositories for hardcoded secrets, running Scorecard on non-engaged projects, or cloning repositories for custom evaluations.
  • AI Integration: Employ local AI to enhance alerting and dashboard analytics, providing deeper insights.

You can review examples such as populate-repos-list, generate-reports or check-health.

Local Database

  • Self-Contained: All data is stored in JSON files.
  • Validation: Strict JSON Schemas ensure error-free format and content, even with manual changes.
  • Accessibility: Data can be consumed directly from the GitHub API.
  • Version Control: Enables PRs to document manual inputs, such as validating team training in OWASP Top 10.

You can review examples such as alerts, checks, projects and tasks.

CLI Integration

  • Allows data changes (e.g., adding projects to the dashboard).
  • Supports interactive mode for guided operations.
  • Offers flags-based mode for efficient, direct commands.
  • Simplifies and speeds up data management tasks.

Checks

  • Independent Checks: Each check operates independently, with its own dedicated tests, generating alerts, tasks, and evaluation summaries for projects and the foundation's global status.
  • JSON Export: Results are exported in JSON format for easy integration.
  • Custom Evaluations: Checks can be composed for custom campaigns, like focusing on User Authentication compliance.
  • Aligned with Standards: Checks are similar to OSSF Scorecard's, ensuring consistency and reliability.
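As an added illustration of the Local Database and Checks ideas above (example code, not the POC's own implementation): independent checks run over constructed project records from a JSON database, are composed into a campaign, and emit alerts, tasks, a per-project summary and a foundation-wide status, exported as JSON. The record fields (branchProtection, mfaRequired, scorecard) and check names are assumptions.

```javascript
// Constructed sample of the local JSON database: one record per project.
// Field names are assumptions for this example, not the POC's schema.
const projects = [
  { name: 'project-a', repo: 'openjs/project-a', branchProtection: true,  mfaRequired: true,  scorecard: 8.1 },
  { name: 'project-b', repo: 'openjs/project-b', branchProtection: false, mfaRequired: true,  scorecard: 5.2 },
  { name: 'project-c', repo: 'openjs/project-c', branchProtection: false, mfaRequired: false, scorecard: null },
];

// Each check is self-contained: it inspects one project and returns the
// alert and task it wants to raise, never depending on other checks.
const checks = {
  branchProtection: (p) => p.branchProtection
    ? { pass: true }
    : { pass: false, alert: `Default branch of ${p.repo} is not protected`, task: 'Enable branch protection on the default branch' },
  mfaRequired: (p) => p.mfaRequired
    ? { pass: true }
    : { pass: false, alert: `Members of ${p.repo} are not required to use MFA`, task: 'Require 2FA for all organization members' },
  scorecardKnown: (p) => p.scorecard !== null
    ? { pass: true }
    : { pass: false, alert: `No Scorecard result recorded for ${p.repo}`, task: 'Run OSSF Scorecard and record the score' },
};

// Compose any subset of checks into a campaign and run it over all records.
function runCampaign(checkNames, records) {
  const results = records.map((p) => {
    const alerts = [];
    const tasks = [];
    let passed = 0;
    for (const name of checkNames) {
      const r = checks[name](p);
      if (r.pass) {
        passed += 1;
      } else {
        alerts.push({ check: name, message: r.alert });
        tasks.push({ check: name, action: r.task });
      }
    }
    return { project: p.name, passed, total: checkNames.length, alerts, tasks };
  });
  // Foundation-level status: how many projects pass every selected check.
  const compliant = results.filter((r) => r.passed === r.total).length;
  return { checks: checkNames, projects: results, global: { compliant, total: results.length } };
}

// JSON export, the format other tools and report templates consume.
function exportJSON(campaign) {
  return JSON.stringify(campaign, null, 2);
}
```

Running `runCampaign(['mfaRequired'], projects)` is the "custom campaign" case: only the authentication-related check is evaluated, and the global status reflects just that subset.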

Check Points

Reports

  • Template-Based Reports: Generated using the available data and customizable templates.
  • High Customization: Reports can be tailored to specific needs.
  • Flexible Formats: Generate reports in various formats, from markdown files to interactive, high-detail websites.
  • Viewer-Centric: Reports are designed based on viewer needs, including more or less information as required.
  • Integrated Notifications: Alerts can notify maintainers directly via GitHub issues, ensuring visibility and prompt action.
  • Beyond Reporting: Alerts and tasks can also be represented alongside reports.

DEMO TIME

Next Steps

The future

  • Validate: Gather feedback from Pilot participants on the new approach.
  • Enhance Checks: Continuously add more validation checks.
  • Expand Data Sources: Integrate additional data sources.
  • Automate: Add GitHub Actions triggers for automated data pulling and reporting.
  • Build Dashboards: Develop a comprehensive dashboard with key information.
  • Mitigation Scripts: Explore and implement scripts to resolve issues automatically.
  • Alert Management: Create a system to handle known alerts efficiently.

Dreams are extremely important. You can't do it unless you imagine it.

- George Lucas

THANKS!