<ciso brief/>
Tag Banner

All news with #sca tag

all tags →

Mon, August 4, 2025

OSS Rebuild: Reproducible Builds to Harden Open Source

#CI/CD Security #Content Provenance #Crates.io #Google #npm #PyPI #Reproducible Builds #SBOM #SCA #Supply Chain Backdoor

🔐 Google’s Open Source Security Team today announced OSS Rebuild, a new project to reproduce upstream artifacts and supply SLSA-grade provenance for popular package ecosystems. The service automates declarative build definitions and reproducible builds for PyPI, npm, and Crates.io, generating attestations that meet SLSA Build Level 3 requirements without requiring publisher changes. Security teams can use the project to verify published artifacts, detect unexpected embedded source or build-time compromises, and integrate the resulting provenance into vulnerability response workflows. The project is available as a hosted data set and as open-source tooling and infrastructure for organizations to run their own rebuild pipelines.

read more →

Tue, April 1, 2025

Building Resilient ICT Supply Chains: Supply Chain Month

#Hardware BOM #Regulatory Action #SBOM #SCA #Supply Chain Backdoor #Threat Report

🔒 This April, CISA highlights the 8th annual Supply Chain Integrity Month focused on strengthening the resilience of global information and communications technology (ICT) supply chains. The agency promotes four weekly themes—Preparedness, Mitigation, Trust, and Transparency—and showcases practical resources such as the Supply Chain Risk Management Essentials and Threat Scenarios Report. CISA also emphasizes vendor evaluation with the Vendor SCRM Template, hardware transparency via the HBOM Framework, and consolidated software guidance to help organizations assess, mitigate, and communicate ICT supply chain risks.

read more →