...
- Secure the commit process to prevent unauthorized code from being included in an open source project
- Digitally sign all code produced by the project using an X.509 code signing cert issued by a public certificate authority (CA).
- The Linux Foundation has a secure signing process.
- Create an SBOM for each application produced by a project team.
- Use SPDX, CycloneDX or SWID for SBOM format.
- Digitally sign the SBOM with an X.509 code signing certificate issued by a public CA.
- SBOMs can be automatically generated in the CI/CD pipeline using a software composition analysis tool.
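The following is an added example, not code from the page or from any SCA tool, of what the SBOM steps above produce in practice: it builds a minimal CycloneDX 1.4 JSON document from a constructed dependency list, checks the fields a consumer would expect (format, spec version, one purl per component), and serialises it deterministically so that the digest a code-signing step would sign is reproducible. The X.509 signing itself is out of scope here; the `SAMPLE_DEPENDENCIES` list and the application name are constructed.

```python
import hashlib
import json
import re

# Constructed sample input, shaped like what a lockfile parser or SCA tool
# would hand to the SBOM generator in a CI/CD pipeline.
SAMPLE_DEPENDENCIES = [
    {"name": "requests", "version": "2.31.0", "ecosystem": "pypi"},
    {"name": "urllib3", "version": "2.0.7", "ecosystem": "pypi"},
    {"name": "lodash", "version": "4.17.21", "ecosystem": "npm"},
]

# Package URL (purl) shape: pkg:<type>/<name>@<version>
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/[^@\s]+@\S+$")


def to_purl(dep):
    """Build the package URL that identifies a component across SBOM formats."""
    return f"pkg:{dep['ecosystem']}/{dep['name']}@{dep['version']}"


def build_cyclonedx(app_name, app_version, deps):
    """Return a minimal CycloneDX 1.4 JSON BOM for one application build."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": app_name, "version": app_version}
        },
        "components": [
            {"type": "library", "name": d["name"], "version": d["version"], "purl": to_purl(d)}
            for d in deps
        ],
    }


def validate_sbom(sbom):
    """Return a list of problems; an empty list means the BOM passes these checks."""
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat must be CycloneDX")
    if not isinstance(sbom.get("specVersion"), str):
        problems.append("specVersion missing")
    if "component" not in sbom.get("metadata", {}):
        problems.append("metadata.component (the application itself) missing")
    for i, comp in enumerate(sbom.get("components", [])):
        for field in ("type", "name", "version", "purl"):
            if field not in comp:
                problems.append(f"component {i} missing {field}")
        if "purl" in comp and not PURL_RE.match(comp["purl"]):
            problems.append(f"component {i} has malformed purl {comp['purl']!r}")
    return problems


def canonical_bytes(sbom):
    """Serialise deterministically (sorted keys, no whitespace) so two runs over
    the same dependency set yield byte-identical output and the same digest."""
    return json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sbom_digest(sbom):
    """SHA-256 over the canonical bytes; this is the value a signing step
    (with the project's code-signing key, assumed to exist) would sign."""
    return hashlib.sha256(canonical_bytes(sbom)).hexdigest()


if __name__ == "__main__":
    bom = build_cyclonedx("example-app", "1.0.0", SAMPLE_DEPENDENCIES)
    print(json.dumps(bom, indent=2))
    print("problems:", validate_sbom(bom))
    print("digest:", sbom_digest(bom))
```

A consumer verifying the signed SBOM recomputes the digest over the same canonical bytes before checking the signature; any change to a component version, as the test below exercises, changes the digest and therefore invalidates the signature.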
...