What Is This?
The OpenChain Security Assurance Specification defines the key requirements of a quality open source security assurance program.
What Does It Do?
The OpenChain Security Assurance Specification helps organizations check the open source they use for known security vulnerabilities, such as those reported as CVEs, GitHub dependency alerts or package manager alerts.
It identifies:
- The key places where security processes are needed
- How to assign roles and responsibilities
- How to ensure the processes are sustainable
The OpenChain Security Assurance Specification 1.1 is lightweight, easy to read, and supported by our global community with free reference material and conformance resources.
History
This specification is built from the Security Assurance Reference Guide. It went through a final approval process, with editing on our specification mailing list and calls, before a governing board vote turned it into a published security specification on 2022-09-14.
Improving The OpenChain Security Assurance Specification
The OpenChain Security Assurance Specification 1.1, the industry standard for open source security assurance, is available for everyone to review, adopt and submit suggestions for improvement. We collect these comments in the OpenChain Security Assurance Specification GitHub Repository; you can add your comments in the “Issues” section.
You can also send questions and feedback to the mailing list or, if you prefer to remain anonymous, by email to the OpenChain Project administration team.