From c594b3a8e2c3d5c41c2eb4fd940a8bff5ea6d824 Mon Sep 17 00:00:00 2001 From: jmeridth Date: Tue, 30 Jun 2026 14:33:13 -0500 Subject: [PATCH 1/2] feat: add Privateer sandbox stage application Signed-off-by: jmeridth --- README.md | 1 + .../Privateer_sandbox_stage.md | 61 +++++++++++++++++++ 2 files changed, 62 insertions(+) create mode 100644 process/project-lifecycle-documents/Privateer_sandbox_stage.md diff --git a/README.md b/README.md index eadbf4db..2ee171b7 100644 --- a/README.md +++ b/README.md @@ -82,6 +82,7 @@ The following Technical Initiatives have been approved by the TAC. You may learn | Model signing | [GitHub](https://github.com/sigstore/model-transparency/blob/main/README.model_signing.md) | | AI/ML Security WG | [Sandbox](process/project-lifecycle-documents/model_signing_sandbox_stage.md) | | SAFE-Framework | [GitHub](https://github.com/SAFE-MCP/safe-mcp) | | AI/ML Security WG | [Sandbox](process/project-lifecycle-documents/safe_framework_sandbox_stage.md) | | Package Analysis | [GitHub](https://github.com/ossf/package-analysis) | | Securing Software Repositories WG | TBD | +| Privateer | [GitHub](https://github.com/privateerproj/privateer) | https://privateerproj.com | ORBIT WG | [Sandbox](process/project-lifecycle-documents/Privateer_sandbox_stage.md) | | Protobom | [GitHub](https://github.com/protobom/protobom) | | Security Tooling WG | [Sandbox](process/project-lifecycle-documents/protobom_sandbox_stage.md) | | Repository Service for TUF | [GitHub](https://github.com/repository-service-tuf/repository-service-tuf) | https://repository-service-tuf.readthedocs.io/ | Securing Software Repositories WG | [Incubating](process/project-lifecycle-documents/repository_service_for_tuf_incubation_stage.md) | | S2C2F | [GitHub](https://github.com/ossf/s2c2f) | | Supply Chain Integrity WG | [Incubating](process/project-lifecycle-documents/s2c2f_incubation_stage.md) | diff --git a/process/project-lifecycle-documents/Privateer_sandbox_stage.md b/process/project-lifecycle-documents/Privateer_sandbox_stage.md new file mode 100644 index 00000000..afa2fda4 --- /dev/null +++ b/process/project-lifecycle-documents/Privateer_sandbox_stage.md @@ -0,0 +1,61 @@ +## Application for creating a new project at Sandbox stage + +### List of project maintainers + +The project must have a minimum of three maintainers with a minimum of two different organizational affiliations. + +* Eddie Knight, Revanite, [@eddie-knight](https://github.com/eddie-knight) +* Jason Meridth, Revanite, [@jmeridth](https://github.com/jmeridth) +* Vinaya Damle, Microsoft, [@vinayada1](https://github.com/vinayada1) + +### Sponsor + +Most projects will report to an existing OpenSSF Working Group, although in some cases a project may report directly to the TAC. The project commits to providing quarterly updates on progress to the group they report to. + +* ORBIT Working Group + +### Mission of the project + +The project must be aligned with the OpenSSF mission and either be a novel approach for existing areas, address an unfulfilled need, or be initial code needed for OpenSSF WG work. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project. + +Privateer is a plugin-based framework for security and compliance validation of deployed systems. Its CLI, `pvtr`, actively interacts with software resources to verify that systems behave as expected, testing from both normal user and attacker perspectives to identify security vulnerabilities and misconfigurations that static analysis might miss. + +Privateer orchestrates plugin-based tests and provides consistent, machine-readable output according to the [Gemara](https://gemara.openssf.org) specification. This structure allows any number of resources to be subject to any number of assessment requirements, enabling community-driven and organization-specific compliance validation at scale. + +The project addresses an unfulfilled need in the open source security ecosystem: a neutral, extensible validation framework that can execute security and compliance checks against deployed software or configurations using community-maintained plugin catalogs. Existing users include the FINOS Common Cloud Controls project, the OpenSSF ORBIT initiative (via the [GitHub repo scanner plugin](https://github.com/ossf/pvtr-github-repo-scanner)), and LFX Insights for scanning CNCF projects against the OpenSSF Baseline. + +### Alignment with the OpenSSF MVSSR + +The mission of the Project must be aligned with the [Mission, Vision, Values, Strategy, and Roadmap (MVVSR)](https://openssf.org/about/) of the OpenSSF. Please indicate to which of the three strategies and four pillars of the OpenSSF the Project contributes to. + +**Strategies:** + +* *Catalyst for Change* - Privateer provides a concrete, actionable tool for organizations to validate their security posture against published control catalogs (such as the OpenSSF Baseline and FINOS Common Cloud Controls). By making compliance validation automated and accessible, it lowers the barrier for projects to adopt security best practices. + +* *Ecosystem Leader* - Privateer's plugin architecture enables the OpenSSF and broader community to define, publish, and execute security validation tools in a consistent format. It serves as the runtime engine behind the OpenSSF ORBIT Working Group's GitHub repository scanner and the Baseline initiative, directly advancing the OpenSSF's leadership in defining and operationalizing software supply chain security standards. + +**Pillars:** + +* *Programs & Projects* - Privateer is already actively used within OpenSSF programs (ORBIT, Baseline) and Linux Foundation projects (FINOS CCC, LFX Insights). Bringing it under OpenSSF governance formalizes this relationship and ensures continuity. + +### IP policy and licensing due diligence + +When contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF). + +Yes - IP and license due diligence will be required. The project is currently licensed under Apache 2.0. The contribution will need to go through LF Legal for IP transfer as outlined in the [contribution plan](https://github.com/privateerproj/privateer/issues/271). Tracking issue: https://github.com/ossf/tac/issues/629 + +### Project References + +The project should provide a list of existing resources with links to the repository, and if available, website, a roadmap, contributing guide, demos and walkthroughs, and any other material to showcase the existing breadth, maturity, and direction of the project. + +| Reference | URL | +|-----------|-----| +| Repo | https://github.com/privateerproj/privateer | +| Website | https://privateerproj.com | +| Contributing guide | https://github.com/privateerproj/privateer/blob/main/.github/CONTRIBUTING.md | +| Security.md | https://github.com/privateerproj/.github/blob/main/.github/SECURITY.md | +| SDK | https://github.com/privateerproj/privateer-sdk | +| Plugin Example | https://github.com/privateerproj/plugin-example | +| ORBIT Scanner | https://github.com/ossf/pvtr-github-repo-scanner | +| Gemara Spec | https://gemara.openssf.org | +| Contribution Proposal | https://github.com/privateerproj/privateer/issues/271 | From b616a86d044eebc295c1ae17a802b9591296ce0c Mon Sep 17 00:00:00 2001 From: Jason Meridth Date: Tue, 7 Jul 2026 10:49:52 -0500 Subject: [PATCH 2/2] Update process/project-lifecycle-documents/Privateer_sandbox_stage.md Co-authored-by: Eddie Knight Signed-off-by: Jason Meridth --- process/project-lifecycle-documents/Privateer_sandbox_stage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/process/project-lifecycle-documents/Privateer_sandbox_stage.md b/process/project-lifecycle-documents/Privateer_sandbox_stage.md index afa2fda4..d9ac498d 100644 --- a/process/project-lifecycle-documents/Privateer_sandbox_stage.md +++ b/process/project-lifecycle-documents/Privateer_sandbox_stage.md @@ -22,7 +22,7 @@ Privateer is a plugin-based framework for security and compliance validation of Privateer orchestrates plugin-based tests and provides consistent, machine-readable output according to the [Gemara](https://gemara.openssf.org) specification. This structure allows any number of resources to be subject to any number of assessment requirements, enabling community-driven and organization-specific compliance validation at scale. -The project addresses an unfulfilled need in the open source security ecosystem: a neutral, extensible validation framework that can execute security and compliance checks against deployed software or configurations using community-maintained plugin catalogs. Existing users include the FINOS Common Cloud Controls project, the OpenSSF ORBIT initiative (via the [GitHub repo scanner plugin](https://github.com/ossf/pvtr-github-repo-scanner)), and LFX Insights for scanning CNCF projects against the OpenSSF Baseline. +The project provides a novel approach to accelerate the development of security and compliance evaluators. It provides a neutral, extensible validation framework that can execute security and compliance checks against deployed software or configurations using community-maintained plugin catalogs. Existing users include the FINOS Common Cloud Controls project, the OpenSSF ORBIT initiative (via the [GitHub repo scanner plugin](https://github.com/ossf/pvtr-github-repo-scanner)), and LFX Insights for scanning CNCF projects against the OpenSSF Baseline. ### Alignment with the OpenSSF MVSSR