Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,7 @@ The following Technical Initiatives have been approved by the TAC. You may learn
| Model signing | [GitHub](https://github.com/sigstore/model-transparency/blob/main/README.model_signing.md) | | AI/ML Security WG | [Sandbox](process/project-lifecycle-documents/model_signing_sandbox_stage.md) |
| SAFE-Framework | [GitHub](https://github.com/SAFE-MCP/safe-mcp) | | AI/ML Security WG | [Sandbox](process/project-lifecycle-documents/safe_framework_sandbox_stage.md) |
| Package Analysis | [GitHub](https://github.com/ossf/package-analysis) | | Securing Software Repositories WG | TBD |
| Privateer | [GitHub](https://github.com/privateerproj/privateer) | https://privateerproj.com | ORBIT WG | [Sandbox](process/project-lifecycle-documents/Privateer_sandbox_stage.md) |
| Protobom | [GitHub](https://github.com/protobom/protobom) | | Security Tooling WG | [Sandbox](process/project-lifecycle-documents/protobom_sandbox_stage.md) |
| Repository Service for TUF | [GitHub](https://github.com/repository-service-tuf/repository-service-tuf) | https://repository-service-tuf.readthedocs.io/ | Securing Software Repositories WG | [Incubating](process/project-lifecycle-documents/repository_service_for_tuf_incubation_stage.md) |
| S2C2F | [GitHub](https://github.com/ossf/s2c2f) | | Supply Chain Integrity WG | [Incubating](process/project-lifecycle-documents/s2c2f_incubation_stage.md) |
Expand Down
61 changes: 61 additions & 0 deletions process/project-lifecycle-documents/Privateer_sandbox_stage.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
## Application for creating a new project at Sandbox stage

### List of project maintainers

The project must have a minimum of three maintainers with a minimum of two different organizational affiliations.

* Eddie Knight, Revanite, [@eddie-knight](https://github.com/eddie-knight)
* Jason Meridth, Revanite, [@jmeridth](https://github.com/jmeridth)
* Vinaya Damle, Microsoft, [@vinayada1](https://github.com/vinayada1)

### Sponsor

Most projects will report to an existing OpenSSF Working Group, although in some cases a project may report directly to the TAC. The project commits to providing quarterly updates on progress to the group they report to.

* ORBIT Working Group

### Mission of the project

The project must be aligned with the OpenSSF mission and either be a novel approach for existing areas, address an unfulfilled need, or be initial code needed for OpenSSF WG work. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project.

Privateer is a plugin-based framework for security and compliance validation of deployed systems. Its CLI, `pvtr`, actively interacts with software resources to verify that systems behave as expected, testing from both normal user and attacker perspectives to identify security vulnerabilities and misconfigurations that static analysis might miss.

Privateer orchestrates plugin-based tests and provides consistent, machine-readable output according to the [Gemara](https://gemara.openssf.org) specification. This structure allows any number of resources to be subject to any number of assessment requirements, enabling community-driven and organization-specific compliance validation at scale.

The project provides a novel approach to accelerate the development of security and compliance evaluators. It provides a neutral, extensible validation framework that can execute security and compliance checks against deployed software or configurations using community-maintained plugin catalogs. Existing users include the FINOS Common Cloud Controls project, the OpenSSF ORBIT initiative (via the [GitHub repo scanner plugin](https://github.com/ossf/pvtr-github-repo-scanner)), and LFX Insights for scanning CNCF projects against the OpenSSF Baseline.

### Alignment with the OpenSSF MVSSR

The mission of the Project must be aligned with the [Mission, Vision, Values, Strategy, and Roadmap (MVVSR)](https://openssf.org/about/) of the OpenSSF. Please indicate to which of the three strategies and four pillars of the OpenSSF the Project contributes to.

**Strategies:**

* *Catalyst for Change* - Privateer provides a concrete, actionable tool for organizations to validate their security posture against published control catalogs (such as the OpenSSF Baseline and FINOS Common Cloud Controls). By making compliance validation automated and accessible, it lowers the barrier for projects to adopt security best practices.

* *Ecosystem Leader* - Privateer's plugin architecture enables the OpenSSF and broader community to define, publish, and execute security validation tools in a consistent format. It serves as the runtime engine behind the OpenSSF ORBIT Working Group's GitHub repository scanner and the Baseline initiative, directly advancing the OpenSSF's leadership in defining and operationalizing software supply chain security standards.

**Pillars:**

* *Programs & Projects* - Privateer is already actively used within OpenSSF programs (ORBIT, Baseline) and Linux Foundation projects (FINOS CCC, LFX Insights). Bringing it under OpenSSF governance formalizes this relationship and ensures continuity.

### IP policy and licensing due diligence

When contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF).

Yes - IP and license due diligence will be required. The project is currently licensed under Apache 2.0. The contribution will need to go through LF Legal for IP transfer as outlined in the [contribution plan](https://github.com/privateerproj/privateer/issues/271). Tracking issue: https://github.com/ossf/tac/issues/629

### Project References

The project should provide a list of existing resources with links to the repository, and if available, website, a roadmap, contributing guide, demos and walkthroughs, and any other material to showcase the existing breadth, maturity, and direction of the project.

| Reference | URL |
|-----------|-----|
| Repo | https://github.com/privateerproj/privateer |
| Website | https://privateerproj.com |
| Contributing guide | https://github.com/privateerproj/privateer/blob/main/.github/CONTRIBUTING.md |

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| Contributing guide | https://github.com/privateerproj/privateer/blob/main/.github/CONTRIBUTING.md |
| Contributing guide | https://github.com/privateerproj/privateer/blob/main/CONTRIBUTING.md |

Minor: fixing link

| Security.md | https://github.com/privateerproj/.github/blob/main/.github/SECURITY.md |

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't see a SECURITY.md in the repo?

| SDK | https://github.com/privateerproj/privateer-sdk |
| Plugin Example | https://github.com/privateerproj/plugin-example |
| ORBIT Scanner | https://github.com/ossf/pvtr-github-repo-scanner |
| Gemara Spec | https://gemara.openssf.org |
| Contribution Proposal | https://github.com/privateerproj/privateer/issues/271 |