As U.S. government requirements for software providers increase, many organizations are faced with calls to document the secure software development processes for all components of the software they publish. These calls for providing proof of compliance, often called attestations, are part of the U.S. government's effort to improve the nation's cybersecurity in response to high-profile cybersecurity events such as the SolarWinds proprietary software hack and the Log4Shell open source software supply chain incident.
Tidelift aims to make documenting the secure software development processes of your open source dependencies easier via open source attestation reports.
What are attestation reports, and what do they look like?
Tidelift delivers attestation reports that, for each open source dependency, return an attestation statement describing that dependency's open source development practices.
Attestation reports and statements are delivered according to the TACOS specification. An attestation report will contain the basic metadata for the project, or application, the report was generated for as well as when the report was generated. Then, for each dependency, there will be a TACOS-formatted attestation statement that describes how the package adheres to a number of secure software development checks.
The secure software development checks in the attestation reports are intended to address the requirements laid out in Executive Order 14028 of the United States Government and the NIST Secure Software Development Framework (SSDF) version 1.1, published as NIST SP 800-218.
How do I access attestation reports?
Attestation reports are generated automatically for projects in Tidelift when an alignment is performed.
For the latest alignment on the default branch, an attestation report can be downloaded from the project overview page.
To download the attestation report for a different revision or alignment, choose a specific alignment from the alignment list and click on the “Bill of materials” link. Click the EXPORT button and choose the “Attestation report” item.
Attestation reports can also be downloaded via the Tidelift API.