Merge pull request #341 from salaxander/zarf_sandbox

add zarf as an openssf sandbox project
ossf · Jun 20, 2024 · 629838b · 629838b
2 parents 18134b3 + 37b1a57
commit 629838b
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -87,6 +87,7 @@ The following Technical Initiatives have been approved by the TAC. You may learn
 | Sigstore               | https://github.com/sigstore                      | [Meeting Notes](https://docs.google.com/document/d/1bsl-Y0KulSD7O_nTekad1sAKOVRb80wyGb-Q5x-zdg0/edit) | OpenSSF TAC    | [Graduated](process/project-lifecycle-documents/sigstore_graduated_stage.md)        |
 | SLSA                   | https://github.com/slsa-framework/slsa | [Meeting Notes](https://docs.google.com/document/d/1PwhekVB1iDpcgCQRNVN_aesoVdOiTruoebCs896aGxw/edit#heading=h.gjdgxs) | Supply Chain Integrity WG   | TBD        |
 | SLSA Tooling           | https://github.com/ossf/wg-supply-chain-integrity/blob/main/slsa-tooling.md | [Meeting Notes](https://docs.google.com/document/d/18oj3CLJQhZj1dMHKDTq_1kKg0syysKCS7pLyXlw1SRc/edit#heading=h.yfiy9b23vayj) | Supply Chain Integrity WG   | TBD        |
+| Zarf          | https://github.com/defenseunicorns/zarf | [Meeting Notes](https://docs.google.com/document/d/1Ww5XOICluxIY_bAsyVieLe9GU9FpXJ3LwSCZxqOSLaM/edit#heading=h.wq25h5ks8vsu) | Supply Chain Integrity WG   | [Sandbox](process/project-lifecycle-documents/zarf_sandbox_stage.md)       |
 
 ### OpenSSF affiliated projects
 

diff --git a/process/project-lifecycle-documents/zarf_sandbox_stage.md b/process/project-lifecycle-documents/zarf_sandbox_stage.md
@@ -0,0 +1,65 @@
+## Application for creating a new project at Sandbox stage
+
+### List of project maintainers
+The project must have a minimum of three maintainers with a minimum of two different organizational affiliations.
+  * Sarah Christoff, Defense Unicorns, @sscristoff-du
+  * Austin Abro, Defense Unicorns, @AustinAbro321
+  * Lucas Rodriguez, Defense Unicorns, @lucasrod16
+  * Danny Gershman, Radius Method, @dgershman
+
+### Sponsor
+Most projects will report to an existing OpenSSF Working Group, although in some cases a project may report directly to the TAC. The project commits to providing quarterly updates on progress to the group they report to.
+  * WG Supply Chain Integrity
+
+### Mission of the project
+The project must be aligned with the OpenSSF mission and either be a novel approach for existing areas, address an unfulfilled need, or be initial code needed for OpenSSF WG work. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project.
+
+  * Zarf eliminates the complexity of air gap software delivery for Kubernetes clusters and cloud-native workloads using a declarative packaging strategy to support DevSecOps in offline and semi-connected environments.
+
+### IP policy and licensing due diligence
+When contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF).
+
+LF License Intake Scan Report:
+
+LICENSE INTAKE SCAN & ANALYSIS: OpenSSF: Zarf
+DISTRIBUTION: Amanda Martin, #341
+
+This intake scan is a static analysis of the source code in your repository. A dependency scan was not performed. Once a project is added to LFX [https://security.lfx.linuxfoundation.org], you can use SNYK to view a dependency scan for both licenses and vulnerabilities.
+CODE SCANNED: [pulled 19–JUNE-2024]
+https://github.com/defenseunicorns/zarf
+
+PROJECT LICENSE: Apache-2.0
+
+Top level project license file found in repo
+SPDX LICENSE IDENTIFIERS: SPDX license identifiers were found in source file headers.
+
+PERMISSIVE LICENSES: Apache-2.0
+
+COPYLEFT LICENSES: None found
+
+SOURCE AVAILABLE LICENSES: None found
+
+PROPRIETARY LICENSES: None found
+
+LICENSE CONFLICTS: None found
+
+BINARY / PACKAGE FILES: None found
+
+THIRD PARTY CODE / DEPENDENCIES: None found
+
+THIRD PARTY NOTICE FILE: None found
+
+SUMMARY FINDINGS: All of the scanned code is under the project license, Apache-2.0. SPDX license identifiers were found in source file headers. No license conflicts found. No dependencies or third party code detected in repo.
+
+### Project References
+The project should provide a list of existing resources with links to the repository, and if available, website, a roadmap, contributing guide, demos and walkthroughs, and any other material to showcase the existing breadth, maturity, and direction of the project.
+
+| Reference           | URL                                                                                                |
+|---------------------|----------------------------------------------------------------------------------------------------|
+| Repo                | https://github.com/defenseunicorns/zarf                                                            |
+| Website             | https://zarf.dev                                                                                   |
+| Contributing guide  | https://github.com/defenseunicorns/zarf/blob/main/.github/CONTRIBUTING.md                          |
+| Security.md         | https://github.com/defenseunicorns/zarf/blob/main/.github/SECURITY.md                              |
+| Roadmap             | https://docs.zarf.dev/docs/roadmap                                                                 |
+| Demos               | https://youtu.be/CBJ3HYV4UoU?si=g2Hx76Zil_kGxdan, https://youtu.be/zur-TjemtcA?si=krcJjBcWncrT4V03 |
+| Other               | [System76 podcast](https://pca.st/dztuzwe3)                                                        |