# SSSC Assessment Template

This template defines the standard structure for supply chain security assessment documents.

## Template Structure

# SSSC Assessment - [Project Name]

## Preamble

_Important to note:_ This supply chain security assessment cannot certify or attest to the complete security of a software supply chain. This document is intended to help produce supply chain security-focused backlog items, map the current posture against OpenSSF standards, and document improvement projections.

## Project Overview

| Field | Value |
|--------------------|-----------------------------------------|
| Repository | [Repository URL] |
| Technology Stack | [Languages, frameworks, runtimes] |
| CI/CD Platform | [GitHub Actions, Azure Pipelines, etc.] |
| Package Ecosystems | [npm, PyPI, NuGet, etc.] |
| Deployment Targets | [Cloud, edge, on-premises] |
| Assessment Date | [YYYY-MM-DD] |

## Supply Chain Capability Inventory

### Summary

- Covered: [count]/27
- Partial: [count]/27
- Gap: [count]/27
- N/A: [count]/27

Status legend used in the tables below: ✅ Covered, ⚠️ Partial, ❌ Gap, ➖ N/A.

### hve-core Unique Capabilities

| # | Capability | Status | Evidence |
|---|--------------------------------------|---------|-------------------------------|
| 1 | pip-audit | [✅⚠️❌➖] | [File paths, workflow names] |
| 2 | Action version consistency | [✅⚠️❌➖] | [File paths, workflow names] |
| 3 | Automated SHA pinning updates | [✅⚠️❌➖] | [File paths, script names] |
| 4 | Consolidated weekly security summary | [✅⚠️❌➖] | [Reporting mechanism] |
| 5 | Get-VerifiedDownload.ps1 | [✅⚠️❌➖] | [Script path, usage evidence] |
| 6 | Security workflow orchestration | [✅⚠️❌➖] | [Workflow paths] |

### physical-ai-toolchain Unique Capabilities

| # | Capability | Status | Evidence |
|----|---------------------------------------|---------|--------------------------------|
| 7 | SBOM generation | [✅⚠️❌➖] | [Workflow path, output format] |
| 8 | Sigstore signing | [✅⚠️❌➖] | [Signing configuration] |
| 9 | DAST/ZAP | [✅⚠️❌➖] | [Scan configuration] |
| 10 | Dual attestation | [✅⚠️❌➖] | [Attestation workflow paths] |
| 11 | Stale docs → issue | [✅⚠️❌➖] | [Automation configuration] |
| 12 | OpenSSF Best Practices badge | [✅⚠️❌➖] | [Badge enrollment status] |
| 13 | Dependabot security prefix enrichment | [✅⚠️❌➖] | [Enrichment workflow path] |
| 14 | Comprehensive threat model | [✅⚠️❌➖] | [Threat model document path] |
| 15 | release-please pipeline | [✅⚠️❌➖] | [Release workflow path] |
| 16 | Vulnerability SLA | [✅⚠️❌➖] | [SLA documentation path] |

### Shared Capabilities

| # | Capability | Status | Evidence |
|----|----------------------|---------|----------------------------------|
| 17 | Dependency pinning | [✅⚠️❌➖] | [Scan workflow, script paths] |
| 18 | SHA staleness | [✅⚠️❌➖] | [Check configuration] |
| 19 | gitleaks | [✅⚠️❌➖] | [Workflow path] |
| 20 | CodeQL | [✅⚠️❌➖] | [Workflow path, languages] |
| 21 | Dependency review | [✅⚠️❌➖] | [Workflow path] |
| 22 | OpenSSF Scorecard | [✅⚠️❌➖] | [Workflow path, schedule] |
| 23 | Workflow permissions | [✅⚠️❌➖] | [Script path, validation method] |
| 24 | Copyright headers | [✅⚠️❌➖] | [Validation script path] |
| 25 | Dependabot | [✅⚠️❌➖] | [Configuration file, ecosystems] |
| 26 | SECURITY.md | [✅⚠️❌➖] | [File path, reporting process] |
| 27 | CODEOWNERS | [✅⚠️❌➖] | [File path, review enforcement] |
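
As an added example that is not part of this template, hve-core or physical-ai-toolchain, the script below shows the kind of check that produces evidence for capabilities 2 (Action version consistency), 17 (Dependency pinning) and 18 (SHA staleness): it scans GitHub Actions workflow text for `uses:` references that are not pinned to a full commit SHA, SHA pins that carry no `# vX.Y.Z` version comment, and the same action pinned at different refs across workflows. The workflow contents and the 40-hex commit SHAs are constructed placeholders, not real commits.

```python
"""Audit GitHub Actions `uses:` references for commit-SHA pinning.

Added example for the Dependency pinning / SHA staleness / version consistency
rows; this is not code from hve-core or physical-ai-toolchain. It scans raw
workflow text with a regex instead of a YAML parser so it runs with the
standard library only. The workflows and SHAs below are constructed.
"""
import re
from collections import defaultdict

# `uses: owner/repo[/path]@ref` with an optional trailing `# vX.Y.Z` comment.
# Local actions (`./path`) carry no `@ref` and are skipped: they live in the
# same repository and cannot be pinned by SHA in the same way.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"(?:[ \t]*#[ \t]*(?P<comment>\S+))?",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_action_refs(workflow_text):
    """Return [(action, ref, version_comment_or_None), ...] in file order."""
    return [(m["action"], m["ref"], m["comment"]) for m in USES_RE.finditer(workflow_text)]


def is_sha_pinned(ref):
    """Scorecard's Pinned-Dependencies only counts a full 40-hex commit SHA.
    Tags and branches (v4, main) are mutable and can be moved by the action owner."""
    return bool(FULL_SHA_RE.match(ref))


def audit_workflows(workflows):
    """workflows: {path: text}. Returns three findings a reviewer can act on."""
    unpinned = []         # (path, action, ref): pinned to a mutable tag or branch
    missing_comment = []  # (path, action): SHA with no `# vX.Y.Z` comment, so neither
                          # humans nor a simple update script can tell which release it is
    refs_by_action = defaultdict(set)
    for path, text in workflows.items():
        for action, ref, comment in find_action_refs(text):
            refs_by_action[action].add(ref)
            if not is_sha_pinned(ref):
                unpinned.append((path, action, ref))
            elif comment is None:
                missing_comment.append((path, action))
    # Version consistency: the same action at two refs across the repository means
    # one copy has gone stale relative to the other.
    inconsistent = {a: sorted(r) for a, r in refs_by_action.items() if len(r) > 1}
    return {"unpinned": unpinned, "missing_comment": missing_comment, "inconsistent": inconsistent}


# Placeholder SHAs for the constructed sample, not real commits of any action.
SHA_A = "0123456789abcdef0123456789abcdef01234567"
SHA_B = "fedcba9876543210fedcba9876543210fedcba98"
SHA_C = "1" * 40

SAMPLE_WORKFLOWS = {  # constructed sample input
    ".github/workflows/ci.yml": f"""
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{SHA_A} # v4.1.0
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-step
""",
    ".github/workflows/release.yml": f"""
name: release
on: [push]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{SHA_B} # v4.1.1
      - uses: actions/attest-build-provenance@{SHA_C}
""",
}

if __name__ == "__main__":
    for finding, items in audit_workflows(SAMPLE_WORKFLOWS).items():
        print(f"{finding}: {items}")
```

Run against a real checkout by reading every file under `.github/workflows/` into the `workflows` dict; each non-empty finding list maps directly to an Evidence or Gap cell in the tables above.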

## Standards Mapping

### OpenSSF Scorecard

| # | Check | Risk | Current Score | Evidence | Gap |
|----|------------------------|----------|---------------|------------|-----------------------------|
| 1 | Binary-Artifacts | High | [0–10] | [Evidence] | [Gap description or "None"] |
| 2 | Branch-Protection | High | [0–10] | [Evidence] | [Gap description or "None"] |
| 3 | CI-Tests | Low | [0–10] | [Evidence] | [Gap description or "None"] |
| 4 | CII-Best-Practices | Low | [0–10] | [Evidence] | [Gap description or "None"] |
| 5 | Code-Review | High | [0–10] | [Evidence] | [Gap description or "None"] |
| 6 | Contributors | Low | [0–10] | [Evidence] | [Gap description or "None"] |
| 7 | Dangerous-Workflow | Critical | [0–10] | [Evidence] | [Gap description or "None"] |
| 8 | Dependency-Update-Tool | High | [0–10] | [Evidence] | [Gap description or "None"] |
| 9 | Fuzzing | Medium | [0–10] | [Evidence] | [Gap description or "None"] |
| 10 | License | Low | [0–10] | [Evidence] | [Gap description or "None"] |
| 11 | Maintained | High | [0–10] | [Evidence] | [Gap description or "None"] |
| 12 | Packaging | Medium | [0–10] | [Evidence] | [Gap description or "None"] |
| 13 | Pinned-Dependencies | Medium | [0–10] | [Evidence] | [Gap description or "None"] |
| 14 | SAST | Medium | [0–10] | [Evidence] | [Gap description or "None"] |
| 15 | SBOM | Medium | [0–10] | [Evidence] | [Gap description or "None"] |
| 16 | Security-Policy | Medium | [0–10] | [Evidence] | [Gap description or "None"] |
| 17 | Signed-Releases | High | [0–10] | [Evidence] | [Gap description or "None"] |
| 18 | Token-Permissions | High | [0–10] | [Evidence] | [Gap description or "None"] |
| 19 | Vulnerabilities | High | [0–10] | [Evidence] | [Gap description or "None"] |
| 20 | Webhooks | Critical | [0–10] | [Evidence] | [Gap description or "None"] |

### SLSA Build Track

| Level | Requirements | Current State |
|----------|---------------------------------------------------|-----------------------------|
| Build L0 | No requirements | [Baseline] |
| Build L1 | Provenance exists and is distributed to consumers | [Assessment of L1 criteria] |
| Build L2 | Hosted build platform, signed provenance | [Assessment of L2 criteria] |
| Build L3 | Build runs in isolation, signing key isolation | [Assessment of L3 criteria] |

**Current level:** [Build L0/L1/L2/L3]

**Target level:** [Build L0/L1/L2/L3]

**Steps to advance:** [Description of steps needed to reach target level]

### Best Practices Badge

| Tier | Focus | Readiness |
|---------|-----------------------------|------------------------------------|
| Passing | Basic hygiene (67 criteria) | [Assessment of criteria readiness] |
| Silver | Governance + quality | [Assessment of criteria readiness] |
| Gold | Advanced security | [Assessment of criteria readiness] |

**Current tier:** [Not enrolled/Passing/Silver/Gold]

**Target tier:** [Passing/Silver/Gold]

**Missing criteria:** [List of missing criteria]

### Sigstore Maturity

| Level | Criteria | Current State |
|--------------|------------------------------------------------------------|---------------|
| Not adopted | No signing or attestation in place | [Assessment] |
| Basic | Build provenance via `actions/attest-build-provenance` | [Assessment] |
| Intermediate | Build provenance + SBOM attestation via `actions/attest` | [Assessment] |
| Advanced | Tag signing via gitsign + provenance + SBOM + verification | [Assessment] |

**Current level:** [Not adopted/Basic/Intermediate/Advanced]

**Target level:** [Basic/Intermediate/Advanced]

### SBOM Compliance

| Element | Current State |
|----------------------|-------------------------------------------------|
| Format | [SPDX-JSON, CycloneDX, or None] |
| Generator | [anchore/sbom-action, MS SBOM Tool, or None] |
| Distribution | [Release attachment, dependency graph, or None] |
| NTIA: Supplier | [Present/Absent] |
| NTIA: Component Name | [Present/Absent] |
| NTIA: Version | [Present/Absent] |
| NTIA: Unique ID | [Present/Absent] |
| NTIA: Dependencies | [Present/Absent] |
| NTIA: Author | [Present/Absent] |
| NTIA: Timestamp | [Present/Absent] |
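
The NTIA rows above are filled by inspecting the SBOM itself. As an added example that is not part of this template or of either project's tooling, the script below evaluates an SPDX 2.x JSON document against the seven NTIA minimum elements and emits rows in the table's own shape. The SBOM is constructed inline, and the mapping from each NTIA element to an SPDX field (stated in the code comments) is this example's assumption rather than something the template prescribes.

```python
"""Check an SPDX 2.x JSON SBOM against the NTIA minimum elements.

Added example for the SBOM Compliance table; not code from hve-core,
physical-ai-toolchain, or any SBOM generator. The SPDX document below is
constructed. Mapping NTIA elements onto SPDX fields is this example's
assumption: Supplier -> `supplier`, Unique ID -> a purl or CPE external
reference, Dependencies -> a DEPENDS_ON/DEPENDENCY_OF/CONTAINS relationship,
Author/Timestamp -> `creationInfo.creators` / `creationInfo.created`.
"""
import json

# SPDX lets a generator write NOASSERTION/NONE instead of a value; for NTIA
# purposes that is the same as the field being absent.
NO_VALUE = {"NOASSERTION", "NONE", ""}
NTIA_ELEMENTS = ("Supplier", "Component Name", "Version", "Unique ID",
                 "Dependencies", "Author", "Timestamp")
DEPENDENCY_TYPES = {"DEPENDS_ON", "DEPENDENCY_OF", "CONTAINS"}


def _field_present(pkg, field):
    return str(pkg.get(field, "")).strip() not in NO_VALUE


def _has_unique_id(pkg):
    """An SPDXID is only unique inside one document; matching components across
    SBOMs and vulnerability feeds needs a purl or CPE external reference."""
    return any(ref.get("referenceType") in ("purl", "cpe23Type", "cpe22Type")
               and ref.get("referenceLocator")
               for ref in pkg.get("externalRefs", []))


def check_ntia_elements(sbom):
    """Return {element: "Present"|"Absent"} keyed like the template's NTIA rows.
    Package-level elements count as Present only when every package has them."""
    pkgs = sbom.get("packages", [])
    info = sbom.get("creationInfo", {})
    rels = sbom.get("relationships", [])
    present = {
        "Supplier": bool(pkgs) and all(_field_present(p, "supplier") for p in pkgs),
        "Component Name": bool(pkgs) and all(_field_present(p, "name") for p in pkgs),
        "Version": bool(pkgs) and all(_field_present(p, "versionInfo") for p in pkgs),
        "Unique ID": bool(pkgs) and all(_has_unique_id(p) for p in pkgs),
        "Dependencies": any(r.get("relationshipType") in DEPENDENCY_TYPES for r in rels),
        "Author": bool(info.get("creators")),
        "Timestamp": bool(info.get("created")),
    }
    return {e: "Present" if present[e] else "Absent" for e in NTIA_ELEMENTS}


def package_gaps(sbom):
    """Per-package missing fields, for the assessment's Evidence/Gap columns."""
    gaps = []
    for p in sbom.get("packages", []):
        missing = [f for f in ("name", "versionInfo", "supplier") if not _field_present(p, f)]
        if not _has_unique_id(p):
            missing.append("externalRefs(purl/cpe)")
        if missing:
            gaps.append((p.get("name") or p.get("SPDXID", "?"), missing))
    return gaps


def ntia_markdown_rows(sbom):
    """Rows in the exact shape of the SBOM Compliance table."""
    return [f"| NTIA: {e} | {s} |" for e, s in check_ntia_elements(sbom).items()]


SAMPLE_SBOM = json.loads("""{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app",
  "creationInfo": {"created": "2024-05-01T12:00:00Z",
                   "creators": ["Tool: example-generator-0.1", "Organization: Example Org"]},
  "packages": [
    {"name": "example-app", "SPDXID": "SPDXRef-Package-example-app", "versionInfo": "1.4.2",
     "supplier": "Organization: Example Org",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:npm/example-app@1.4.2"}]},
    {"name": "left-pad", "SPDXID": "SPDXRef-Package-left-pad", "versionInfo": "1.3.0",
     "supplier": "NOASSERTION",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:npm/left-pad@1.3.0"}]}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
     "relatedSpdxElement": "SPDXRef-Package-example-app"},
    {"spdxElementId": "SPDXRef-Package-example-app", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "SPDXRef-Package-left-pad"}
  ]
}""")  # constructed sample; real generator output carries many more fields

if __name__ == "__main__":
    print("\n".join(ntia_markdown_rows(SAMPLE_SBOM)))
    print(package_gaps(SAMPLE_SBOM))
```

In the constructed sample the second package carries `"supplier": "NOASSERTION"`, so the Supplier row comes out Absent while the other six are Present; `package_gaps` names the offending package so the gap can be traced to the generator configuration rather than left as a bare Absent.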

## Gap Analysis

| Gap | Scorecard Check | Risk | Current State | Target State | Adoption Type | Effort | Reference |
|---------------|-----------------|---------|---------------|--------------|---------------------|------------|---------------------------|
| [Description] | [Check name] | [Level] | [Current] | [Target] | [Adoption category] | [S/M/L/XL] | [Workflow or script path] |

### Adoption Categories

| Category | Description |
|----------------------------|-------------------------------------------------------|
| Reusable Workflow Adoption | Reference an hve-core workflow via `uses:` |
| Workflow Copy/Modify | Copy and adapt a workflow to the target repository |
| Reusable Workflow + Script | Adopt both a reusable workflow and supporting scripts |
| Platform Configuration | GitHub or Azure DevOps settings via UI or API |
| New Capability | Build something not available in existing toolchains |
| N/A / Organic | Not actionable; improves through natural activity |

## Improvement Projections

### Scorecard Projection

| # | Check | Risk | Current Score | Projected Score | Related Work Items |
|----|------------------------|----------|---------------|-----------------|--------------------|
| 1 | Binary-Artifacts | High | [Current]/10 | [Projected]/10 | [WI-SSSC-NNN] |
| 2 | Branch-Protection | High | [Current]/10 | [Projected]/10 | [WI-SSSC-NNN] |
| 3 | CI-Tests | Low | [Current]/10 | [Projected]/10 | [WI-SSSC-NNN] |
| 4 | CII-Best-Practices | Low | [Current]/10 | [Projected]/10 | [WI-SSSC-NNN] |
| 5 | Code-Review | High | [Current]/10 | [Projected]/10 | [WI-SSSC-NNN] |
| 6 | Contributors | Low | [Current]/10 | [Projected]/10 | N/A |
| 7 | Dangerous-Workflow | Critical | [Current]/10 | [Projected]/10 | [WI-SSSC-NNN] |
| 8 | Dependency-Update-Tool | High | [Current]/10 | [Projected]/10 | [WI-SSSC-NNN] |
| 9 | Fuzzing | Medium | [Current]/10 | [Projected]/10 | [WI-SSSC-NNN] |
| 10 | License | Low | [Current]/10 | [Projected]/10 | [WI-SSSC-NNN] |
| 11 | Maintained | High | [Current]/10 | [Projected]/10 | N/A |
| 12 | Packaging | Medium | [Current]/10 | [Projected]/10 | N/A |
| 13 | Pinned-Dependencies | Medium | [Current]/10 | [Projected]/10 | [WI-SSSC-NNN] |
| 14 | SAST | Medium | [Current]/10 | [Projected]/10 | [WI-SSSC-NNN] |
| 15 | SBOM | Medium | [Current]/10 | [Projected]/10 | [WI-SSSC-NNN] |
| 16 | Security-Policy | Medium | [Current]/10 | [Projected]/10 | [WI-SSSC-NNN] |
| 17 | Signed-Releases | High | [Current]/10 | [Projected]/10 | [WI-SSSC-NNN] |
| 18 | Token-Permissions | High | [Current]/10 | [Projected]/10 | [WI-SSSC-NNN] |
| 19 | Vulnerabilities | High | [Current]/10 | [Projected]/10 | [WI-SSSC-NNN] |
| 20 | Webhooks | Critical | [Current]/10 | [Projected]/10 | [WI-SSSC-NNN] |

**Estimated overall score:** [Current total] → [Projected total] out of 200

### SLSA Assessment

| Field | Value |
|-----------------|----------------------------------|
| Current level | Build L[0/1/2/3] |
| Projected level | Build L[0/1/2/3] |
| Remaining steps | [Steps needed beyond work items] |

### Badge Readiness

| Field | Value |
|---------------------|------------------------------------|
| Current readiness | [Not enrolled/Passing/Silver/Gold] |
| Projected readiness | [Passing/Silver/Gold] |
| Missing criteria | [List of criteria still unmet] |

## Backlog Items

### [P1] [Work Item Title]

**Scorecard Check:** [Check name] | **Risk:** [Critical/High/Medium/Low]

**Effort:** [S/M/L/XL] | **Adoption Type:** [Category]

**Prerequisite:** [WI-SSSC-NNN or "None"]

#### Description

[What needs to be done and why — include the security benefit]

#### Adoption Steps

1. [Concrete step with file path or workflow reference]
2. [Next step]

#### Acceptance Criteria

- [ ] [Verifiable criterion]
- [ ] [Verifiable criterion]

#### ADO Mapping

- Type: [Epic/Feature/User Story/Task]
- Tags: supply-chain, ossf, [scorecard-check], [adoption-type]

#### GitHub Mapping

- Labels: supply-chain, ossf, [scorecard-check], [adoption-type]
- Milestone: [Milestone name]

🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.