Supply chain attacks are on the rise. Open source maintainers must take action to mitigate the risk of compromise by securing the build infrastructure of their projects commensurately with that risk.

To help mitigate the impact of these attacks, the CNCF TAG Security group has created the CNCF Software Supply Chain Security Best Practices and the corresponding Secure Software Factory reference architecture. The goal of CNCF TAG Security's Supply Chain Security WG is to help open source organizations and projects evaluate gaps in their current software supply chain and to provide a path forward for remediating them based on the best practices and reference architecture.

As part of a concerted effort from the CNCF to help maintainers bridge this gap, TAG Security is conducting this survey as a first step toward a deeper understanding of the supply chain challenges that project maintainers are confronted with, in order to formulate from there how best to engage and help.

These questions refer to your organization or project:

* 1. Which project are you filling in the survey for? (please provide a link to the project/repo)

* 2. When you refer to supply chain security within your organization or project, which of the following most closely matches what you mean:

* 3. What are the preventative steps you have taken in your project for supply chain security?

* 4. What tools do you use in securing and orchestrating your supply chain?

* 5. What are the tools and technologies you use for the above?

* 6. What motivates you to secure your end-to-end supply chain pipeline?

* 7. Do you have a process in place to handle supply chain security incidents?

* 8. Would you be interested in joining a pilot program in which the CNCF Supply Chain Security WG provides you with recommendations and guidelines on how your project can align with the best practices and reference architecture?

* 9. If yes, how many hours per week could your project dedicate to supply chain security engineering?

* 10. What does your stack look like? (e.g. languages, major frameworks)

* 11. How large is the project? Please give the number of git clones and visitors to the page.

* 12. How large is the project? Please give the number of maintainers.

* 13. What else could the CNCF Security TAG be doing to help you secure your supply chain?