CDF Special Interest Groups

Software Supply Chain

6 members

In addition to identifying and working on relevant topics, the Software Supply Chain Security (SSCS) SIG takes a practice-oriented approach: it implements proofs of concept and sample pipelines using various CI/CD technologies and tools to show how those tools can be used in a software supply chain, how good practices can be applied, and what opportunities exist. A critical requirement for success is collaboration between DevOps practitioners and CDF-hosted projects such as Tekton and Jenkins. Collaboration with the existing CDF SIGs, including but not limited to Interoperability, Events, and Best Practices, is also critical, since some of the topics driven by those SIGs, such as metadata standardization and events, bear directly on the topics this SIG works on, such as SBOMs and vulnerability notification. The SIG will also look for synergies between CDF and other communities such as OpenSSF and the projects and working groups it hosts, including Sigstore, SLSA, the Security Tooling WG, and the Supply Chain Integrity WG, to ensure that CI/CD aspects of supply chain security are not overlooked.

Past events

Virtual Event

SIG Software Supply Chain Test Meeting

Organizers

Fatih Degirmenci

Principal Developer
Continuous Delivery Foundation

Kara de la Marck

CDF Ecosystem Advocate