Linux Foundation adds software supply chain security to LFX

“LFX supports projects and empowers open source teams by enabling them to write better, more secure code, drive engagement, and grow sustainable software ecosystems,” the Linux Foundation says. Now, to address the growing threat of software supply chain attacks, the foundation is upgrading its LFX Security module to deal with these attacks.

Jim Zemlin, the Linux Foundation’s executive director, announced this new tooling today at the Linux Foundation Membership Summit. 

Enhanced and free to use, LFX Security makes it easier for open source projects to secure their code. Specifically, the LFX Security module now includes automatic scanning for secrets-in-code and non-inclusive language, adding to its existing automated vulnerability detection capabilities. Software security firm BluBracket is contributing this functionality to the LFX as part of its mission to make software safer and more secure. This functionality builds on contributions from open source developer security company Snyk, helping make LFX the leading vulnerability detection platform for the open source community.

LFX Security now includes:

Vulnerabilities Detection: LFX tracks how many known vulnerabilities have been found in open source programs; identifies vulnerabilities that have already been fixed; and then reports on the number of fixes per project through an intuitive dashboard. Fixing known open source vulnerabilities in open source projects helps cleanse software supply chains at their source, greatly enhancing the quality and security of code further downstream in development pipelines. Snyk provides this functionality for the community and has helped open source software projects remediate nearly 12,000 known security vulnerabilities in their code.

Code Secrets Detection: BluBracket’s contributions detect secrets-in-code, such as passwords, credentials, keys, and access tokens both pre-and post-commit. Left untouched, these secrets are used by hackers to gain entry into repositories and other important code infrastructure. 

Non-Inclusive Language Detection: BluBracket’s contributions also include the ability to detect non-inclusive and offensive language in project code. This language, which may have been accepted in earlier generations, is no longer a joke. It can stop users/developers from using the code and ultimately serves as a barrier to creating a welcoming and inclusive community. BluBracket worked with the Inclusive Naming Initiative on this functionality.

“It’s up to all of us to secure our software supply chain, and we are grateful to Snyk and BluBracket for their significant contributions to the open-source community,” Zemlin said during the membership summit.

“We believe the Linux Foundation’s LFX Security project is the absolute best way for critical software projects to secure their code… We know that LFX Security will greatly enhance our software supply chain’s security, and we look forward to working with the community to keep code safe,” Prakash Linga, BluBracket’s founder and CEO, added.

LFX Security will be further scaled out in 2022, helping to solve challenges for hundreds of thousands of critical open source projects under the Open Source Security Foundation. LFX Security is free and available now.

Related Stories:

• Codenotary: Notarize and verify your software bill of materials
• Linux and open-source communities rise to Biden’s cybersecurity challenge
• Linux Foundation announces new open-source software signing service