This repository is for the work of CoSAI Workstream 1, Software Supply Chain Security for AI Systems. CoSAI is an OASIS Open Project and an open ecosystem of AI and security experts from industry-leading organizations dedicated to sharing best practices for secure AI deployment and collaborating on AI security research and product development. For more information on CoSAI, please visit the CoSAI website and the Open Project repository, which has information on governance and the project charter.
Significant efforts are ongoing to extend SSDF and SLSA principles to the security of AI development. Classical SSDF and SLSA solutions for software provide the foundation for secure software development, yet individual organizations continue to face challenges integrating provenance solutions into their infrastructure and development practices, including determining how to address changes in provenance proofs, shifts in publisher trust, and similar issues. As the efforts to expand provenance controls into the AI domain advance, this CoSAI workstream will focus on lowering the barriers to AI provenance adoption and risk management. Further information can be found here.
- Andre Elizondo, Wiz
- Jay White, Microsoft
- Matt Maloney, Cohere
Check out our onboarding guidance for new participants and please see the CoSAI Contributing policy for more details.
Add names / GitHub profile links for those who have contributed to this repository. If you have a maintainers list, link to it here.
For issues or feature requests, please use GitHub issues. You can also join the workstream mailing list by sending an empty email to cosai-supply-chain-ws+subscribe@lists.oasis-open-projects.org. You can read the mailing list archive here.
You can also join us on Slack via this link and introduce yourself in the #ws1-supply-chain channel.
CoSAI and the CoSAI workstreams operate under the terms of the Open Project Rules, the CoSAI Governance and Workstream Governance, as well as the following licenses:
- CC-BY 4.0 for documentation and data contributions; and
- Apache License v2.0 for source code and models.
The applicable license will be determined for each repository at the time of its creation.
See RFC Template.
