Open Source Tech Improvement Fund (OSTIF) is proud to announce that our work with Chainguard on the supply chain review of Git for Windows is complete.

We’d like to thank Adolfo and John Speed at Chainguard for their work on this review, and Turbo at GitHub for their help connecting people for this portion of the project. We’d also like to thank Google and OpenSSF for their financial support, which made this work possible.

This supply chain review is part of a larger effort to make notable improvements to the security posture of Git. The other work packages are a manual review of Git’s source code, which is already complete, and improvements to Git’s security testing by helping to build a suite of custom CodeQL rules (being carried out by the CodeQL team at GitHub).

The full report is available here:
https://ostif.org/wp-content/uploads/2023/03/git-slsa-audit-full-v2.pdf

There’s a lot more information about Chainguard’s work and their findings here:
https://www.chainguard.dev/unchained/chainguard-conducts-slsa-audit-of-git