The project must have a minimum of three maintainers with a minimum of two different organizational affiliations.

• Sarah Christoff, Defense Unicorns, @sscristoff-du
• Austin Abro, Defense Unicorns, @AustinAbro321
• Lucas Rodriguez, Defense Unicorns, @lucasrod16
• Danny Gershman, Radius Method, @dgershman

Most projects will report to an existing OpenSSF Working Group, although in some cases a project may report directly to the TAC. The project commits to providing quarterly updates on progress to the group they report to.

• WG Supply Chain Integrity

The project must be aligned with the OpenSSF mission and either be a novel approach for existing areas, address an unfulfilled need, or be initial code needed for OpenSSF WG work. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project.

• Zarf eliminates the complexity of air gap software delivery for Kubernetes clusters and cloud-native workloads using a declarative packaging strategy to support DevSecOps in offline and semi-connected environments.

When contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF).

LF License Intake Scan Report:

LICENSE INTAKE SCAN & ANALYSIS: OpenSSF: Zarf DISTRIBUTION: Amanda Martin, #341

This intake scan is a static analysis of the source code in your repository. A dependency scan was not performed. Once a project is added to LFX [https://security.lfx.linuxfoundation.org], you can use SNYK to view a dependency scan for both licenses and vulnerabilities. CODE SCANNED: [pulled 19–JUNE-2024] https://github.com/defenseunicorns/zarf

PROJECT LICENSE: Apache-2.0

Top level project license file found in repo SPDX LICENSE IDENTIFIERS: SPDX license identifiers were found in source file headers.

PERMISSIVE LICENSES: Apache-2.0

COPYLEFT LICENSES: None found

SOURCE AVAILABLE LICENSES: None found

PROPRIETARY LICENSES: None found

LICENSE CONFLICTS: None found

BINARY / PACKAGE FILES: None found

THIRD PARTY CODE / DEPENDENCIES: None found

THIRD PARTY NOTICE FILE: None found

SUMMARY FINDINGS: All of the scanned code is under the project license, Apache-2.0. SPDX license identifiers were found in source file headers. No license conflicts found. No dependencies or third party code detected in repo.

The project should provide a list of existing resources with links to the repository, and if available, website, a roadmap, contributing guide, demos and walkthroughs, and any other material to showcase the existing breadth, maturity, and direction of the project.