8 August | Hyderabad, India

The Sched app allows you to build your schedule, but it is not a substitute for event registration. To participate in the sessions, you must be registered for OpenSSF Community Day India 2025. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is displayed in India Standard Time (IST).

Schedule is subject to change.
Type: 15 Minutes Presentation
Monday, August 4

10:40 IST

Vibe Coding With AI Is Cool Until You Get Hacked - Achanandhi M, Keploy
Monday August 4, 2025 10:40 - 10:55 IST
There are a lot of new advancements coming up in the AI landscape, like vibe coding, MCP, and Agents2Agents. Not just that, people are using AI coding assistant tools in their day-to-day life. There is a lot of hype around AI, but wait, we tend to forget one thing, and that is security.

There are a lot of problems in consuming all those AI coding assistant tools and LLMs. How do you know the code generated by your favourite coding assistant is not vulnerable? How do you verify it? Your code might use deprecated libraries or vulnerable ones too, right? LLMs have their own knowledge cut-off date, right? Then how do you make sure you are writing secure and clean code?

Don’t worry, that’s where Codegate comes in, one of the popular open-source projects which solves these problems. Codegate acts as a proxy between your LLMs and coding assistants, analyzes the code generated by LLMs, fixes it, and recommends best practices to write secure code. Everything happens locally; nothing goes outside of your machine.

Most people are not aware of this popular open-source project. In my talk, I will show how Codegate helps you to consume the code generated by your favourite coding tools.
Speakers
Achanandhi M

Developer Advocate, Keploy
I love talking about Technology and Communities :)
Monday August 4, 2025 10:40 - 10:55 IST
Meeting Room 1 + 2

12:30 IST

How Insecure Defaults Led To Undetected Supply Chain Incident: A CI/CD Security Nightmare - Vipul Gupta, Balena
Monday August 4, 2025 12:30 - 12:45 IST
As an open-source company publishing packages and contributing widely, we navigate the complex balance of open code and private signing credentials for macOS, Linux, and Windows. This combination became a serious vulnerability when insecure defaults in our CI/CD pipeline created an undetected attack vector with potentially devastating consequences.

In this talk, we unpack how a 2-year-old token, exposed via a misconfigured Action with no expiration or alerting, enabled bad actors to potentially manipulate public images and forced revocation of our code signing credentials.

We’ll walk through:

1. Our detailed forensic investigation: diffing registry images, scanning across npm, PyPI, and Docker Hub, and tracing the exposed token.

2. What went wrong: lack of artifact scanning, weak secret hygiene, and implicit trust in CI defaults.

3. Practical security improvements you can make — automated scanners, secret permissions, security reviews, and much more.

By sharing our experience, we aim to help the community identify and mitigate this highly exploitable attack vector that can remain undetected for years to prevent supply chain attacks before they happen.
Speakers
Vipul Gupta

Senior Software Engineer, Balena
Vipul Gupta is a seasoned engineer with deep expertise in building hardtech products, scalable pipelines, & sustaining communities. Founded Mixster to write open-source documentation for startups. Occasionally reads, meticulously documents, and continuously automates, Vipul has... Read More →
Monday August 4, 2025 12:30 - 12:45 IST
Meeting Room 1 + 2

12:50 IST

Malicious Package Scanning Using Vet | Supply Chain Security - Teja Kummarikuntla, Harness
Monday August 4, 2025 12:50 - 13:05 IST
Open source ecosystems frequently face supply chain attacks via malicious packages hidden in trusted registries. vet is an open-source security tool designed specifically to detect potentially malicious packages through behavioral and heuristic analysis.

This session covers:

Supply chain attacks: Brief overview and recent cases of malware found in popular ecosystems such as npm and PyPI.

Vet introduction: How vet identifies suspicious packages beyond traditional CVE-based scanning (Malware Analysis Docs: https://docs.safedep.io/cloud/malware-analysis).

Technical walkthrough: Practical use of vet in CI/CD pipelines and developer workflows (CLI and GitHub Actions examples).

Actionable outcomes: Understanding and responding to vet results effectively.
Speakers
Teja Kummarikuntla

Developer Relations Engineer, Harness
Teja is a Developer Advocate, podcaster and open-source contributor; his interest lies in understanding and improving the developer experience and evangelizing through the developer community.
Monday August 4, 2025 12:50 - 13:05 IST
Meeting Room 1 + 2

14:30 IST

From Code To Kernel: Enforcing Supply Chain Security for Linux Distributions - Aditya Soni, Forrester Research & Anshika Tiwari, AWS
Monday August 4, 2025 14:30 - 14:45 IST
The security of a Linux distribution depends on the integrity of its entire software supply chain, from source code to compiled binaries. With rising threats like dependency poisoning, malicious injections, and package manager compromises, securing the supply chain is no longer optional.

This talk will present a practical framework for strengthening Linux supply chain security.

We'll cover:
1. Verifying source authenticity with cryptographic signing and reproducible builds.
2. Automating SBOM generation to track dependencies and prevent supply chain attacks.
3. Enforcing integrity using open-source tools like Sigstore (Cosign, Rekor), in-toto, and OpenSCAP.
4. Analyzing real-world attack scenarios and how to mitigate them effectively.

By the end, attendees will gain actionable strategies to prevent tampering, detect anomalies early, and ensure trusted software delivery across open-source Linux distributions.
Speakers
Aditya Soni

DevOps Engineer II, CNCF Ambassador, Forrester Research
Aditya Soni is a DevOps/SRE tech professional. He has worked with product- and service-based companies including Red Hat and Searce, and is currently positioned at Forrester Research as a DevOps Engineer II. He holds AWS, GCP, Azure, Red Hat, and Kubernetes certifications. He is a CNCF Ambassador... Read More →
Anshika Tiwari

CSA - Cloud Engineer, AWS
Anshika is a passionate DevOps/SRE Engineer who is always eager to learn and implement cloud-native solutions; she has contributed to streamlining deployment processes and enhancing system reliability. She is eager to share her experiences and insights at conferences, contributing to... Read More →
Monday August 4, 2025 14:30 - 14:45 IST
Meeting Room 1 + 2

15:40 IST

Enhancing Vulnerability Triage With VEX: A GSoC Journey in CVE Binary Tool - Sanskar Sharma, Nirmata
Monday August 4, 2025 15:40 - 15:55 IST
The triage process in the CVE Binary Tool enables users to customize vulnerability reports by adding contextual information such as mitigations or justifications for ignoring certain issues. This feature is especially useful for filtering out false positives or highlighting cases where a vulnerability is deemed non-exploitable based on a specific risk assessment.

While the CVE Binary Tool has offered basic triage support for some time, this GSoC project significantly extended its capabilities by integrating support for all four major VEX formats: CSAF, CycloneDX, OpenVEX, and SPDX. This was made possible through the integration of the lib4vex library, which provides robust parsing and generation of VEX documents across these different standards.

This talk will walk through the development journey, detailing the challenges faced while implementing VEX support and the key decisions that shaped the final solution.
Speakers
Sanskar Sharma

Intern, Nirmata
Hi, I’m Sanskar Sharma, a maintainer of the CVE Binary Tool under Intel. As a GSoC contributor, I added support for CSAF, CycloneDX, OpenVEX, and SPDX VEX formats using lib4vex to enhance vulnerability triage. I’ve also been an LFX mentee, working on Inspektor Gadget to improve... Read More →
Monday August 4, 2025 15:40 - 15:55 IST
Meeting Room 1 + 2

16:55 IST

Debian Inspired Container-first Linux Distro - Abhishek Anand, Koalalab & Abhimanyu Dhamija, KoalaLab
Monday August 4, 2025 16:55 - 17:10 IST
Kubernetes drove the transition from VMs to containers, but Linux distro tooling (package managers and package archives) remained focused on a full-blown OS. Distros didn't adapt to serve the needs of a containerised SDLC.

Containers are meant to run single processes in isolation, but package management is built for VMs, leading to bloated containers that increase the attack surface for applications and create patching overhead for developers.

Minimal containers are becoming the standard for modern application development.

This talk explores an approach for creating a Debian-inspired distro with a container-first design.

Debian container bloat stems from:
1. Essential packages needed for VMs but not containers - like bash, libc6
2. APT package manager footprint - installs 59 packages
3. Maintainer script dependencies in Debian packages - scripts can require runtimes like perl, python etc

Proposing a new approach:
1. Portable APT replacement implemented in Go
2. Reimplementing maintainer scripts with minimal dependencies
3. Bootstrapping a distro so that only required packages can be installed, no "essentials"
Speakers
Abhishek Anand

Co-Founder/CTO, Koalalab
Tech entrepreneur building in Open Source Security. Previously: CTO @ Housing.com (scaled infra to 13Mn daily traffic); Platform engineering @ WhitehatJr (built a self-serve Kubernetes platform); YC Alum.
Abhimanyu Dhamija

Co-founder, KoalaLab
Founder & CEO, KoalaLab: software supply chain security and open-source security. Previously: Head of Data Sciences @ Housing.com; Quant @ Citigroup.
Monday August 4, 2025 16:55 - 17:10 IST
Meeting Room 1 + 2

17:15 IST

UEFI Secure Boot in Linux - Sumeet Pawnikar, Cisco
Monday August 4, 2025 17:15 - 17:30 IST
Abstract:
This tech talk will give a comprehensive overview of Secure Boot support under the UEFI-based GRUB bootloader on x86-based platforms. It explains the dependencies and available kernel options, with code snippets, to enable UEFI-based Secure Boot support. It also touches upon the steps for Secure Boot enablement on VMs.


Agenda brief:
+ What is Secure Boot? Benefits, pros and cons, and requirements in the boot sequence.
+ Why is Secure boot required in today's world?
+ What's the Significance of Shim in Secure boot?
+ What is UEFI and different bootloaders like GRUB and others?
+ What is UEFI's role in GRUB for secure boot?
+ What are the dependencies and available options in Linux kernel with respect to UEFI and GRUB for Secure boot enablement?
+ Signing the UEFI binaries and Custom kernel modules with keys.
+ Step by step guide on required signing tools with Certificates.
+ How to enable Secure boot for a Virtual Machine?
+ Verification of secure boot on Linux based platforms.
Speakers
Sumeet Pawnikar

Software Architect, Cisco
+ An experienced Platform Software Architect who has mainly worked in Linux device drivers, kernel, BSP and firmware/bootloader development on Linux-based OS platforms like Android, Chrome and RTOS.
+ Active contributor to Linux mainline kernel and device driver development.
+ Maintainer... Read More →
Monday August 4, 2025 17:15 - 17:30 IST
Meeting Room 1 + 2