About The Project

Factory for Repeatable Secure Creation of Artifacts (aka FRSCA, pronounced Fresca) aims to help secure the supply chain by securing build pipelines.

It achieves its goals by being 2 things:

  1. A suite of build, pipeline, signing, visibility, identity, and policy tools configured to operate securely.
  2. A set of build pipeline abstractions and definitions with security guardrails ensuring all builds follow supply chain security best practices.

At its core FRSCA uses these projects to achieve its goals:

  • Kubernetes - For control plane
  • Tekton Pipelines - For build pipelines
  • Tekton Chains - For pipeline task observation
  • Sigstore - For signing software, attestations, SBOMs and other metadata
  • SPIFFE/Spire - For build workload identities
  • Vault - For secrets management
  • Helm and CUE - For provisioning Kubernetes resources
  • CUE - For secure pipeline abstractions and definitions

See the Architecture Docs for more info.

FRSCA is also an implementation of the CNCF's Secure Software Factory Reference Architecture, which is based on the CNCF's Software Supply Chain Best Practices White Paper. It is also intended to follow SLSA requirements closely and generate in-toto attestations for SLSA provenance predicates.
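
A consumer-side check on the kind of attestation mentioned above, as an added example that is not FRSCA's own code: it decodes a DSSE envelope holding an in-toto statement and checks its SLSA provenance fields against a policy. It assumes the SLSA v0.2 predicate layout; the function names, digest, image name and builder id are constructed for illustration, and the envelope signature is assumed to have been verified already (for example with cosign).

```python
import base64
import json

INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SLSA_V02 = "https://slsa.dev/provenance/v0.2"  # assumed predicate version


def check_provenance(envelope, artifact_sha256, trusted_builders):
    """Return a list of policy violations; an empty list means the statement passes.

    Only the signed payload is inspected here. The DSSE signature must be
    verified before this function is called.
    """
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        return ["payloadType is not an in-toto statement"]
    try:
        stmt = json.loads(base64.b64decode(envelope["payload"], validate=True))
    except (KeyError, ValueError):
        return ["payload is not valid base64-encoded JSON"]
    if not isinstance(stmt, dict):
        return ["statement is not a JSON object"]
    problems = []
    if stmt.get("predicateType") != SLSA_V02:
        problems.append("predicateType is not SLSA v0.2 provenance")
    # The attestation must be about the artifact we are about to deploy.
    digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if artifact_sha256 not in digests:
        problems.append("artifact digest is not a subject of this attestation")
    # The build must have been produced by a builder the policy trusts.
    builder = stmt.get("predicate", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        problems.append(f"untrusted builder: {builder!r}")
    return problems


def make_envelope(statement):
    """Wrap a statement in an unsigned DSSE-shaped envelope (constructed sample data)."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": INTOTO_PAYLOAD_TYPE, "payload": payload, "signatures": []}


# Constructed sample: digest, name and builder id are placeholders, not FRSCA output.
SAMPLE_DIGEST = "a" * 64
SAMPLE_BUILDER = "https://builder.example/tekton-chains"
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SLSA_V02,
    "subject": [{"name": "registry.example/app", "digest": {"sha256": SAMPLE_DIGEST}}],
    "predicate": {"builder": {"id": SAMPLE_BUILDER}, "buildType": "https://example/build"},
}
```

An attestation that passes these checks but was never signature-verified proves nothing, so this belongs after signature verification in an admission or promotion gate.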

NOTE: FRSCA is under very active development. A lot will change, and it isn't production ready yet.


To quickly provision a Minikube cluster with FRSCA deployed and execute an example pipeline run:

# Install and set up minikube (run only if you need a local k8s cluster)
make setup-minikube
make setup-frsca

This will perform the following actions:

  1. Install and set up minikube and supporting CLI tools, like cosign and jq, if they are not already installed.
  2. Install development tooling to simulate a production environment, which includes:
    1. Cert-manager
    2. Registry
    3. SPIFFE/Spire
    4. Vault
  3. Install and set up FRSCA's components, which include:
    1. Tekton Pipelines
    2. Tekton Chains
    3. Kyverno
  4. Set up a mirror of example repositories and Tekton triggers for each mirror.

Once FRSCA has been installed you can follow the various examples under /examples.

To tear down the Minikube cluster generated in the quickstart, simply run:

make teardown

Going further

The full documentation is available at


It is a project under the OpenSSF Supply Chain Integrity Working Group.

Community meetings are held every other Wednesday at 10 AM Eastern. See the OpenSSF community calendar for more info.

Slack channel: #frsca on OpenSSF Slack

Built With