fix: add landing redirect, additional content

Author: kahboom

docs/compliance/SLSA.md

@@ -4,31 +4,87 @@ title: "SLSA ・ Supply-chain Levels for Software Artifacts"
 sidebar_label: "SLSA"
 ---
 
-# SLSA
+# SLSA: Your Blueprint for Securing the Software Supply Chain
 
-**Supply-chain Levels for Software Artifacts**, or **[SLSA](https://slsa.dev/)** _(pronounced "salsa")_, is a vendor-neutral security framework that provides guidance on building and delivering software securely. Supported by the [Open Source Software Security Foundation](https://openssf.org/), SLSA consists of a specification that developers can reference when identifying areas of potential improvement. It was [created by Google in 2021](https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html) to help software developers fortify their supply chain security by incorporating the best industry practices end-to-end. It also enables consumers to better evaluate the software they adopt, before they adopt it.
+Ever wonder how to stop supply chain attacks like SolarWinds or Log4Shell in their tracks? Enter **Supply-chain Levels for Software Artifacts**, or **[SLSA](https://slsa.dev/)** _(pronounced "salsa")_. This framework is your recipe for hardening the software you build, deliver, and consume—step by step.
 
-SLSA is divided into four different **[levels](https://slsa.dev/spec/v1.0/levels)**, which are further broken up into their own tracks, each expanding on the previous. Each level within a track measures a particular aspect of supply chain security. The idea is that, as your security posture matures, you work your way up through the different levels, like a ladder.
+[Created by Google](https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html) and supported by the [Open Source Software Security Foundation](https://openssf.org/), SLSA is the industry's answer to supply chain chaos. With four progressive levels, it helps you secure your software artifacts from tampering and build trust with end users.
 
-## SLSA Level 0: Build Basics
+is a vendor-neutral security framework that provides guidance on building and delivering software securely. Supported by the [Open Source Software Security Foundation](https://openssf.org/), SLSA consists of a specification that developers can reference when identifying areas of potential improvement. It was [created by Google in 2021](https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html) to help software developers fortify their supply chain security by incorporating the best industry practices end-to-end. It also enables consumers to better evaluate the software they adopt, before they adopt it.
+
+## Why does SLSA matter?
+
+Software supply chains are more vulnerable than ever:
+- Dependencies sneak in unnoticed.
+- Build environments are ripe for tampering.
+- Provenance (the “who, what, where” of your code) is often nonexistent.
+
+SLSA fixes these issues by providing a ladder of security maturity. Whether you're a developer or an organization, each level of SLSA improves your security posture.
+
+## SLSA Levels & Tracks
+
+SLSA is divided into four different **[levels](https://slsa.dev/spec/v1.0/levels)**. Each level within a track measures a particular aspect of supply chain security (e.g. build, source, dependencies).
+
+Levels are further broken up into their own tracks, each expanding on the previous.  The idea is that, as your security posture matures, you work your way up through the different levels, like a ladder.
+
+- **Levels** define the overall maturity of your security practices.
+- **Tracks** identify specific areas of improvement (i.e. "source" ensures code integrity, while "build" ensures artifact integrity).
+
+
+### SLSA Level 0: The Starting Line
+
+This is the Wild West of software development, where most software starts. No automation, no reproducibility, no trust. It’s like baking a cake without writing down the recipe—you might get something tasty once, but good luck doing it again the same way.
+
+The build process might be manual, dependencies aren't tracked, and there's no way to verify the integrity of your artifacts.
+
+- Risk: Tampering is undetectable, and no one knows how your software was built.
+- Goal: Recognize this as the starting point and commit to improvement.
+
+### SLSA Level 1
 
 The main focus of Level 1 is on automation, as manual processes are error-prone. It requires the build process to be fully scripted, meaning no manual, ad hoc commands. This ensures the builds are at least reproducible.
 
+Requirements:
+- A defined build process (e.g. CI/CD pipelines).
+- Artifacts can be recreated reliably.
+
+Example: Running `make` commands directly on your local machine and manually uploading binaries to a server.
+
+Example tools might include Jenkins, GitHub Actions, or GitLab CI.
+
 :::tip[Did you know?]
 
-SLSA 1 is achievable for many teams with minimal effort—if you're using CI/CD pipelines, you might already be there!
+SLSA L1 is achievable for many teams with minimal effort—if you're using CI/CD pipelines, you might already be there!
 
 :::
 
-## SLSA Level 1: Provenance Proofs
+SLSA L1 is a means to an end, and should be seen as a stepping stone towards improving your overall approach to security. 
+
+
+### SLSA Level 2: Provenance Proofs
 
 Level 2 introduces the concept of [provenance](/what-is-software-provenance-and-why-is-it-important-for-security), a verifiable statement of what, how, and where something was built. Build systems must generate signed provenance documents.
 
-## SLSA Level 2: Tamper Resistance
+Builds must be performed in a secure environment that prevents tampering, which involves using isolated, authenticated systems (e.g. hardened CI/CD environments).
+
+### SLSA Level 3: Fully Fortified
 
-Builds must be performed in a secure environment that prevents tampering. This involves using isolated, authenticated systems (e.g. hardened CI/CD environments).
+This is the gold standard. At Level 3:
+- Builds are hermetic (completely isolated from the outside world).
+- Dependencies are verified and controlled.
+- Build environments are hardened to prevent tampering.
 
-## SLSA Level 3: Fully Fortified
+Additional practices include:
+- Two-person review for every change.
+- Strict control over source and dependencies. 
+- Requirements:
+  - All Level 2 controls.
+  - Builds must be tamper-proof and reproducible in a hermetic environment. 
+- Example Tools:
+  - Containerized builds (e.g., using Docker or Bazel).
+  - Cloud-native build systems like GCP Cloud Build or AWS CodeBuild.
 
 This level adds two-person review for all changes and hermetic builds, meaning builds are completely isolated from the outside world. Every dependency must be verified.
 
+
+

docs/software-supply-chain-security/sboms.mdx

@@ -1,6 +1,7 @@
 ---
 sidebar_position: 2
 slug: "/what-is-an-sbom-software-bill-of-materials-and-why-does-it-matter"
+sidebar_label: "SBOMs"
 ---
 import { Scrollycoding } from "/src/components/scrollycoding";
 
@@ -12,7 +13,7 @@ In recent years, the relevance of SBOMs has increased rapidly, with regulatory m
 
 A **Software Bill of Materials**, or **SBOM**, is an inventory file that lists all components within a piece of software, including any dependencies. Those components can include anything from open source libraries, APIs, licenses, and known vulnerabilities.
 
-## Why are SBOMs in vulnerability management?
+## Why are SBOMs important in vulnerability management?
 
 The applications we build and use everyday ship with many dependencies. Those dependencies are then likely have _their own_ dependencies, which, in turn, might consist of _their_ own dependencies, and so on. When you consider that any single one of those dependencies can be exploited, it's easy to see why it's important that we are able to track and monitor them.
 

docusaurus.config.ts

@@ -14,7 +14,7 @@ const chConfig = {
 
 const config: Config = {
 	title: "Trusted Foundations",
-	tagline: "Software supply chain security tutorials and tips",
+	tagline: "Notes and tutorials",
 	favicon: "img/trusted-foundations-icon.ico",
 
 	// production url
@@ -55,21 +55,13 @@ const config: Config = {
 					recmaPlugins: [[recmaCodeHike, chConfig]],
 					routeBasePath: "/", // serve the docs at the site's root
 					sidebarPath: "./sidebars.ts",
-					// Please change this to your repo.
-					// Remove this to remove the "edit this page" links.
-					// editUrl:
-					//   'https://github.com/facebook/docusaurus/tree/main/packages/create-docusaurus/templates/shared/',
 				},
 				// blog: {
 				//   showReadingTime: true,
 				//   feedOptions: {
 				//     type: ['rss', 'atom'],
 				//     xslt: true,
 				//   },
-				//   // Please change this to your repo.
-				//   // Remove this to remove the "edit this page" links.
-				//   editUrl:
-				//     'https://github.com/facebook/docusaurus/tree/main/packages/create-docusaurus/templates/shared/',
 				//   // Useful options to enforce blogging best practices
 				//   onInlineTags: 'warn',
 				//   onInlineAuthors: 'warn',
@@ -131,27 +123,25 @@ const config: Config = {
 			],
 			copyright: `Copyright © ${new Date().getFullYear()} Trusted Foundations`,
 		},
-		// Replace with your project's social card
-		// image: 'img/docusaurus-social-card.jpg',
+		// social card
 		image: "img/trusted-foundations-icon.svg",
-		metadata: [{ name: "keywords", content: "open source, security" }],
+		metadata: [
+			{ name: "keywords", content: "software supply chain, security" },
+		],
 		navbar: {
 			title: "Trusted Foundations",
 			logo: {
 				alt: "Logo",
-				// src: 'img/logo.svg',
 				src: "img/trusted-foundations-icon.svg",
 			},
-			items: [
-				{
-					type: "docSidebar",
-					sidebarId: "tutorialSidebar",
-					position: "right",
-					label: "Learning",
-				},
-				// {to: '/blog', label: 'Blog', position: 'left'},
-				// { href: "/resources", label: "Resources", position: "left" },
-			],
+			// items: [
+			// 	{
+			// 		type: "docSidebar",
+			// 		sidebarId: "tutorialSidebar",
+			// 		position: "right",
+			// 		label: "Learning",
+			// 	},
+			// ],
 		},
 		prism: {
 			theme: prismThemes.github,

src/components/HomepageFeatures/index.tsx

@@ -2,6 +2,7 @@ import type { ReactNode } from "react";
 import clsx from "clsx";
 import Heading from "@theme/Heading";
 import styles from "./styles.module.css";
+import { Redirect } from "@docusaurus/router";
 
 type FeatureItem = {
 	title: string;
@@ -10,46 +11,46 @@ type FeatureItem = {
 };
 
 const FeatureList: FeatureItem[] = [
-	// {
-	//   title: 'Easy to Use',
-	//   Svg: require('@site/static/img/undraw_docusaurus_mountain.svg').default,
-	//   description: (
-	//     <>
-	//       Docusaurus was designed from the ground up to be easily installed and
-	//       used to get your website up and running quickly.
-	//     </>
-	//   ),
-	// },
-	// {
-	//   title: 'Focus on What Matters',
-	//   Svg: require('@site/static/img/undraw_docusaurus_tree.svg').default,
-	//   description: (
-	//     <>
-	//       Docusaurus lets you focus on your docs, and we&apos;ll do the chores. Go
-	//       ahead and move your docs into the <code>docs</code> directory.
-	//     </>
-	//   ),
-	// },
-	// {
-	//   title: 'Powered by React',
-	//   Svg: require('@site/static/img/undraw_docusaurus_react.svg').default,
-	//   description: (
-	//     <>
-	//       Extend or customize your website layout by reusing React. Docusaurus can
-	//       be extended while reusing the same header and footer.
-	//     </>
-	//   ),
-	// },
+	{
+		title: "Security Fundamentals",
+		// Svg: require('@site/static/img/undraw_docusaurus_mountain.svg').default,
+		description: (
+			<>
+				Docusaurus was designed from the ground up to be easily installed and
+				used to get your website up and running quickly.
+			</>
+		),
+	},
+	{
+		title: "Best Practices",
+		// Svg: require('@site/static/img/undraw_docusaurus_tree.svg').default,
+		description: (
+			<>
+				Docusaurus lets you focus on your docs, and we&apos;ll do the chores. Go
+				ahead and move your docs into the <code>docs</code> directory.
+			</>
+		),
+	},
+	{
+		title: "Compliance",
+		// Svg: require('@site/static/img/undraw_docusaurus_react.svg').default,
+		description: (
+			<>
+				Extend or customize your website layout by reusing React. Docusaurus can
+				be extended while reusing the same header and footer.
+			</>
+		),
+	},
 ];
 
 function Feature({ title, Svg, description }: FeatureItem) {
 	return (
 		<div className={clsx("col col--4")}>
 			<div className="text--center">
-				<Svg
-					className={styles.featureSvg}
-					role="img"
-				/>
+				{/*<Svg*/}
+				{/*	className={styles.featureSvg}*/}
+				{/*	role="img"*/}
+				{/*/>*/}
 			</div>
 			<div className="text--center padding-horiz--md">
 				<Heading as="h3">{title}</Heading>