DevTrace contributor trust signals provide informational context relevant to 8 of 20 NIST SP 800-218 (SSDF) practices across 3 of 4 practice groups.

| Practice | Name | DevTrace Evidence |
|---|---|---|
| PS.1 | Protect code from unauthorized access | Author association, org membership, trusted org status |
| PS.2 | Verify software release integrity | Cryptographic commit signing verification |
| PS.3 | Archive and provide software provenance | Profile completeness: bio, company, location, website, email |
| PW.4 | Reuse well-secured software | Fork ratio, distinct repos, PR acceptance across projects |
| PW.6 | Review human-readable code | Code review participation in the last 30 days |
| PW.7 | Test executable code | Contribution consistency score as disciplined-practice proxy |
| RV.1 | Identify vulnerabilities | Velocity anomaly, burst-vanish, synthetic risk flag detection |
| PO.4 | Security awareness | Account maturity, community engagement, follower presence |

| SSDF Task | DevTrace Signal | Why It Maps |
|---|---|---|
| PS.2.1 | commits_verified | Direct evidence: contributor either signs commits or doesn't |
| PS.3.1 | Identity category (5 signals) | Provenance starts with "who wrote this?" — DevTrace answers that |
| PS.1.1 | author_association + org_member | Measures whether the contributor has appropriate access level |
| PW.6.1 | reviews_given_30d | Contributors who review code participate in the security review process |
| RV.1.1 | Synthetic contributor flags | Detects fabricated contributor patterns (social engineering vectors) |

The EU CRA (2024/2847, enforcement begins 2027) requires manufacturers of products with digital elements to maintain software bills of materials, track vulnerabilities, and ensure supply chain transparency. DevTrace contributor trust signals provide additional context relevant to CRA due-diligence obligations around contributor provenance and software integrity.

Disclaimer: DevTrace provides contributor-level signals that may be relevant to organizational SSDF and EU CRA due-diligence processes. These signals are informational and do not constitute a compliance determination. Full SSDF compliance requires organizational processes, tooling, and controls beyond contributor trust scoring. Consult qualified compliance professionals for formal assessments.

Pro plan includes contributor-level SSDF practice mapping on every scorecard.