{"id":1088,"date":"2025-05-11T23:49:28","date_gmt":"2025-05-12T04:49:28","guid":{"rendered":"https:\/\/stagefoursecurity.com\/blog\/?p=1088"},"modified":"2025-05-12T00:20:02","modified_gmt":"2025-05-12T05:20:02","slug":"securing-open-source-you-publish","status":"publish","type":"post","link":"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/11\/securing-open-source-you-publish\/","title":{"rendered":"Securing Open Source You Publish"},"content":{"rendered":"<article>\n<header>\n<h1>\ud83d\udee0\ufe0f Securing the Code You Share: Best Practices for Open Source Publishers<\/h1>\n<p><em>By James K. Bishop, vCISO | Founder, <a href=\"https:\/\/stagefoursecurity.com\" target=\"_blank\" rel=\"noopener\">Stage Four Security<\/a><\/em><\/p>\n<\/header>\n<section>\n<h2>\ud83d\udd0d Why You Must Secure What You Publish<a href=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-2.png\"><img fetchpriority=\"high\" decoding=\"async\" class=\"alignright wp-image-1099\" src=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-2-300x200.png\" alt=\"\" width=\"400\" height=\"267\" srcset=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-2-300x200.png 300w, https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-2-1024x683.png 1024w, https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-2-768x512.png 768w, https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-2.png 1536w\" sizes=\"(max-width: 400px) 100vw, 400px\" \/><\/a><\/h2>\n<p>When your organization publishes or maintains open source code, you take on real responsibility\u2014not just for quality, but for security. Compromised repos, hijacked maintainers, or malicious PRs can lead to supply chain attacks that affect thousands of downstream users. 
Being an open source publisher means becoming a security steward.<\/p>\n<p>This post outlines actionable steps to protect your Git repositories, package registries, contributor workflows, and the reputation that goes with them.<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udd11 Lock Down Your Repositories<\/h2>\n<p>Whether you host on GitHub, GitLab, or another platform, follow these security-first practices:<\/p>\n<ul>\n<li><strong>Enable branch protection:<\/strong> Require PR reviews, signed commits, and status checks on <code>main<\/code> or <code>release<\/code> branches.<\/li>\n<li><strong>Enforce 2FA\/MFA:<\/strong> Require multi-factor authentication for all maintainers and admins.<\/li>\n<li><strong>Use least privilege:<\/strong> Don\u2019t give full admin rights to casual contributors\u2014use role-based access (e.g., triage, write, admin).<\/li>\n<li><strong>Monitor for force pushes, tag deletions, or branch creation<\/strong>\u2014signs of compromise or misuse.<\/li>\n<\/ul>\n<\/section>\n<section>\n<h2>\ud83d\udd10 Secure the Release Process<\/h2>\n<p>Attackers often target the release flow, not just the source code. Secure your artifact build and publication steps:<\/p>\n<ul>\n<li><strong>Sign releases:<\/strong> Use GPG or Sigstore to cryptographically sign release artifacts (tarballs, JARs, NPM packages).<\/li>\n<li><strong>Use isolated CI\/CD runners:<\/strong> Build and sign releases in ephemeral, hardened environments.<\/li>\n<li><strong>Verify packages before publish:<\/strong> Perform linting, dependency scanning, and static analysis before pushing to PyPI, NPM, etc.<\/li>\n<\/ul>\n<p>If you use GitHub Actions, ensure secrets are scoped only to specific workflows and rotated frequently.<\/p>\n<\/section>\n<section>\n<h2>\ud83e\uddea Validate External Contributions<\/h2>\n<p>Don\u2019t trust public pull requests at face value. 
Instead:<\/p>\n<ul>\n<li><strong>Use PR templates:<\/strong> Require contributors to explain changes and provide test coverage.<\/li>\n<li><strong>Run automated security scans:<\/strong> SAST, dependency scans, and policy checks before review.<\/li>\n<li><strong>Implement CODEOWNERS:<\/strong> Ensure experienced maintainers review sensitive modules or configurations.<\/li>\n<\/ul>\n<p>Adopt a \u201czero trust\u201d mindset toward inbound code\u2014even from known contributors. Mistakes and malicious intent both happen.<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udce6 Secure Package Registry Access<\/h2>\n<p>If you publish to public registries (e.g., PyPI, NPM, Maven Central):<\/p>\n<ul>\n<li><strong>Use scoped access tokens:<\/strong> Avoid global or user-bound tokens. Rotate credentials regularly.<\/li>\n<li><strong>Monitor package updates:<\/strong> Keep an eye on who is publishing, what versions are being pushed, and from where.<\/li>\n<li><strong>Set up two-person release approvals:<\/strong> Especially for critical libraries, never allow solo publishing without review.<\/li>\n<\/ul>\n<p>Registries are increasingly targeted\u2014hardening your access and audit practices is critical.<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udce3 Communicate Responsibly<\/h2>\n<p>Responsible maintainers make it easy for users to trust them\u2014and report problems. 
Every public repo should include:<\/p>\n<ul>\n<li><code>SECURITY.md<\/code> with coordinated disclosure instructions<\/li>\n<li>Signed release notes with changelogs and known risks<\/li>\n<li>Transparency about deprecated features or end-of-life schedules<\/li>\n<\/ul>\n<p>For mature projects, consider registering a <a href=\"https:\/\/securitytxt.org\/\" target=\"_blank\" rel=\"noopener\"><code>security.txt<\/code><\/a> file in your domain root to standardize contact and PGP key info.<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udee0\ufe0f Tools That Help<\/h2>\n<ul>\n<li><strong>Sigstore:<\/strong> Keyless signing of artifacts and commits<\/li>\n<li><strong>OSV Scanner:<\/strong> Check for vulnerabilities using Google\u2019s OSV database<\/li>\n<li><strong>OSS Review Toolkit:<\/strong> Review licenses and vulnerabilities in project trees<\/li>\n<li><strong>GitHub CodeQL:<\/strong> Custom SAST scanning for OSS projects<\/li>\n<\/ul>\n<p>Most tools have GitHub Actions or CLI integrations to make secure development easy to embed into your publishing workflows.<\/p>\n<\/section>\n<section>\n<h2>\ud83d\udce3 Final Thought<\/h2>\n<p>If you\u2019re publishing code, you\u2019re publishing trust. As an open source maintainer, your repository may be one step away from someone\u2019s production system, medical device, or national infrastructure. Harden your repo, vet your releases, and treat publishing as a secure-by-default process.<\/p>\n<p><strong>Need help reviewing your OSS publishing practices, securing your build workflows, or designing a secure contribution model?<\/strong> <a href=\"https:\/\/stagefoursecurity.com\/blog\/partner-with-stage-four-security\/\" target=\"_blank\" rel=\"noopener\">Let\u2019s talk<\/a>.<\/p>\n<\/section>\n<\/article>\n","protected":false},"excerpt":{"rendered":"<p>\ud83d\udee0\ufe0f Securing the Code You Share: Best Practices for Open Source Publishers By James K. 
Bishop, vCISO | Founder, Stage [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"default","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[17],"tags":[],"class_list":["post-1088","post","type-post","status-publish","format-standard","hentry","category-open-source-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.0 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Securing Open Source You Publish - Stage Four Security Blog<\/title>\n<meta name=\"description\" content=\"Protect the code you publish by securing repositories, managing contributors, and preventing supply chain abuse in your open source projects.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/11\/securing-open-source-you-publish\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Securing Open Source You Publish - Stage Four Security Blog\" \/>\n<meta property=\"og:description\" content=\"Protect the code you publish by securing repositories, managing contributors, and preventing supply chain abuse in your open source projects.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/11\/securing-open-source-you-publish\/\" \/>\n<meta property=\"og:site_name\" content=\"Stage Four Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-12T04:49:28+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-12T05:20:02+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-2.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1536\" \/>\n\t<meta property=\"og:image:height\" content=\"1024\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"stagefoursec\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-2.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"stagefoursec\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/11\/securing-open-source-you-publish\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/11\/securing-open-source-you-publish\/\"},\"author\":{\"name\":\"stagefoursec\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/person\/9224811ebe1947fee603931e220ecfde\"},\"headline\":\"Securing Open Source You Publish\",\"datePublished\":\"2025-05-12T04:49:28+00:00\",\"dateModified\":\"2025-05-12T05:20:02+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/11\/securing-open-source-you-publish\/\"},\"wordCount\":580,\"publisher\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/11\/securing-open-source-you-publish\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-2-300x200.png\",\"articleSection\":[\"Open Source Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/11\/securing-open-source-you-publish\/\",\"url\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/11\/securing-open-source-you-publish\/\",\"name\":\"Securing Open Source You Publish - Stage Four Security 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/11\/securing-open-source-you-publish\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/11\/securing-open-source-you-publish\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-2-300x200.png\",\"datePublished\":\"2025-05-12T04:49:28+00:00\",\"dateModified\":\"2025-05-12T05:20:02+00:00\",\"description\":\"Protect the code you publish by securing repositories, managing contributors, and preventing supply chain abuse in your open source projects.\",\"breadcrumb\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/11\/securing-open-source-you-publish\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/11\/securing-open-source-you-publish\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/11\/securing-open-source-you-publish\/#primaryimage\",\"url\":\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-2.png\",\"contentUrl\":\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/05\/Open-Source-Post-2.png\",\"width\":1536,\"height\":1024},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/2025\/05\/11\/securing-open-source-you-publish\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/stagefoursecurity.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Securing Open Source You Publish\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#website\",\"url\":\"https:\/\/stagefoursecurity.com\/blog\/\",\"name\":\"Stage Four Security 
Blog\",\"description\":\"Protecting today, fortifying tomorrow\",\"publisher\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/stagefoursecurity.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#organization\",\"name\":\"Stage Four Security Blog\",\"url\":\"https:\/\/stagefoursecurity.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/02\/cropped-Stage-Four-Security-Blog-Logo-1000x150-1.png\",\"contentUrl\":\"https:\/\/stagefoursecurity.com\/blog\/wp-content\/uploads\/2025\/02\/cropped-Stage-Four-Security-Blog-Logo-1000x150-1.png\",\"width\":1000,\"height\":150,\"caption\":\"Stage Four Security Blog\"},\"image\":{\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/person\/9224811ebe1947fee603931e220ecfde\",\"name\":\"stagefoursec\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/stagefoursecurity.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/fdb94f17254222fa9c8b7db050a58a5fa4fb24ae32e20e7e1974b87b01a751d4?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/fdb94f17254222fa9c8b7db050a58a5fa4fb24ae32e20e7e1974b87b01a751d4?s=96&d=mm&r=g\",\"caption\":\"stagefoursec\"},\"sameAs\":[\"https:\/\/stagefoursecurity.com\/blog\"],\"url\":\"https:\/\/stagefoursecurity.com\/blog\/author\/admin_w171pcka\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/posts\/1088","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/comments?post=1088"}],"version-history":[{"count":3,"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/posts\/1088\/revisions"}],"predecessor-version":[{"id":1103,"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/posts\/1088\/revisions\/1103"}],"wp:attachment":[{"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/media?parent=1088"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/categories?post=1088"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stagefoursecurity.com\/blog\/wp-json\/wp\/v2\/tags?post=1088"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}