Skip to main content

Free self-study guide by OpenChain KWG

Open source trust,
built by you.

Build an ISO/IEC 5230 & 18974 open source management system step by step, with no vendor consulting — all the way to a self-certification declaration. No prior experience needed.

처음이세요? 5분 빠른 시작Start the guideGitHub
  • ISO/IEC 5230
  • ISO/IEC 18974
  • CC BY 4.0
  • 벤더중립

From zero to self-certification, step by step

Just follow the order. An agent at each step generates company-specific artifacts for you.

  1. 00

    Get started

    Grasp the big picture of supply chain security and the two standards.

  2. 01

    Set up

    Prepare the foundation for self-study and artifact generation.

  3. 02

    Organization

    Define governance owners with a responsibility (RACI) model.

  4. 03

    OSS policy

    Establish license approval tiers and policy documents.

  5. 04

    Process

    Design operating procedures: review, approval, disclosure.

  6. 05

    SBOM & vulnerabilities

    Generate and analyze SBOMs and manage vulnerabilities with tools.

  7. 06

    Training

    Build the capability to keep the system running over time.

  8. 07

    Self-certification

    Check conformance and complete a self-certification declaration.

One guide, three paths

A standards-based management system, a security pipeline, and AI coding compliance — follow the path that fits your role.

Build Your System

Build an enterprise open source management system from scratch to completion, based on ISO/IEC 5230 & 18974.

Learn more →

DevSecOps

Integrate security into your development pipeline. Covers SAST, SCA, container security, and CI/CD automation.

Learn more →

AI Coding

Manage AI coding tools like Claude Code, Cursor, and Copilot alongside open source compliance.

Learn more →

Real artifacts the agents produce

Preview the artifacts auto-generated for your company through these best-practice samples.

oss-policy.md
# 오픈소스 정책
## 3.1 라이선스 승인 등급
- 허용:   MIT · Apache-2.0
- 조건부: LGPL · MPL-2.0
- 금지:   AGPL · 상용 EULA
Policy & org — license approval tiers and the RACI responsibility matrix
sbom.cdx.json
{
  "bomFormat": "CycloneDX",
  "components": [
    { "name": "log4j-core",
      "version": "2.14.1",
      "vuln": "CVE-2021-44228" }
  ]
}
SBOM & vulnerabilities — CycloneDX analysis and triage reports
conformance.md
ISO/IEC 5230 적합성 선언문
조직: ____________________
[v] 3.1 정책 수립 · 공개
[v] 3.2 책임자 지정
[v] 3.3 역량 · 절차 확보
Self-certification — conformance checklist and declaration draft

Why TrustedOSS, together with KWG

Not competition, but completion. KWG points the way with standards and blank templates; TrustedOSS turns that into executable artifacts with AI and automation.

What & why

OpenChain KWG

Tells you what the standard requires and why. Provides the international standards, an enterprise OSS management guide, and blank templates.

  • ISO/IEC 5230 and 18974 standard guides
  • Blank policy and process templates
  • Tool guides and links
How, automatically

TrustedOSS

Helps you actually achieve the standard with AI and automation, on a single path from zero to self-certification.

  • AI agents auto-generate company-tailored artifacts
  • Copy-paste CI workflows and Rules, no-API-key demos
  • Extends to DevSecOps and AI coding governance

TrustedOSS synchronizes KWG content and attributes it under CC BY 4.0. View the OpenChain KWG guide

Start with step one, today

A free OpenChain KWG guide, all the way to self-certification. No install, no cost, no vendor lock-in.

Start the guideSee artifact samples