
Comments (3)

naveensrinivasan commented on July 3, 2024 · 30

Nominating OSSF Scorecard team

http://github.com/ossf/scorecard

The OpenSSF Scorecard is an automated tool that assesses several important heuristics associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve to strengthen your project's security posture.

The OpenSSF Scorecard’s GitHub Action v2 action uses GitHub OIDC with Sigstore (with Fulcio as root CA and Rekor as a transparency log) to ensure the integrity of its results.

This is going to secure millions of repositories using Rekor and Fulcio.

https://openssf.org/blog/2022/09/08/show-off-your-security-score-announcing-scorecards-badges


asraa commented on July 3, 2024 · 12

SLSA GitHub Generators

https://github.com/slsa-framework/slsa-github-generator
https://github.com/slsa-framework/slsa-verifier

The SLSA GitHub Generator project hosts a collection of trusted builders that can produce SLSA Level 3 compliant provenance. It achieves this by using the isolation guarantees from reusable workflows on GitHub Actions and crucially, Sigstore OIDC signing to bind GitHub workflow identities attested by Fulcio to achieve non-falsifiable provenance.

The verifier uses Sigstore-based verification flows, verifying certificate authenticity up to Fulcio's Root CA and verifying that the entry signed was present in the Rekor log.

These tools allow GitHub developers to build on GitHub Actions as per normal flows and generate signed L3 provenance using only free GitHub tooling and Sigstore's public-good instance. Other solutions require GCP accounts to enable GCB build provenance, or Tekton Chains, which requires Tekton.

Our Golang builders are already GA available, and we have a generic provenance attestor being used in a variety of repos, including kpt, crane, jib, and even sigstore-java!

One crucial part of our user adoption story is our contribution back to the Sigstore ecosystem. With extensive end to end testing of our flow, we were able to detect regressions and issues in Sigstore services (sigstore/rekor#956, sigstore/cosign#2123, sigstore/cosign#2121, sigstore/cosign#2058). Our work also suggested and enabled many feature enhancements as requirements to Fulcio (sigstore/fulcio#232) and Rekor (sigstore/rekor#838, sigstore/rekor#761, sigstore/rekor#793).

Reference:

cc @ianlewis @laurentsimon @kpk47 @joshuagl

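To make the verification flow described in this comment concrete (a signing certificate chained to Fulcio's root, a workflow identity bound into it via OIDC, and the signed entry present in Rekor), here is an added Go example. It is not part of the original thread and is not code from slsa-verifier, slsa-github-generator or Sigstore. It uses only Go's standard library: a self-signed P-256 CA stands in for Fulcio, a plain map stands in for Rekor, and the workflow identity URL and the provenance statement are constructed for the demo. The identity check compares only the SAN URI; a real verifier also validates Rekor's signed entry and Merkle inclusion proof and checks further certificate extensions, which this toy omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// must panics on setup errors (key generation, certificate minting): this is demo code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ToyLog stands in for Rekor and only remembers which signatures it integrated.
// (Constructed stand-in: real Rekor returns a signed entry and a Merkle inclusion proof.)
type ToyLog map[string]bool

func (l ToyLog) Append(sig []byte)        { l[string(sig)] = true }
func (l ToyLog) Contains(sig []byte) bool { return l[string(sig)] }

// issue signs tmpl for pub with the issuer's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey))
	return must(x509.ParseCertificate(der))
}

// Verify applies the checks the comment attributes to the verifier, in order: the
// entry is present in the log, the certificate chains to the trusted root, the identity
// bound into the certificate is the expected workflow, and the signature verifies
// over the provenance bytes. Any failure rejects the provenance.
func Verify(roots *x509.CertPool, leaf *x509.Certificate, provenance, sig []byte, wantIdentity string, tlog ToyLog) error {
	if !tlog.Contains(sig) {
		return errors.New("signature not present in transparency log")
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("certificate does not chain to trusted root: %w", err)
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].String() != wantIdentity {
		return errors.New("certificate identity is not the expected workflow")
	}
	digest := sha256.Sum256(provenance)
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify over provenance")
	}
	return nil
}

// Scenario mints a toy root CA (Fulcio's role) and a ten-minute signing certificate
// bound to a constructed workflow identity, signs a constructed provenance statement,
// logs the signature, and returns the verdict for the genuine artifact and three failure modes.
func Scenario() (valid, tampered, wrongIdentity, unlogged error) {
	const identity = "https://github.com/example-org/example-repo/.github/workflows/release.yml@refs/tags/v1.0.0" // constructed
	now := time.Now()
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "toy-fulcio-root"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "toy-workflow-signer"},
		URIs:      []*url.URL{must(url.Parse(identity))}, // identity the OIDC token attested
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(10 * time.Minute), // short-lived, like Fulcio's
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf := issue(leafTmpl, root, &leafKey.PublicKey, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	provenance := []byte(`{"_type":"https://in-toto.io/Statement/v0.1","subject":[{"name":"release.tar.gz"}]}`) // constructed
	digest := sha256.Sum256(provenance)
	sig := must(ecdsa.SignASN1(rand.Reader, leafKey, digest[:]))
	tlog := ToyLog{}
	tlog.Append(sig)
	valid = Verify(roots, leaf, provenance, sig, identity, tlog)
	tampered = Verify(roots, leaf, append([]byte("x"), provenance...), sig, identity, tlog)
	wrongIdentity = Verify(roots, leaf, provenance, sig, "https://github.com/example-org/example-repo/.github/workflows/other.yml@refs/heads/main", tlog)
	unlogged = Verify(roots, leaf, provenance, sig, identity, ToyLog{})
	return valid, tampered, wrongIdentity, unlogged
}

func main() {
	valid, tampered, wrongIdentity, unlogged := Scenario()
	fmt.Printf("genuine: %v\ntampered: %v\nwrong identity: %v\nunlogged: %v\n", valid, tampered, wrongIdentity, unlogged)
}
```

Running it prints `<nil>` for the genuine artifact and a distinct error for each failure mode. The order of checks matters in practice: the log lookup comes first because a short-lived certificate is only meaningful together with evidence that the signature was logged while the certificate was valid, and the identity comparison is what turns "signed by some Fulcio-issued key" into "signed by this workflow".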

laurentsimon commented on July 3, 2024 · 6

This is a great idea. Scorecard is using Sigstore to enable badges and built a remote attestation system based on Sigstore + OIDC + GitHub Actions. Some of the work was presented at Open-Source Security Summit in Austin last June.

