diff --git a/ci/spelling-config.json b/ci/spelling-config.json index eabc7a458..2d2989db1 100644 --- a/ci/spelling-config.json +++ b/ci/spelling-config.json @@ -60,6 +60,8 @@ "frontmatter", "Gamal", "gconv", + "gitsign", + "gittuf", "GUAC", "helm", "HIPAA", diff --git a/publications/supply-chain-security-tools/README.md b/publications/supply-chain-security-tools/README.md index 4f924a61d..1d80eade9 100644 --- a/publications/supply-chain-security-tools/README.md +++ b/publications/supply-chain-security-tools/README.md @@ -7,5 +7,5 @@ Find out what tools are used to secure the supply chain. Explore the general req 1. [Securing the Source Code](securing-source-code.md) 2. [Securing Materials](securing-materials.md) 3. [Securing Build Pipelines](securing-build-pipelines.md) -4. [Securing Artefacts](securing-aretfacts.md) +4. [Securing Artifacts](securing-artifacts.md) 5. [Securing Deployments](securing-deployments.md) diff --git a/publications/supply-chain-security-tools/securing-aretfacts.md b/publications/supply-chain-security-tools/securing-artifacts.md similarity index 83% rename from publications/supply-chain-security-tools/securing-aretfacts.md rename to publications/supply-chain-security-tools/securing-artifacts.md index 01ffc73e2..67d060be0 100644 --- a/publications/supply-chain-security-tools/securing-aretfacts.md +++ b/publications/supply-chain-security-tools/securing-artifacts.md @@ -1,4 +1,4 @@ -# Securing Artefacts +# Securing Artifacts {{% blocks/lead color="white" align="left" %}} Here are the list of requirements for securing the source code. Each one has a list of tools used to achieve it. 
@@ -6,22 +6,8 @@ Here are the list of requirements for securing the source code. Each one has a l ## 1. Require signed commits -Tool capability: sign commits, verify signed commits - -#### Tools -- Sigstore (gitsign) -- gittuf -- GUAC - - ## 2. Enforce full attestation and verification for protected branches -Tool capability: monitor protected branches - -#### Tools -- gittuf - - ## 3. Prevent committing secrets to the source code repository ## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions @@ -43,4 +29,3 @@ Tool capability: monitor protected branches ## 12. Have a Key Rotation Policy ## 13. Use short-lived/ephemeral credentials for machine/service access - diff --git a/publications/supply-chain-security-tools/securing-build-pipelines.md b/publications/supply-chain-security-tools/securing-build-pipelines.md index f9b8b26ed..6d55af569 100644 --- a/publications/supply-chain-security-tools/securing-build-pipelines.md +++ b/publications/supply-chain-security-tools/securing-build-pipelines.md @@ -6,22 +6,8 @@ Here are the list of requirements for securing the source code. Each one has a l ## 1. Require signed commits -Tool capability: sign commits, verify signed commits - -#### Tools -- Sigstore (gitsign) -- gittuf -- GUAC - - ## 2. Enforce full attestation and verification for protected branches -Tool capability: monitor protected branches - -#### Tools -- gittuf - - ## 3. Prevent committing secrets to the source code repository ## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions @@ -43,4 +29,3 @@ Tool capability: monitor protected branches ## 12. Have a Key Rotation Policy ## 13. Use short-lived/ephemeral credentials for machine/service access - diff --git a/publications/supply-chain-security-tools/securing-deployments.md b/publications/supply-chain-security-tools/securing-deployments.md index 872e635a7..13d85f9d5 100644 
--- a/publications/supply-chain-security-tools/securing-deployments.md +++ b/publications/supply-chain-security-tools/securing-deployments.md @@ -6,22 +6,8 @@ Here are the list of requirements for securing the source code. Each one has a l ## 1. Require signed commits -Tool capability: sign commits, verify signed commits - -#### Tools -- Sigstore (gitsign) -- gittuf -- GUAC - - ## 2. Enforce full attestation and verification for protected branches -Tool capability: monitor protected branches - -#### Tools -- gittuf - - ## 3. Prevent committing secrets to the source code repository ## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions @@ -43,4 +29,3 @@ Tool capability: monitor protected branches ## 12. Have a Key Rotation Policy ## 13. Use short-lived/ephemeral credentials for machine/service access - diff --git a/publications/supply-chain-security-tools/securing-materials.md b/publications/supply-chain-security-tools/securing-materials.md index 56438b85d..6e6e1025d 100644 --- a/publications/supply-chain-security-tools/securing-materials.md +++ b/publications/supply-chain-security-tools/securing-materials.md @@ -6,22 +6,8 @@ Here are the list of requirements for securing the source code. Each one has a l ## 1. Require signed commits -Tool capability: sign commits, verify signed commits - -#### Tools -- Sigstore (gitsign) -- gittuf -- GUAC - - ## 2. Enforce full attestation and verification for protected branches -Tool capability: monitor protected branches - -#### Tools -- gittuf - - ## 3. Prevent committing secrets to the source code repository ## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions @@ -43,4 +29,3 @@ Tool capability: monitor protected branches ## 12. Have a Key Rotation Policy ## 13. Use short-lived/ephemeral credentials for machine/service access - 
diff --git a/publications/supply-chain-security-tools/securing-source-code.md b/publications/supply-chain-security-tools/securing-source-code.md index bc907411e..ebe130d92 100644 --- a/publications/supply-chain-security-tools/securing-source-code.md +++ b/publications/supply-chain-security-tools/securing-source-code.md @@ -8,19 +8,19 @@ Here are the list of requirements for securing the source code, which is a subca Tool capability: sign commits, verify signed commits -#### Tools +### Tools + - Sigstore (gitsign) - gittuf - GUAC - ## 2. Enforce full attestation and verification for protected branches Tool capability: monitor protected branches -#### Tools -- gittuf +### Tools +- gittuf ## 3. Prevent committing secrets to the source code repository @@ -43,4 +43,3 @@ Tool capability: monitor protected branches ## 12. Have a Key Rotation Policy ## 13. Use short-lived/ephemeral credentials for machine/service access -
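Review bot: In the README.md hunk, the link fix to `securing-artifacts.md` is only safe if nothing else still points at the old `securing-aretfacts.md` name; the rename hunk below shows the file move but this patch touches no site navigation or index configuration, so please grep the repository for `securing-aretfacts` before merging, otherwise the rename leaves a dangling link.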
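Review bot: In the first securing-artifacts.md hunk (`@@ -1,4 +1,4 @@`), the title is corrected to "Securing Artifacts" but the unchanged lead sentence still reads "Here are the list of requirements for securing the source code.", which is both the wrong subject for this page and ungrammatical; since the hunk already edits this region, change it to "Here is the list of requirements for securing artifacts." so the intro matches the new heading.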
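Review bot: In the `@@ -6,22 +6,8 @@` hunk of securing-artifacts.md, only the copied tool lists are removed while the copied source-code requirement headings (`## 1. Require signed commits`, `## 2. Enforce full attestation and verification for protected branches`, `## 3. Prevent committing secrets to the source code repository`, and the rest through `## 13.`) are kept, so the artifacts page now shows an empty list of source-code controls; either replace them with artifact-specific requirements or drop the copied headings in the same change rather than leaving placeholders that read as finished content.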
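Review bot: The `@@ -6,22 +6,8 @@` hunks in securing-build-pipelines.md, securing-deployments.md and securing-materials.md have the same problem as the artifacts page: the hunk header context still shows the copied lead "Here are the list of requirements for securing the source code." and the unchanged lines keep the thirteen source-code requirement headings, so these three pages end up as empty copies of securing-source-code.md with the wrong intro. Each page should get its own lead sentence and its own requirement list, or the copied headings should be removed until that content exists.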
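Review bot: In the securing-source-code.md hunk (`@@ -8,19 +8,19 @@`), the two `### Tools` headings are formatted inconsistently: the first is followed by an added blank line before `- Sigstore (gitsign)`, while the second is immediately followed by `- gittuf` with no blank line. Pick one form (the blank line is the safer choice, since some Markdown renderers need it to start a list after a heading) and apply it to both. The level change from `####` to `###` is correct, as it removes the skipped heading level under the `##` sections.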