
added two new criteria #35

Open. SecurityCRob wants to merge 9 commits into main.

Conversation

SecurityCRob (Contributor)

add osps-53 & osps-54 per convo with eknight

added new criteria "Releases are Signed" as OSPS-53

Signed-off-by: CRob <[email protected]>
added new criteria for SAST scanning OSPS-54

Signed-off-by: CRob <[email protected]>
SecurityCRob added the labels documentation (Improvements or additions to documentation) and enhancement (New feature or request) on Oct 18, 2024
@@ -720,6 +720,55 @@ criteria:
in a separate repository and fetched during
a specific well-documented pipeline step.
control_mappings: # TODO
security_insights_value: # TODO
scorecard_probe: # TODO
- id: OSPS-53
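Review bot: the hunk stops at `- id: OSPS-53` before the new criterion's own `control_mappings`, `security_insights_value` and `scorecard_probe` fields, and the criterion directly above it still carries `control_mappings: # TODO`, `security_insights_value: # TODO` and `scorecard_probe: # TODO`. If OSPS-53 ships with the same placeholders there is no way to assess it automatically, so at minimum the `scorecard_probe` entry should be filled in before merge. The criterion text should also say precisely what "signed" means here (a signature over the release artifact by a published signer identity), otherwise a signature made over the same bytes for any other purpose would satisfy it.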


I disagree with this one as worded fairly strongly.

I would reword it "cryptographically attested" -- We've seen multiple issues with just signing a piece of software.

@mlieberman85 If the desire is for more than signing, should we split this into Lv2 signature, and Lv3 for more complete attestation?

I think that's reasonable. I think we should also be clear what just blanket "signing" should be interpreted as. Since people sign a lot of stuff for a lot of reasons, which is why folks have been moving to attestations so it's clear what the intent of the signing is.


I think the first level should be plain signing with published signer identities. It's way easier to implement plain signing and it gets us initial integrity guarantees.
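
The distinction this thread turns on, a bare signature that proves only that a key signed some bytes versus an attestation that states what the signature is for, as an added example that is not part of this PR or of the baseline project's own code. It is written in Go with only the standard library. The in-toto v1 Statement layout and the DSSE v1 pre-authentication encoding are the published formats; the two predicate types (`https://example.com/release/v1` and `https://example.com/sast-result/v1`), the function names and the artifact bytes are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strconv"
)

// Hypothetical predicate types for this example only; neither is a published in-toto predicate.
const (
	releasePredicateType = "https://example.com/release/v1"
	sastPredicateType    = "https://example.com/sast-result/v1"
	inTotoStatementType  = "https://in-toto.io/Statement/v1"
	inTotoPayloadType    = "application/vnd.in-toto+json"
)

// Statement is a minimal in-toto v1 Statement: what was signed, and for what purpose.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

func sha256Hex(b []byte) string {
	d := sha256.Sum256(b)
	return hex.EncodeToString(d[:])
}

// newSigner makes a throwaway key pair; a real pipeline would use a published signer identity.
func newSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signDigest is "plain signing": a signature over the artifact digest and nothing else.
// It proves the key holder signed these bytes, but carries no statement of why.
func signDigest(priv ed25519.PrivateKey, artifact []byte) []byte {
	d := sha256.Sum256(artifact)
	return ed25519.Sign(priv, d[:])
}

// verifyDigestSig has no way to ask "was this meant as a release signature?".
func verifyDigestSig(pub ed25519.PublicKey, artifact, sig []byte) bool {
	d := sha256.Sum256(artifact)
	return ed25519.Verify(pub, d[:], sig)
}

// pae is the DSSE v1 pre-authentication encoding; it binds the payload type into the signed bytes.
func pae(payloadType string, payload []byte) []byte {
	return []byte("DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(payload)) + " " + string(payload))
}

// attest signs a Statement naming the subject digest and the predicate type, so the
// signature carries its intent with it.
func attest(priv ed25519.PrivateKey, name string, artifact []byte, predicateType string, predicate json.RawMessage) (payload, sig []byte, err error) {
	st := Statement{
		Type:          inTotoStatementType,
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": sha256Hex(artifact)}}},
		PredicateType: predicateType,
		Predicate:     predicate,
	}
	if payload, err = json.Marshal(st); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, pae(inTotoPayloadType, payload)), nil
}

// verifyAttestation checks the signature, then that the statement is about this
// artifact and was made for the purpose the verifier expects.
func verifyAttestation(pub ed25519.PublicKey, artifact, payload, sig []byte, wantPredicateType string) error {
	if !ed25519.Verify(pub, pae(inTotoPayloadType, payload), sig) {
		return fmt.Errorf("signature does not verify")
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return err
	}
	if st.Type != inTotoStatementType {
		return fmt.Errorf("unexpected statement type %q", st.Type)
	}
	if st.PredicateType != wantPredicateType {
		return fmt.Errorf("predicateType %q, want %q", st.PredicateType, wantPredicateType)
	}
	want := sha256Hex(artifact)
	for _, s := range st.Subject {
		if s.Digest["sha256"] == want {
			return nil
		}
	}
	return fmt.Errorf("artifact digest %s is not a subject of the statement", want)
}

func main() {
	pub, priv := newSigner()
	artifact := []byte("constructed release tarball bytes") // constructed sample input
	fmt.Println("plain signature verifies:", verifyDigestSig(pub, artifact, signDigest(priv, artifact)))
	payload, sig, _ := attest(priv, "example-1.0.0.tar.gz", artifact, sastPredicateType, json.RawMessage(`{"result":"pass"}`))
	fmt.Println("SAST attestation as SAST result:", verifyAttestation(pub, artifact, payload, sig, sastPredicateType))
	fmt.Println("SAST attestation as release:", verifyAttestation(pub, artifact, payload, sig, releasePredicateType))
}
```

Running `main` shows the digest-only signature verifying with no way to ask what it was for, while the same key's SAST attestation verifies when the verifier asks for a SAST result and is rejected when it asks for a release attestation. The digest-only signature is what a signing-only level accepts; checking `predicateType` and the subject digest is what the attestation level adds.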

SecurityCRob and others added 2 commits October 18, 2024 15:33
Co-authored-by: Tom Hennen <[email protected]>
Signed-off-by: CRob <[email protected]>
Co-authored-by: Tom Hennen <[email protected]>
Signed-off-by: CRob <[email protected]>
SecurityCRob and others added 2 commits November 7, 2024 16:26
Co-authored-by: Eddie Knight <[email protected]>
Signed-off-by: CRob <[email protected]>
Co-authored-by: Puerco <[email protected]>
Signed-off-by: CRob <[email protected]>
security_insights_value: # TODO
scorecard_probe:
- releasesAreSigned
- id: OSPS-54
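Review bot: `security_insights_value` is still `# TODO` while `scorecard_probe` now lists `releasesAreSigned`, so the two evidence fields for OSPS-53 disagree about whether the criterion is assessable; either fill the Security Insights value in or mark it explicitly as not applicable before the OSPS-54 entry that follows. Also confirm that `releasesAreSigned` is the exact identifier of the probe being referenced, since the mapping only works if the name matches.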

I'd suggest splitting this out into a separate PR, since it seems less controversial than the other one.

Labels: documentation, enhancement

7 participants