ossf/scorecard
1
1
Fork 0
mirror of https://github.com/ossf/scorecard.git synced 2024-09-20 05:27:12 +03:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
7df624229f
scorecard/attestor/README.md

70 lines
3.0 KiB
Markdown
Raw Normal View History

🌱 attestor: Dockerize + small improvements for Cloud Build usage (#2456) * Dockerize * Add cloudbuild.yaml * Improve logging Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add README.md Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Address PR comments * debian10 -> 11 * CLI * Remove logging statements * Dockerfile Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Raghav Kaul <raghavkaul@google.com>
2022-11-18 03:49:06 +03:00
# Scorecard Attestor
## What is scorecard-attestor?
scorecard-attestor is a tool that runs scorecard on a software source repo, and based on certain policies about those results, produces a Google Cloud binary authorization attestation.
scorecard-attestor helps users secure their software deployment systems by ensuring the code that they deploy passes certain criteria.
## Building and using scorecard-attestor
scorecard-attestor can be built as a standalone binary from source using `make build-attestor`, or with Docker, using `make build-attestor-docker`. scorecard-attestor is intended to be used as part of a Google Cloud Build pipeline, and inherits environment variables based on [build substitutions](https://cloud.google.com/build/docs/configuring-builds/substitute-variable-values).
Unless there's an internal error, scorecard-attestor will always return a successful status code, but will only produce a binary authorization attestation if the policy check passes.
## Configuring policies for scorecard-attestor
Policies for scorecard attestor can be passed through the CLI using the `--policy` flag. Examples of policies can be seen in [attestor/policy/testdata](/attestor/policy/testdata).
### Policy schema
Policies follow the following schema:
```yaml
---
type: "//rec"
optional:
preventBinaryArtifacts: "//bool"
allowedBinaryArtifacts:
type: "//arr"
contents: "//str" # Accepts glob-based filepaths as strings here
ensureNoVulnerabilities: "//bool"
ensureDependenciesPinned: "//bool"
allowedUnpinnedDependencies:
type: "//arr"
contents:
type: "//rec"
optional:
packagename: "//str"
filepath: "//str"
version: "//str"
ensureCodeReviewed: "//bool"
codeReviewRequirements:
type: "//rec"
optional:
requiredApprovers:
type: "//arr"
contents: "//str"
minReviewers: "//int"
```
### Missing parameters
Policies that are left blank will be ignored. Policies that allow users additional configuration options will be given default parameters as listed below.
* `PreventBinaryArtifacts`: If not specified, `AllowedBinaryArtifacts` will be empty, i.e. no binary artifacts will be allowed
* `PreventUnpinnedDependencies`: If not specified, `AllowedUnpinnedDependencies` will be empty, i.e. no unpinned dependencies will be allowed
* `RequireCodeReviewed`: If not specified, `CodeReviewRequirements` will require at least one reviewer on all changesets.
## Sample
Examples of how to use scorecard-attestor with binary authorization in your project can be found in these two repos:
* [scorecard-binauthz-test-good](https://github.com/ossf-tests/scorecard-binauthz-test-good)
* [scorecard-binauthz-test-bad](https://github.com/ossf-tests/scorecard-binauthz-test-bad)
Sample code comes with:
* `cloudbuild.yaml` to build the application and run scorecard-attestor
* Terraform files to set up the binary authorization environment, including KMS and IAM.
Reference in New Issue Copy Permalink