scorecard/attestor/README.md

# Scorecard Attestor

## What is scorecard-attestor?

scorecard-attestor is a tool that runs scorecard on a software source repo, and based on certain policies about those results, produces a Google Cloud binary authorization attestation.

scorecard-attestor helps users secure their software deployment systems by ensuring the code that they deploy passes certain criteria.

## Building and using scorecard-attestor

scorecard-attestor can be built as a standalone binary from source using `make build-attestor`, or with Docker, using `make build-attestor-docker`. scorecard-attestor is intended to be used as part of a Google Cloud Build pipeline, and inherits environment variables based on [build substitutions](https://cloud.google.com/build/docs/configuring-builds/substitute-variable-values).

Unless there's an internal error, scorecard-attestor will always return a successful status code, but will only produce a binary authorization attestation if the policy check passes.

## Configuring policies for scorecard-attestor

Policies for scorecard attestor can be passed through the CLI using the `--policy` flag. Examples of policies can be seen in [attestor/policy/testdata](/attestor/policy/testdata).

### Policies

* `PreventBinaryArtifacts`: Ensure that a repository is free from binary artifacts, which can link against the final repo artifact but isn't reviewable.
  * `AllowedBinaryArtifacts`: A list of binary artifacts, by repo path, to ignore. If not specified, no binary artifacts will be allowed
* `PreventKnownVulnerabilities`: Ensure that the project is free from security vulnerabilities/advisories, as registered in osv.dev.
* `PreventUnpinnedDependencies`: Ensure that a project's dependencies are pinned by hash. Dependency pinning makes builds more predictable, and prevents the consumption of malicious package versions from a compromised upstream.
  * `AllowedUnpinnedDependencies`: Ignore some dependencies, either by the filepath of the dependency management file (`filepath`, e.g. requirements.txt or package.json) or the dependency name (`packagename`, the specific package being ignored). If multiple filepaths/names, or a combination of filepaths and names are specified, all of them will be used. If not specified, no unpinned dependencies will be allowed.
* `RequireCodeReviewed`: Require that If `CodeReviewRequirements` is not specified, at least one reviewer will be required on all changesets. Scorecard-attestor inherits scorecard's default commit window (i.e. will only look at the last 30 commits to determine if they are reviewed or not).
  * `CodeReviewRequirements.MinReviewers`: The minimum number of distinct approvals required.
  * `CodeReviewRequirements.RequiredApprovers`: A set of approvers, any of whom must be found to have approved all changes. If a change is found without any approvals from this list, the check fails.

### Policy schema

Policies follow the following schema:

```yaml
---
type: "//rec"
optional:
    preventBinaryArtifacts: "//bool"
    allowedBinaryArtifacts:
        type: "//arr"
        contents: "//str" # Accepts glob-based filepaths as strings here
    ensureNoVulnerabilities: "//bool"
    ensureDependenciesPinned: "//bool"
    allowedUnpinnedDependencies:
        type: "//arr"
        contents:
            type: "//rec"
            optional:
                packagename: "//str"
                filepath: "//str"
                version: "//str"
    ensureCodeReviewed: "//bool"
    codeReviewRequirements:
        type: "//rec"
        optional:
            requiredApprovers:
                type: "//arr"
                contents: "//str"
            minReviewers: "//int"
```

## Sample

Examples of how to use scorecard-attestor with binary authorization in your project can be found in these two repos:

* [scorecard-binauthz-test-good](https://github.com/ossf-tests/scorecard-binauthz-test-good)
* [scorecard-binauthz-test-bad](https://github.com/ossf-tests/scorecard-binauthz-test-bad)

Sample code comes with:

* `cloudbuild.yaml` to build the application and run scorecard-attestor
* Terraform files to set up the binary authorization environment, including KMS and IAM.
🌱 attestor: Dockerize + small improvements for Cloud Build usage (#2456) * Dockerize * Add cloudbuild.yaml * Improve logging Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add README.md Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Address PR comments * debian10 -> 11 * CLI * Remove logging statements * Dockerfile Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Raghav Kaul <raghavkaul@google.com> 2022-11-18 03:49:06 +03:00			`# Scorecard Attestor`

			`## What is scorecard-attestor?`

			`scorecard-attestor is a tool that runs scorecard on a software source repo, and based on certain policies about those results, produces a Google Cloud binary authorization attestation.`

			`scorecard-attestor helps users secure their software deployment systems by ensuring the code that they deploy passes certain criteria.`

			`## Building and using scorecard-attestor`

			scorecard-attestor can be built as a standalone binary from source using `make build-attestor`, or with Docker, using `make build-attestor-docker`. scorecard-attestor is intended to be used as part of a Google Cloud Build pipeline, and inherits environment variables based on [build substitutions](https://cloud.google.com/build/docs/configuring-builds/substitute-variable-values).

			`Unless there's an internal error, scorecard-attestor will always return a successful status code, but will only produce a binary authorization attestation if the policy check passes.`

			`## Configuring policies for scorecard-attestor`

			Policies for scorecard attestor can be passed through the CLI using the `--policy` flag. Examples of policies can be seen in [attestor/policy/testdata](/attestor/policy/testdata).

🌱 attestor: module -> subpackage (#2464) * Enable cilint checking on attestor and fix cilint errors Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Make attestor a subpackage of scorecard * Move e2e test * Use scorecard logger Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Raghav Kaul <raghavkaul@google.com> 2022-11-30 21:22:00 +03:00			`### Policies`

			* `PreventBinaryArtifacts`: Ensure that a repository is free from binary artifacts, which can link against the final repo artifact but isn't reviewable.
			* `AllowedBinaryArtifacts`: A list of binary artifacts, by repo path, to ignore. If not specified, no binary artifacts will be allowed
			* `PreventKnownVulnerabilities`: Ensure that the project is free from security vulnerabilities/advisories, as registered in osv.dev.
			* `PreventUnpinnedDependencies`: Ensure that a project's dependencies are pinned by hash. Dependency pinning makes builds more predictable, and prevents the consumption of malicious package versions from a compromised upstream.
			* `AllowedUnpinnedDependencies`: Ignore some dependencies, either by the filepath of the dependency management file (`filepath`, e.g. requirements.txt or package.json) or the dependency name (`packagename`, the specific package being ignored). If multiple filepaths/names, or a combination of filepaths and names are specified, all of them will be used. If not specified, no unpinned dependencies will be allowed.
:book: fix "default" typo (#3543) Signed-off-by: guoguangwu <guoguangwu@magic-shield.com> 2023-10-10 04:13:12 +03:00			* `RequireCodeReviewed`: Require that If `CodeReviewRequirements` is not specified, at least one reviewer will be required on all changesets. Scorecard-attestor inherits scorecard's default commit window (i.e. will only look at the last 30 commits to determine if they are reviewed or not).
🌱 attestor: module -> subpackage (#2464) * Enable cilint checking on attestor and fix cilint errors Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Make attestor a subpackage of scorecard * Move e2e test * Use scorecard logger Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Raghav Kaul <raghavkaul@google.com> 2022-11-30 21:22:00 +03:00			* `CodeReviewRequirements.MinReviewers`: The minimum number of distinct approvals required.
🌱 attestor: e2e tests (#2529) * Add E2E tests Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Change RequiredApprovers so that it checks for any reviewers on the list instead of all Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Raghav Kaul <raghavkaul@google.com> Co-authored-by: Azeem Shaikh <azeemshaikh38@gmail.com> 2022-12-12 23:27:14 +03:00			* `CodeReviewRequirements.RequiredApprovers`: A set of approvers, any of whom must be found to have approved all changes. If a change is found without any approvals from this list, the check fails.
🌱 attestor: module -> subpackage (#2464) * Enable cilint checking on attestor and fix cilint errors Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Make attestor a subpackage of scorecard * Move e2e test * Use scorecard logger Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Raghav Kaul <raghavkaul@google.com> 2022-11-30 21:22:00 +03:00
🌱 attestor: Dockerize + small improvements for Cloud Build usage (#2456) * Dockerize * Add cloudbuild.yaml * Improve logging Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Add README.md Signed-off-by: Raghav Kaul <raghavkaul@google.com> * Address PR comments * debian10 -> 11 * CLI * Remove logging statements * Dockerfile Signed-off-by: Raghav Kaul <raghavkaul@google.com> Signed-off-by: Raghav Kaul <raghavkaul@google.com> 2022-11-18 03:49:06 +03:00			`### Policy schema`

			`Policies follow the following schema:`

			```yaml
			`---`
			`type: "//rec"`
			`optional:`
			`preventBinaryArtifacts: "//bool"`
			`allowedBinaryArtifacts:`
			`type: "//arr"`
			`contents: "//str" # Accepts glob-based filepaths as strings here`
			`ensureNoVulnerabilities: "//bool"`
			`ensureDependenciesPinned: "//bool"`
			`allowedUnpinnedDependencies:`
			`type: "//arr"`
			`contents:`
			`type: "//rec"`
			`optional:`
			`packagename: "//str"`
			`filepath: "//str"`
			`version: "//str"`
			`ensureCodeReviewed: "//bool"`
			`codeReviewRequirements:`
			`type: "//rec"`
			`optional:`
			`requiredApprovers:`
			`type: "//arr"`
			`contents: "//str"`
			`minReviewers: "//int"`
			```

			`## Sample`

			`Examples of how to use scorecard-attestor with binary authorization in your project can be found in these two repos:`

			`* [scorecard-binauthz-test-good](https://github.com/ossf-tests/scorecard-binauthz-test-good)`
			`* [scorecard-binauthz-test-bad](https://github.com/ossf-tests/scorecard-binauthz-test-bad)`

			`Sample code comes with:`

			* `cloudbuild.yaml` to build the application and run scorecard-attestor
			`* Terraform files to set up the binary authorization environment, including KMS and IAM.`