mirror of
https://github.com/ossf/scorecard.git
synced 2024-09-21 05:57:42 +03:00
2c20be03cb
* convert Signed Releases to probes
* Specify that probe is for Github and Gitlab only
* use in loop instead of
* fix linter issues
* fix more linter issues
* specify Github and Gitlab in provenance def.yml
* Add link to slsa-github-generator
* Add instructions on signing with Cosign
* refactor evaluation
* debug failing integration test
* remove unused nolints
* expose release name asset names in finding values
* fix failed integration test
* remove 'totalReleases' value from findings
* remove left-over cases of "totalReleases" values in findings
* remove remaining totalReleases values
* use const probe names instead of hard-coded strings
* remove totalReleases from test helper arguments
* merge test helpers

Signed-off-by: AdamKorcz <adam@adalogics.com>
Signed-off-by: Adam Korczynski <adam@adalogics.com>
31 lines
1.6 KiB
YAML
# Copyright 2023 OpenSSF Scorecard Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

id: releasesAreSigned
short: Check that the project's Github and Gitlab releases are signed.
motivation: >
  Signed releases allow consumers to verify their artifacts before consuming them.
implementation: >
  The implementation checks whether a signature file is present in release assets. The probe checks the last 5 releases on Github and Gitlab.
outcome:
  - For each of the last 5 releases, the probe returns OutcomePositive, if the release has a signature file in the release assets.
  - For each of the last 5 releases, the probe returns OutcomeNegative, if the release does not have a signature file in the release assets.
  - If the project has no releases, the probe returns OutcomeNotApplicable.
remediation:
  effort: Medium
  text:
    - Install Cosign by following https://docs.sigstore.dev/system_config/installation
    - Sign your release artifacts using `cosign sign $YOUR_ARTIFACT`. See more at https://docs.sigstore.dev/signing/quickstart
    - Publish your release and add the certificate and signature produced by Cosign.
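The outcome rules above (one result per release for the last 5, OutcomeNotApplicable when there are none, release and asset names exposed in each finding) as an added Go example; this is not Scorecard's own probe code. The `Release`/`Finding` shapes and the list of file suffixes treated as a signature file are assumptions, since def.yml does not say which files count.

```go
package main

import "strings"

// Probe outcomes named in def.yml, and the number of newest releases inspected.
const (
	OutcomePositive      = "OutcomePositive"
	OutcomeNegative      = "OutcomeNegative"
	OutcomeNotApplicable = "OutcomeNotApplicable"
	releaseLookBack      = 5
)

// Release is a minimal view of a GitHub/GitLab release; Finding is one probe result.
type Release struct {
	Tag    string
	Assets []string
}
type Finding struct{ Outcome, Release, Asset string }

// signedAsset returns the first asset whose name ends in one of an assumed set of
// signature suffixes; def.yml does not say which files count as a signature file.
func signedAsset(assets []string) (string, bool) {
	for _, a := range assets {
		for _, s := range []string{".sig", ".asc", ".minisig", ".sigstore"} {
			if strings.HasSuffix(strings.ToLower(a), s) {
				return a, true
			}
		}
	}
	return "", false
}

// Run takes releases ordered newest first and returns one finding per inspected
// release, or a single OutcomeNotApplicable finding when the project has none.
func Run(releases []Release) []Finding {
	if len(releases) == 0 {
		return []Finding{{Outcome: OutcomeNotApplicable}}
	}
	if len(releases) > releaseLookBack {
		releases = releases[:releaseLookBack]
	}
	var findings []Finding
	for _, r := range releases {
		f := Finding{Outcome: OutcomeNegative, Release: r.Tag}
		if a, ok := signedAsset(r.Assets); ok {
			f.Outcome, f.Asset = OutcomePositive, a
		}
		findings = append(findings, f)
	}
	return findings
}
```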