
Prepare the repo to meet SLSA security levels #25

Status: Open
behnazh opened this issue Oct 22, 2021 · 4 comments
Labels: enhancement (New feature or request), security (Security related features or bugs)

Comments

@behnazh (Collaborator) commented Oct 22, 2021

SLSA is a promising work that aims at improving the security posture of open source software and protecting against supply chain attacks. I believe this template provides a good opportunity to adopt SLSA. Even though SLSA is still a work in progress, I don't think we should wait for them to finalize the specs, and the earlier we start the better.

The current layout of the repo looks like this, which misses a build step (the quality assurance steps don't modify code, but build does)
[image: diagram of the current repo layout]

To make this template and the repos created from it meet the highest SLSA levels, we need to prepare the repo to meet their requirements. To begin with, I propose to make the repo ready for level 1. This level helps publish an artifact provenance in a common format, in-toto. For that we need more explicit build and packaging steps, which developers can develop further based on their needs. This would satisfy the Scripted Build requirement.

Once the repo meets level 1, we can use in-toto to generate the provenance and verify it.
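As an added example (not part of this issue and not one of the template's own workflows), the following GitHub Actions workflow shows what the proposal above amounts to in practice: an explicit, scripted build step whose logic lives in a script under version control (the Scripted Build requirement), followed by a step that records what was built as an in-toto Statement carrying a SLSA provenance predicate. Everything specific to it is an assumption: the script path `scripts/build.sh`, the output directory `dist/`, the workflow file name `build.yml`, and the predicate field layout, which follows the SLSA provenance v0.1 schema as it stood when this issue was opened.

```yaml
name: Build and provenance

on:
  push:
    tags: ["v*"]
  workflow_dispatch:

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      # Scripted Build: the build is defined by a script checked into the repo,
      # not by ad-hoc commands typed into this workflow. scripts/build.sh is an
      # assumed name for whatever the template ends up calling its build script;
      # the only contract here is that it writes its outputs to dist/.
      - name: Build package
        run: ./scripts/build.sh

      # Level 1 provenance: an (unsigned) in-toto Statement listing every built
      # artifact by digest, which builder produced it, which script was the entry
      # point, and which source commit it was built from. Field names follow the
      # SLSA provenance v0.1 predicate (assumption, see lead-in).
      - name: Generate provenance
        run: |
          subjects=""
          for f in dist/*; do
            digest=$(sha256sum "$f" | cut -d' ' -f1)
            subjects="${subjects:+$subjects,}{\"name\":\"$(basename "$f")\",\"digest\":{\"sha256\":\"$digest\"}}"
          done
          cat > dist/provenance.json <<EOF
          {
            "_type": "https://in-toto.io/Statement/v0.1",
            "subject": [$subjects],
            "predicateType": "https://slsa.dev/provenance/v0.1",
            "predicate": {
              "builder": {"id": "https://github.com/${GITHUB_REPOSITORY}/.github/workflows/build.yml"},
              "recipe": {
                "type": "https://github.com/Attestations/GitHubActionsWorkflow@v1",
                "definedInMaterial": 0,
                "entryPoint": "scripts/build.sh"
              },
              "materials": [
                {"uri": "git+https://github.com/${GITHUB_REPOSITORY}", "digest": {"sha1": "${GITHUB_SHA}"}}
              ]
            }
          }
          EOF

      - uses: actions/upload-artifact@v2
        with:
          name: dist
          path: dist/
```

Two points worth checking when adapting this. The provenance is written after the `for` loop has finished, so it never lists itself as a subject; and the statement is deliberately unsigned, which is all level 1 asks for. Wrapping it in a signed DSSE envelope (what the in-toto tooling mentioned above does) is the step that moves the repo towards level 2, where provenance has to be authenticated.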

behnazh added the enhancement and security labels Oct 22, 2021

@jenstroeger (Owner) commented:

Great, I’m all for moving forward with this 🤓

@behnazh (Collaborator, Author) commented Oct 22, 2021

This is another GitHub Action to consider for generating the provenance to meet level 1.

@jenstroeger (Owner) commented:

PR #248 modifies the CodeQL workflow somewhat, and it references two more related issues.

Also, I wanted to track one more problem we should address as we rebuild the workflows for improved SLSA compliance: both the Release Notification workflow and the (soon-to-come) Wiki Documentation workflow are triggered by the release event — and so they run simultaneously. However, the Release Notification workflow should run only if the Wiki Documentation was successful.
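One way to get the ordering described above, shown as an added example rather than the template's actual Release Notification workflow: instead of listening to the release event, the notification workflow listens for the completion of the Wiki Documentation workflow (GitHub's `workflow_run` trigger) and its job is gated on that run's conclusion. The workflow name `Wiki Documentation` is taken from the comment; the job name and the notification step body are placeholders.

```yaml
name: Release Notification

# Triggered when the "Wiki Documentation" workflow finishes, not by the
# release event itself, so the two can no longer run side by side. The
# string must match that workflow's top-level `name:` exactly.
on:
  workflow_run:
    workflows: ["Wiki Documentation"]
    types: [completed]

jobs:
  notify:
    runs-on: ubuntu-latest
    # `completed` fires for success, failure and cancellation alike, so the
    # gate on the conclusion is what enforces "only if documentation succeeded".
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    steps:
      - name: Send notification
        # Placeholder step; the real workflow would post to whatever channel
        # the Release Notification workflow currently uses.
        run: echo "Wiki Documentation run ${{ github.event.workflow_run.id }} succeeded, sending release notification"
```

Two caveats to keep in mind with this trigger: GitHub only evaluates `workflow_run` for a workflow file that exists on the default branch, and the event payload describes the documentation run (`github.event.workflow_run`), not the original release, so any release details the notification needs have to be looked up from that run's commit or tag rather than read from a release payload.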

@jenstroeger (Owner) commented:

@behnazh Can we close this issue?


2 participants