[Nominations Open] Best User Adopter Award 2022 🏆 #125
Comments
Nominating OSSF Scorecard team: http://github.com/ossf/scorecard

The OpenSSF Scorecard is an automated tool that assesses several important heuristics associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve to strengthen your project's security posture. The OpenSSF Scorecard's GitHub Action v2 action uses GitHub OIDC with Sigstore (with Fulcio as root CA and Rekor as a transparency log) to ensure the integrity of its results. This is going to secure millions of repositories using Rekor and Fulcio.

https://openssf.org/blog/2022/09/08/show-off-your-security-score-announcing-scorecards-badges
This is a great idea. Scorecard is using Sigstore to enable badges and built a remote attestation system based on Sigstore + OIDC + GitHub Actions. Some of the work was presented at Open-Source Security Summit in Austin last June.

SLSA GitHub Generators: https://github.com/slsa-framework/slsa-github-generator

The SLSA GitHub Generator project hosts a collection of trusted builders that can produce SLSA Level 3 compliant provenance. It achieves this by using the isolation guarantees from reusable workflows on GitHub Actions and, crucially, Sigstore OIDC signing to bind GitHub workflow identities attested by Fulcio to achieve non-falsifiable provenance. The verifier uses Sigstore-based verification flows, verifying certificate authenticity up to Fulcio's Root CA and verifying that the entry signed was present in the Rekor log.

These tools allow GitHub developers to build on GitHub Actions as per normal flows and generate signed L3 provenance using only free GitHub tooling and Sigstore's public-good instance. Other solutions require GCP accounts to enable GCB build provenance, or Tekton Chains, which requires Tekton. Our Golang builders are already GA available, and we have a generic provenance attestor being used in a variety of repos, including kpt, crane, jib, and even sigstore-java!

One crucial part of our user adoption story is our contribution back to the Sigstore ecosystem. With extensive end-to-end testing of our flow, we were able to detect regressions and issues in Sigstore services (sigstore/rekor#956, sigstore/cosign#2123, sigstore/cosign#2121, sigstore/cosign#2058). Our work also suggested and enabled many feature enhancements as requirements to Fulcio (sigstore/fulcio#232) and Rekor (sigstore/rekor#838, sigstore/rekor#761, sigstore/rekor#793).

Reference:
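The comment above describes the verifier side of the SLSA GitHub Generator flow: after the Fulcio certificate chain and the Rekor inclusion proof are checked, the provenance itself is still subject to policy (does it cover this artifact, was it produced by a trusted builder, from the expected source repository). The following is an added example, not code from slsa-github-generator or slsa-verifier, showing those post-signature policy checks over a constructed DSSE-wrapped SLSA v0.2 provenance statement. The artifact bytes, the `example-org/example-app` repository, the tag, the commit digest and the `vX.Y.Z` builder tag are all constructed placeholders; the Fulcio and Rekor checks performed by the real tool are deliberately outside this snippet.

```python
"""Policy checks on a SLSA v0.2 provenance statement in a DSSE envelope.

Added example, not slsa-verifier's code. It covers what happens after
signature verification: subject digest, predicate type, trusted builder
identity and source repository. Fulcio chain and Rekor inclusion checks
are out of scope here.
"""
import base64
import hashlib
import json

INTOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE_V02 = "https://slsa.dev/provenance/v0.2"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"
# Assumed trusted-builder prefix: the reusable workflows of slsa-github-generator.
TRUSTED_BUILDER_PREFIX = "https://github.com/slsa-framework/slsa-github-generator/"

# Constructed artifact and provenance; repo, tag, commit and builder tag are placeholders.
ARTIFACT = b"constructed release binary contents\n"
STATEMENT = {
    "_type": INTOTO_STATEMENT_TYPE,
    "predicateType": SLSA_PROVENANCE_V02,
    "subject": [{"name": "example-app-linux-amd64",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicate": {
        "builder": {"id": TRUSTED_BUILDER_PREFIX
                    + ".github/workflows/builder_go_slsa3.yml@refs/tags/vX.Y.Z"},
        "buildType": "https://github.com/slsa-framework/slsa-github-generator/go@v1",
        "invocation": {"configSource": {
            "uri": "git+https://github.com/example-org/example-app@refs/tags/v1.0.0",
            "digest": {"sha1": "0" * 40},
            "entryPoint": ".github/workflows/release.yml"}},
    },
}


def make_envelope(statement: dict) -> dict:
    """Wrap a statement in a DSSE envelope (constructed, placeholder signature)."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {
        "payloadType": DSSE_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "", "sig": base64.b64encode(b"placeholder").decode()}],
    }


ENVELOPE = make_envelope(STATEMENT)


def check_provenance(envelope: dict, artifact: bytes, expected_source: str,
                     trusted_builder_prefix: str = TRUSTED_BUILDER_PREFIX) -> list:
    """Return the list of policy violations; an empty list means the provenance passes."""
    problems = []
    if envelope.get("payloadType") != DSSE_PAYLOAD_TYPE:
        problems.append("unexpected DSSE payloadType")
    try:
        statement = json.loads(base64.b64decode(envelope["payload"]))
    except (KeyError, ValueError):
        return problems + ["payload is not base64-encoded JSON"]

    if statement.get("_type") != INTOTO_STATEMENT_TYPE:
        problems.append("not an in-toto statement")
    if statement.get("predicateType") != SLSA_PROVENANCE_V02:
        problems.append("predicateType is not SLSA provenance v0.2")

    # 1. The artifact in hand must be one of the statement's subjects.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("artifact sha256 %s not among subjects" % digest)

    predicate = statement.get("predicate", {})
    # 2. Only the trusted builder identity is acceptable (Fulcio binds it to the cert).
    builder_id = predicate.get("builder", {}).get("id", "")
    if not builder_id.startswith(trusted_builder_prefix):
        problems.append("untrusted builder id: %r" % builder_id)

    # 3. The source repository must be the one the consumer expects.
    source_uri = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
    if source_uri.split("@", 1)[0] != expected_source:
        problems.append("source %r does not match expected %r" % (source_uri, expected_source))
    return problems


def demo() -> dict:
    """Run the checks on the genuine case and on two altered variants."""
    expected = "git+https://github.com/example-org/example-app"
    altered = json.loads(json.dumps(STATEMENT))
    altered["predicate"]["builder"]["id"] = "https://github.com/example-org/self-hosted-builder"
    return {
        "genuine": check_provenance(ENVELOPE, ARTIFACT, expected),
        "swapped_artifact": check_provenance(ENVELOPE, ARTIFACT + b"x", expected),
        "untrusted_builder": check_provenance(make_envelope(altered), ARTIFACT, expected),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "OK" if not result else result)
```

The three policy checks mirror what a consumer of slsa-verifier supplies on the command line (the artifact, the provenance file and the expected source URI); the point of the example is that a valid Sigstore signature alone proves only who signed, and the builder-identity and source checks are what turn that into a statement about the artifact.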
This issue is to receive nominations for the Best User Adopter Award 2022.
This award recognizes an individual, team or organization who have adopted Sigstore to secure and protect their software, and have shared their impactful Sigstore story so that others may also learn from their journey.
To nominate someone, reply to this issue with the following:

- Full name of the person, team or organization you're nominating
- Short description of where they use Sigstore and why they should win.
Nomination Deadline: Tuesday, September 20, 2022
More details are available here: https://github.com/sigstore/community/tree/main/awards