Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Nominations Open] Best User Adopter Award 2022 🏆 #125

Closed
tracymiranda opened this issue Sep 6, 2022 · 3 comments
Closed

[Nominations Open] Best User Adopter Award 2022 🏆 #125

tracymiranda opened this issue Sep 6, 2022 · 3 comments

Comments

@tracymiranda
Copy link
Contributor

tracymiranda commented Sep 6, 2022

This issue is to receive nominations for the Best User Adopter Award 2022.

This award recognizes an individual, team or organization who have adopted Sigstore to secure and protect their software, and have shared their impactful Sigstore story so that others may also learn from their journey.

To nominate someone, reply to this issue with the following:

Full name of the person, team or organization you’re nominating
Short description of where they use Sigstore and why they should win.
Nomination Deadline: Tuesday, September 20, 2022

More details are available here: https://github.com/sigstore/community/tree/main/awards

@naveensrinivasan
Copy link

naveensrinivasan commented Sep 8, 2022

Nominating OSSF Scorecard team

http://github.com/ossf/scorecard

The OpenSSF Scorecard is an automated tool that assesses several important heuristics associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve to strengthen your project's security posture.

The OpenSSF Scorecard’s GitHub Action v2 action uses GitHub OIDC with Sigstore (with Fulcio as root CA and Rekor as a transparency log) to ensure the integrity of its results.

This is going to secure millions of repositories using rekor and fulcio.

https://openssf.org/blog/2022/09/08/show-off-your-security-score-announcing-scorecards-badges

@laurentsimon
Copy link

laurentsimon commented Sep 8, 2022

This is a great idea. Scorecard is using Sigstore to enable badges and built a remote attestation system based on Sigstore + OIDC + GitHub Actions. Some of the work was presented at Open-Source Security Summit in Austin last June

@asraa
Copy link
Contributor

asraa commented Sep 9, 2022

SLSA GitHub Generators

https://github.com/slsa-framework/slsa-github-generator
https://github.com/slsa-framework/slsa-verifier

The SLSA GitHub Generator project hosts a collection of trusted builders that can produce SLSA Level 3 compliant provenance. It achieves this by using the isolation guarantees from reusable workflows on GitHub Actions and crucially, Sigstore OIDC signing to bind GitHub workflow identities attested by Fulcio to achieve non-falsifiable provenance.

The verifier uses Sigstore-based verification flows, verifying certificate authenticity up to Fulcio's Root CA and verifying that the entry signed was present in the Rekor log.

These tools allow GitHub developers to build on GitHub Actions as per normal flows and generate signed L3 provenance using only free GitHub tooling and Sigstore's public-good-instance. Other solutions require GCP accounts to enable GCB build provenance, or Tekton Chains, which requires Tekton.

Our Golang builders are already GA available, and we have a generic provenance attestor being used in a variety of repos, including kpt, crane, jib, and even sigstore-java!

One crucial part of our user adoption story is our contribution back to the Sigstore ecosystem. With extensive end to end testing of our flow, we were able to detect regressions and issues in Sigstore services (sigstore/rekor#956, sigstore/cosign#2123, sigstore/cosign#2121, sigstore/cosign#2058). Our work also suggested and enabled many feature enhancements as requirements to Fulcio (sigstore/fulcio#232) and Rekor (sigstore/rekor#838, sigstore/rekor#761, sigstore/rekor#793).

Reference:

cc @ianlewis @laurentsimon @kpk47 @joshuagl

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants