-
Notifications
You must be signed in to change notification settings - Fork 229
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Are SLSA levels self-assessed ? #371
Comments
I am not sure there is a tool that would provide enough coverage to provide an automated assessment in a broad sense. That being said, the requirements are much more detailed that you see from frameworks like the NIST CSF of CIS Controls. Another option is to have an external entity attest to the alignment against SLSA requirements is self-assessment is not rigorous enough. |
You may see the compliance matrix by DevOps tool vender. It seem to help self-assesment. https://about.gitlab.com/solutions/supply-chain/ I think that it's difficult to assess automatically. |
Hi @sbs2001! This tool could help you to check some good practices in your repo. Chain-bench tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark. |
Sorry, this issue appears to have fallen through the cracks there. So currently SLSA is self assessed, however there is nothing to stop a third party audit firm or tooling to do the assessment for you. It's up to the consumer though to validate those certification. e.g. if audit person X says that your automated assessment done via tool Y is suitable for SLSA 3 builder certification then the end user would validate those identities and the attestations being made. @krol3 Chain-bench is great and definitely one of the tools we've been using to hit some of the CIS stuff for another OpenSSF tool Frsca which should be SLSA compliant and also an implementation of the CNCF's secure software factory ref arch. It would be cool though to also include SLSA requirements in the chain-bench benchmarking tool as well. |
@mlieberman85 I opened an issue, please add your comments about this topic. aquasecurity/chain-bench#63 |
I would like to fix this for v1.0, but let's merge it with #130 and make sure that issue addresses the questions here. |
SLSA noob here, so maybe it's a stupid question.
From reading the docs I didn't see a tool which could help with determining the SLSA level of some project. So I want to know whether folks just compare their project state with SLSA spec and determine their SLSA level.
The text was updated successfully, but these errors were encountered: