
Document how SLSA levels are met by example pipelines #231

Open
pxp928 opened this issue Jun 1, 2022 · 4 comments
Labels
enhancement New feature or request

Comments

@pxp928
Member

pxp928 commented Jun 1, 2022

Current Behavior

With multiple example pipelines that exist today in FRSCA, there is no mapping on how they are meeting the various SLSA levels.

Expected Behavior

Document how the pipelines with the various tools and controls are meeting the SLSA levels. Which conditions are being met within each level and which are still missing.
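One way to produce the per-level mapping this issue asks for is to read it off the signed provenance a pipeline emits. The Python below is an added example written for this thread, not FRSCA, Tekton Chains or SLSA project code: it unwraps a DSSE envelope, computes the DSSE pre-authentication encoding (the bytes a signer actually signs), and reports which SLSA v0.1 requirements a SLSA v0.2 provenance document gives evidence for, then lists what is still missing for a target level. The builder id, buildType, repository, key id and signature in the envelope are constructed placeholders, and the mapping is a heuristic: requirements such as a non-falsifiable or isolated build are properties of the build service and cannot be read from the document alone.

```python
"""Heuristic SLSA level report for a signed provenance attestation.

Added example for this issue, not FRSCA or Tekton Chains code. The envelope
is constructed inline, the signature is a placeholder, and the level mapping
covers only requirements that can be read off the provenance document.
"""
import base64
import json

SLSA_PROVENANCE_V02 = "https://slsa.dev/provenance/v0.2"
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the exact bytes a DSSE signer signs."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def decode_envelope(envelope: dict) -> dict:
    """Unwrap a DSSE envelope and return the in-toto statement it carries."""
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType %r" % envelope.get("payloadType"))
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != SLSA_PROVENANCE_V02:
        raise ValueError("unexpected predicateType %r" % statement.get("predicateType"))
    return statement


def is_version_controlled(uri: str) -> bool:
    """SLSA provenance records VCS sources with a git+ scheme (e.g. git+https://...)."""
    return uri.startswith("git+")


def assess_provenance(envelope: dict) -> dict:
    """Return {check name: bool}; each name carries the lowest SLSA v0.1 level needing it."""
    statement = decode_envelope(envelope)
    pred = statement.get("predicate", {})
    config = pred.get("invocation", {}).get("configSource", {})
    metadata = pred.get("metadata", {})
    completeness = metadata.get("completeness", {})
    materials = pred.get("materials", [])
    return {
        # L1 "Available": provenance names the builder and the artifacts (subjects).
        "L1 provenance available": bool(statement.get("subject")) and bool(pred.get("builder", {}).get("id")),
        # L2 "Authenticated": a signature is attached. Checking it against the trusted
        # builder key is the verifier's job (cosign / Chains), not this script's.
        "L2 provenance signed": any(s.get("sig") for s in envelope.get("signatures", [])),
        # L2 "Version controlled": the source is a git URI pinned by digest.
        "L2 source version controlled": is_version_controlled(config.get("uri", "")) and bool(config.get("digest")),
        # L3 "Build as code": the entry point comes from the version-controlled config.
        "L3 build as code": bool(config.get("entryPoint")),
        # L4 "Dependencies complete": builder claims completeness and every material is digest-pinned.
        "L4 dependencies complete": completeness.get("materials") is True
        and bool(materials) and all(m.get("digest") for m in materials),
        # L4 "Reproducible": builder asserts the build is reproducible.
        "L4 reproducible": metadata.get("reproducible") is True,
    }


def missing_for_level(checks: dict, level: int) -> list:
    """Failing checks at or below `level`: what still stands between the pipeline and it."""
    return [name for name, ok in checks.items() if int(name[1]) <= level and not ok]


def build_example_envelope() -> dict:
    """Constructed SLSA v0.2 provenance for an imaginary build; all ids are placeholders."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": "registry.example/app", "digest": {"sha256": "a" * 64}}],
        "predicateType": SLSA_PROVENANCE_V02,
        "predicate": {
            "builder": {"id": "https://builder.example/tekton-chains"},      # hypothetical
            "buildType": "https://builder.example/buildtypes/pipelinerun",  # hypothetical
            "invocation": {
                "configSource": {
                    "uri": "git+https://github.com/example/app",
                    "digest": {"sha1": "b" * 40},
                    "entryPoint": "pipeline.yaml",
                }
            },
            "metadata": {
                "completeness": {"parameters": True, "environment": False, "materials": False},
                "reproducible": False,
            },
            "materials": [{"uri": "git+https://github.com/example/app", "digest": {"sha1": "b" * 40}}],
        },
    }
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        # Placeholder: a real envelope carries the builder's signature over dsse_pae(...).
        "signatures": [{"keyid": "example-key", "sig": base64.b64encode(b"placeholder").decode()}],
    }


if __name__ == "__main__":
    checks = assess_provenance(build_example_envelope())
    for name, ok in checks.items():
        print(("PASS " if ok else "MISS ") + name)
    print("missing for L3:", missing_for_level(checks, 3))
    print("missing for L4:", missing_for_level(checks, 4))
```

Run it with `python3` to print a PASS/MISS line per check. The constructed provenance leaves materials completeness and reproducibility unset, so the report shows the L1 to L3 checks satisfied and the two L4 checks missing. Before any L2+ conclusion is trusted in a real pipeline, the `sig` must be verified over `dsse_pae(payloadType, payload)` with the builder's public key; that is what cosign or the Tekton Chains verifier does, and this script deliberately does not fake it.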

@pxp928 pxp928 added the enhancement New feature or request label Jun 1, 2022
@cdwbrad

cdwbrad commented Jun 9, 2022

I'd also be very interested in seeing this kind of documentation. I was reading this Google blog post that implies that self-hosted GitHub action runners can't achieve the build isolation required for SLSA 3+.

My thought was that using SPIFFE/SPIRE for node & workload verification would possibly be sufficient(?). But that's just one example where mapping SLSA in some of the examples would be helpful.

@mlieberman85
Contributor

This was also just discussed at the SLSA meeting today, June 9th, 2022. It would be useful to make sure it's clear to folks how Frsca meets the various SLSA requirements, and to have examples as well.

@cdwbrad SPIFFE/Spire should meet the requirements, and the work to integrate Spire into Tekton Chains is, I believe, mostly done, which would allow Frsca to achieve that higher-level requirement.

@cdwbrad

cdwbrad commented Jun 9, 2022

@mlieberman85 That's good to hear. Where are the SLSA meetings (incl. schedule & notes) tracked?

@anniepamela2020
Contributor

zachyonash pushed a commit to zachyonash/ssf that referenced this issue Feb 6, 2023
This change adds documentation explaining how FRSCA is achieving various levels of SLSA compliance.

Ref buildsec#231
zachyonash pushed a commit to zachyonash/ssf that referenced this issue Feb 7, 2023
This change adds documentation explaining how FRSCA is achieving various levels of SLSA compliance.

Ref buildsec#231

Signed-off-by: ZYonash <[email protected]>
zachyonash pushed a commit to zachyonash/ssf that referenced this issue Feb 8, 2023
This change adds documentation explaining how FRSCA is achieving various levels of SLSA compliance.

Ref buildsec#231

Signed-off-by: ZYonash <[email protected]>
kodiakhq bot added a commit that referenced this issue Feb 13, 2023
* Bump github/codeql-action from 2.1.38 to 2.1.39 (#392)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.38 to 2.1.39.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@515828d...a34ca99)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>
Signed-off-by: ZYonash <[email protected]>

* Update git-clone sha256 (#394)

The git-clone task was updated in place. This PR updates the sha256 used by vendorme.

Signed-off-by: Brad Beck <[email protected]>

Signed-off-by: Brad Beck <[email protected]>
Signed-off-by: ZYonash <[email protected]>

* SLSA documentation

This change adds documentation explaining how FRSCA is achieving various levels of SLSA compliance.

Ref #231

Signed-off-by: ZYonash <[email protected]>

* Workaround for git dubious ownership error (#398)

* Workaround for git dubious ownership error

Workaround for the following error in the docs workflow:

```
fatal: detected dubious ownership in repository at '/github/workspace'
To add an exception for this directory, call:

	git config --global --add safe.directory /github/workspace
```

Signed-off-by: Brad Beck <[email protected]>

* Try new version of shalzz/zola-deploy-action

Signed-off-by: Brad Beck <[email protected]>

---------

Signed-off-by: Brad Beck <[email protected]>
Signed-off-by: ZYonash <[email protected]>

* Bump github/codeql-action from 2.1.39 to 2.2.1 (#395)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.39 to 2.2.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@a34ca99...3ebbd71)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>
Signed-off-by: ZYonash <[email protected]>

* This commit fixes some of the wording and styling of the docs, and should fix the build error.

Signed-off-by: ZYonash <[email protected]>

* Fixed some linting issues.

Signed-off-by: ZYonash <[email protected]>

* Revert "Fixed some linting issues."

This reverts commit d286ca1.

Signed-off-by: ZYonash <[email protected]>

* Removed unwanted changes to this PR. Fixed linting issues.

Signed-off-by: ZYonash <[email protected]>

---------

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: ZYonash <[email protected]>
Signed-off-by: Brad Beck <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>
Co-authored-by: Brad Beck <[email protected]>
Co-authored-by: ZYonash <[email protected]>