
Add support to SLSA compliance #63

Open
krol3 opened this issue Jul 11, 2022 · 3 comments · Fixed by #78

Comments


krol3 commented Jul 11, 2022

chain-bench could support the SLSA requirements: https://slsa.dev/spec/v0.1/requirements

krol3 changed the title from "SLSA requirements" to "Add support to SLSA compliance" on Jul 11, 2022
morwn (Collaborator) commented Jul 18, 2022

Hi @krol3,
I really like your idea; we will work on adding the SLSA level as part of each check's metadata soon.

In the meantime, do you have in mind any expected behavior that you wish to see when running chain-bench?

Thanks,
Mor

resheetk mentioned this issue Jul 26, 2022
morwn closed this as completed in #78 Jul 31, 2022
krol3 (Author) commented Aug 21, 2022

Hi @morwn, what about the output of this new SLSA report?
How can I see in the output whether it's following the SLSA level, i.e. "slsa_level": [1,2,3,4]?

Currently the output is like this:

chain-bench version 0.1.3

 2.3.1    Ensure all build steps are defined as code                                                      Passed
 2.3.5    Ensure access to the build process's triggering is minimized                                    Unknown   Organization is not fetched
 2.3.7    Ensure pipelines are automatically scanned for vulnerabilities                                  Passed
 2.3.8    Ensure scanners are in place to identify and prevent sensitive data in pipeline files           Failed    Repository is not scanned for secrets
 2.4.2    Ensure all external dependencies used in the build process are locked                           Failed    6 task(s) are not pinned
 2.4.6    Ensure pipeline steps produce an SBOM                                                           Failed    2 pipeline(s) contain a build job without SBOM generation
 3.1.7    Ensure dependencies are pinned to a specific, verified version                                  Failed    6 dependencies are not pinned
 3.2.2    Ensure packages are automatically scanned for known vulnerabilities                             Passed
 3.2.3    Ensure packages are automatically scanned for license implications                              Passed
 4.2.3    Ensure user's access to the package registry utilizes MFA                                       Unknown   Registry is not fetched
 4.2.5    Ensure anonymous access to artifacts is revoked                                                 Unknown   Registry is not fetched
 4.3.4    Ensure webhooks of the package registry are secured                                             Passed
-------- ----------------------------------------------------------------------------------------------- --------- -----------------------------------------------------------
 Total Passed Rules: 9 out of 26
2022-08-21 16:49:18 INF Scan completed: 4s
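
As an added worked example (not chain-bench's code and not from any participant in this thread): a small Go program that parses the tabular output pasted above, annotates every check with a SLSA level and reports the highest level for which all mapped checks passed, which is the kind of per-check and per-level view the question asks for. The check-to-level mapping in `slsaLevel`, the function names `ParseReport`, `AnnotateSLSA` and `AssessSLSA`, and the rule that a level with no mapped checks passes vacuously are assumptions made for illustration; the real per-check metadata added to chain-bench in #78 is not reproduced here and may differ.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleOutput is constructed from the chain-bench 0.1.3 output pasted in the
// comment above (rows copied verbatim; the rule line is omitted).
const sampleOutput = `chain-bench version 0.1.3

 2.3.1    Ensure all build steps are defined as code                                              Passed
 2.3.5    Ensure access to the build process's triggering is minimized                            Unknown   Organization is not fetched
 2.3.7    Ensure pipelines are automatically scanned for vulnerabilities                          Passed
 2.3.8    Ensure scanners are in place to identify and prevent sensitive data in pipeline files   Failed    Repository is not scanned for secrets
 2.4.2    Ensure all external dependencies used in the build process are locked                   Failed    6 task(s) are not pinned
 2.4.6    Ensure pipeline steps produce an SBOM                                                   Failed    2 pipeline(s) contain a build job without SBOM generation
 3.1.7    Ensure dependencies are pinned to a specific, verified version                          Failed    6 dependencies are not pinned
 3.2.2    Ensure packages are automatically scanned for known vulnerabilities                     Passed
 3.2.3    Ensure packages are automatically scanned for license implications                      Passed
 4.2.3    Ensure user's access to the package registry utilizes MFA                               Unknown   Registry is not fetched
 4.2.5    Ensure anonymous access to artifacts is revoked                                         Unknown   Registry is not fetched
 4.3.4    Ensure webhooks of the package registry are secured                                     Passed
 Total Passed Rules: 9 out of 26
2022-08-21 16:49:18 INF Scan completed: 4s`

// CheckResult is one row of chain-bench's tabular output.
type CheckResult struct {
	ID, Title, Status, Reason string // Status is Passed, Failed or Unknown
}

// rowRe matches one row: ID, title, status and an optional reason, separated
// by runs of at least two spaces as the tool prints them.
var rowRe = regexp.MustCompile(`^\s*(\d+(?:\.\d+)+)\s+(.+?)\s{2,}(Passed|Failed|Unknown)(?:\s{2,}(.*?))?\s*$`)

// ParseReport extracts check rows, ignoring the banner, totals and log lines.
func ParseReport(raw string) []CheckResult {
	var rows []CheckResult
	for _, line := range strings.Split(raw, "\n") {
		if m := rowRe.FindStringSubmatch(line); m != nil {
			rows = append(rows, CheckResult{ID: m[1], Title: m[2], Status: m[3], Reason: m[4]})
		}
	}
	return rows
}

// slsaLevel is a HYPOTHETICAL mapping from check IDs to the SLSA v0.1 level the
// check would evidence. It is an assumption for this example, not chain-bench's
// real per-check metadata.
var slsaLevel = map[string]int{
	"2.3.1": 3, // build steps defined as code     ~ "Build as code" (SLSA 3)
	"2.3.5": 4, // minimized triggering access     ~ common "Access" (SLSA 4)
	"2.4.2": 4, // external build deps locked      ~ "Hermetic" (SLSA 4)
	"3.1.7": 4, // deps pinned to a verified version ~ "Hermetic" (SLSA 4)
}

// AnnotateSLSA renders each row with an extra column naming the mapped SLSA
// level ("-" for checks outside the mapping).
func AnnotateSLSA(rows []CheckResult) []string {
	out := make([]string, 0, len(rows))
	for _, r := range rows {
		lvl := "-"
		if n, ok := slsaLevel[r.ID]; ok {
			lvl = fmt.Sprintf("SLSA %d", n)
		}
		out = append(out, fmt.Sprintf("%-8s %-6s %-9s %s", r.ID, lvl, r.Status, r.Title))
	}
	return out
}

// AssessSLSA returns the highest level (0..4) whose mapped checks, and those of
// every lower level, all Passed, plus the checks blocking the next level.
// Unknown counts as not met: a requirement you could not verify is no evidence
// for a level. A level with no mapped checks passes vacuously, which is only
// tolerable because this mapping is a placeholder.
func AssessSLSA(rows []CheckResult) (int, []string) {
	status := map[string]string{}
	for _, r := range rows {
		status[r.ID] = r.Status
	}
	for lvl := 1; lvl <= 4; lvl++ {
		var blockers []string
		for id, need := range slsaLevel {
			if need != lvl || status[id] == "Passed" {
				continue
			}
			s := status[id]
			if s == "" {
				s = "not run" // mapped check absent from this scan's output
			}
			blockers = append(blockers, fmt.Sprintf("%s (%s)", id, s))
		}
		if len(blockers) > 0 {
			sort.Strings(blockers) // map iteration order is random
			return lvl - 1, blockers
		}
	}
	return 4, nil
}

func main() {
	rows := ParseReport(sampleOutput)
	for _, l := range AnnotateSLSA(rows) {
		fmt.Println(l)
	}
	lvl, blockers := AssessSLSA(rows)
	if blockers == nil {
		fmt.Printf("All mapped checks passed: SLSA %d evidenced\n", lvl)
		return
	}
	fmt.Printf("Highest SLSA level evidenced: %d; blocking level %d: %v\n", lvl, lvl+1, blockers)
}
```

Two design points worth keeping whatever the real mapping looks like: an Unknown result (registry or organization not fetched) must never count toward a level, because "could not check" is not "checked and passed"; and a level should be reported as met only when every requirement at and below it has evidence, so the report cannot claim SLSA 4 on the strength of one passing check.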

morwn (Collaborator) commented Aug 25, 2022

The actual reporting UI will be implemented soon.

morwn reopened this Aug 25, 2022