laurentsimon

Results 1092 comments of laurentsimon

@norbjd you can tell your users your builds reach level 3. Provide an example how to verify the build with slsa-verifier in your README. You can also add a link...

There are 2 "types" of checkout:
- project checkout: these are subject to the attacks with force pushing a tag with a different hash than reported in the GitHub event....

Let's keep this issue open to keep track of hardening enhancements to checkout:
- dirty tree
- tree verification

Good call. I forgot about https://github.com/slsa-framework/slsa-github-generator/issues/626. I added a comment in https://github.com/slsa-framework/slsa-github-generator/issues/626. Closing this issue then.

I like the idea too! We already have an internal API to fetch the languages of the repo using the language API from GitHub.

@david-a-wheeler assigning to you if you don't mind.

Thanks for reaching out. We need some external feedback and validation!
> Libraries using dependency "ranges" is indeed not only a valid use case, but in most cases desirable in...

The text has been updated in our docs. We no longer check for package managers' lock files. We're thinking of a more generic solution that relies on package managers' features to...

Is there anything I can do to help with this feature?

Would the change consist of updating https://github.com/sigstore/sigstore-python/blob/main/sigstore/sign.py#L192 by allowing `input_: dsse.Statement | bytes, dsse_type: str` (where `bytes` would be the payload and `dsse_type` is the type of the payload) +...