laurentsimon
> Now, one major benefit of Build L3 is protection against insider threats. This brings me to this question about GitHub Actions OIDC tokens that the current generators rely on:...
> How about the provenances generated by npm CLI? As far as I understand, there is no requirement to call it from a reusable workflow. Can a project maintainer grab...
Additional tasks:
- [x] https://github.com/slsa-framework/slsa-github-generator/issues/2178
- [x] https://github.com/slsa-framework/slsa-github-generator/issues/2177
- [ ] Remove permission
- [ ] Documentation for each builder
- [ ] Regression tests in slsa-verifier
An idea could be to search for dependency files, and when we find one, look for the corresponding lock files that should live in the same folder. Everything that lives...
@asraa FYI
Thanks @mlieberman85 . A few additional things for visibility:
- [ ] BYOB framework https://github.com/slsa-framework/slsa-github-generator/milestone/11
- [ ] npm builder https://github.com/slsa-framework/slsa-github-generator/milestone/8. Will be hosted here.
- [ ] Maven builder...
Thanks for the issue. Given the description of Scorecard in https://github.com/ossf/scorecard#what-is-scorecard, I'm curious if "fork" is a best practice with a remediation for maintainers, or if the goal is mostly...
I like the idea. @spencerschrock @azeemsgoogle @naveensrinivasan wdut?
There's now an API for it: https://github.blog/changelog/2024-03-08-check-if-private-vulnerability-reporting-is-enabled-via-rest-api/ Who's interested in implementing this new probe? Could we add this probe to the security policy check maybe? Thanks @josepalafox for the info!
Scorecard already checks for workflow_run trigger + RCE https://github.com/ossf/scorecard/blob/main/checks/raw/dangerous_workflow.go#L62.