laurentsimon
The (in-toto) resource descriptor in the SLSA provenance has a URI field which is required unless content / hash is present https://github.com/in-toto/attestation/blob/main/spec/v1/resource_descriptor.md https://github.com/in-toto/attestation/blob/main/spec/v1/field_types.md#ResourceURI I'd like to propose an alternative based...
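The rule this issue refers to (a ResourceDescriptor must carry at least one of `uri`, `digest` or `content`) is easy to get wrong in consumers that only look at `uri`. The following validator is an added example, not code from the in-toto project or from the issue author; it encodes the v1 ResourceDescriptor field set as I read it from the linked spec (name, uri, digest, content, downloadLocation, mediaType, annotations) and treats lowercase hex as the required form for digest values, which is an assumption about how strictly a verifier should check that field.

```python
"""Validate in-toto v1 ResourceDescriptor objects (added example, not in-toto's own code)."""
import re
from typing import Any

# Field set taken from the v1 ResourceDescriptor spec linked in the issue.
KNOWN_FIELDS = {"name", "uri", "digest", "content", "downloadLocation", "mediaType", "annotations"}
STRING_FIELDS = {"name", "uri", "content", "downloadLocation", "mediaType"}
# Assumption: digest values must be lowercase hex strings (the spec's DigestSet convention).
HEX_RE = re.compile(r"^[0-9a-f]+$")


def validate_resource_descriptor(rd: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the descriptor is acceptable.

    The key check is the one the issue discusses: `uri` is optional only when
    `digest` or `content` identifies the resource instead.
    """
    problems: list[str] = []
    if not isinstance(rd, dict):
        return ["resource descriptor must be a JSON object"]

    for field in STRING_FIELDS:
        if field in rd and not isinstance(rd[field], str):
            problems.append(f"{field} must be a string")

    has_uri = isinstance(rd.get("uri"), str) and rd["uri"] != ""
    has_digest = isinstance(rd.get("digest"), dict) and len(rd["digest"]) > 0
    has_content = isinstance(rd.get("content"), str) and rd["content"] != ""
    if not (has_uri or has_digest or has_content):
        problems.append("one of uri, digest or content is required")

    if "digest" in rd:
        if not isinstance(rd["digest"], dict):
            problems.append("digest must be an object mapping algorithm to value")
        else:
            for alg, value in rd["digest"].items():
                if not isinstance(value, str) or not HEX_RE.fullmatch(value):
                    problems.append(f"digest[{alg}] must be lowercase hex")

    if "annotations" in rd and not isinstance(rd["annotations"], dict):
        problems.append("annotations must be an object")

    for key in rd:
        if key not in KNOWN_FIELDS:
            problems.append(f"unknown field {key}")
    return problems


if __name__ == "__main__":
    # Constructed sample descriptors: one identified by uri, one by digest only, one by nothing.
    samples = [
        {"uri": "pkg:npm/example@1.0.0"},
        {"name": "artifact.tar.gz", "digest": {"sha256": "ab" * 32}},
        {"name": "orphan"},
    ]
    for s in samples:
        print(s, "->", validate_resource_descriptor(s) or "ok")
```

A consumer that rejects descriptors with an empty `uri` outright would wrongly reject the second sample, which is exactly the case the spec permits.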
The resource_uri is currently a purl, but there is no guidance on how to construct it. It would be useful to provide better guidance for it. A few things to...
Is there a particular file extension recommended for VSAs?
There is clarification that may be useful w.r.t ResolvedDependencies. IIUC, the field lists dependencies of the build, not the builder. ### Question 1 It's unclear whether the field is forgeable...
A few observations while reading the specs: 1. We don't have a definition of all the terms we're using. What's a build process? What's a build platform? We use terms...
It's possible for an attacker to ask a trusted builder (https://github.com/slsa-framework/slsa/issues/515) to build a source repo at a commit sha of their choice. This means that merely verifying the source...
Npm has support for SLSA provenance. We should improve the check to check for provenance for the corresponding package, if possible - rather than only looking at GitHub releases. I...
The probes (experimental) currently need to belong to a check to be run. What if users need probes that don't fit into a check? Do we create a new check?...
See https://github.com/ossf/scorecard/issues/1031#issuecomment-969117938 (Additional long-term improvements are in https://github.com/ossf/scorecard/issues/966#issuecomment-915598041) We would like to give more points to repos that run SAST before merging code, i.e. on pull_request event. FYI, cron-scheduled runs...
We want to give developers the ability to ignore certain files when applying the score policy. We can add this in the scorecard action.