Reproduce build badge for scorecard
As part of increasing confidence that the build artifact is reproducible (and has not been tampered with during the build), would you like to add a reproducible build badge to Scorecard?
I believe the build for Scorecard is either reproducible or should be easy to make reproducible by updating the build flags.
For https://github.com/step-security/harden-runner, an issue was created to do this to increase trust in the artifact. As a result, we implemented a method to enable developers to easily reproduce the build and also reproduce it in a different environment (in GitHub Actions right now, but the plan is to reproduce in GitLab CI in the future) and compare the checksum with the released checksum.
This is what the UI looks like: https://app.stepsecurity.io/github/step-security/agent/releases/latest [Reproduced Builds section]
Please let me know if you want to set up something similar for Scorecard. If you want, I can also discuss this in a future community meeting.