
Design expression of Baseline conformance

Open funnelfiasco opened this issue 10 months ago • 4 comments

As discussed in today's SIG meeting, we discussed the need to have a manual Baseline attestation predicate:

  • While we’re waiting for tools to support automated scanning and reports we should probably have some mechanism.
  • You can’t hold an automated tool accountable; you can hold a human accountable.
  • Even with automated tooling, a human needs to sign off on the conformance to Baseline.
  • We need some sort of manual attestation format (e.g. an in-toto attestation with some evidence or points to some evidence)

@mlieberman85 and @evankanderson volunteered to draft this.

funnelfiasco avatar Apr 29 '25 15:04 funnelfiasco
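To make the fourth bullet concrete, here is an added example (not code from the issue, the SIG, or the linked draft) of what a manual Baseline attestation could look like as an in-toto Statement, together with the shape checks a consumer would run before trusting it. The `_type` value is the real in-toto Statement v1 type; the `predicateType` URI, the control IDs, the evidence URIs and the attestor identity are all placeholders invented for this example. The one policy rule it enforces is the point raised in the thread about accountability: the statement must name a human attestor, and any control marked `pass` must point at evidence.

```python
import hashlib
import json
from datetime import datetime, timezone

# Real in-toto Statement type; the predicate type below is a placeholder
# invented for this example, not an identifier the SIG has adopted.
IN_TOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
BASELINE_PREDICATE_TYPE = "https://example.invalid/osps-baseline/manual-attestation/v0"
ALLOWED_STATUS = {"pass", "fail", "not-applicable"}


def build_statement(subject_name, subject_bytes, attestor_id, level, controls):
    """Wrap a manual Baseline review in an in-toto Statement.

    subject_bytes is the artifact or source snapshot being attested; its
    sha256 becomes the subject digest so the claim is bound to one revision.
    controls is a list of dicts: {"id", "status", "evidence": [uris], "notes"}.
    """
    digest = hashlib.sha256(subject_bytes).hexdigest()
    return {
        "_type": IN_TOTO_STATEMENT_TYPE,
        "subject": [{"name": subject_name, "digest": {"sha256": digest}}],
        "predicateType": BASELINE_PREDICATE_TYPE,
        "predicate": {
            "baselineLevel": level,
            "attestor": {"id": attestor_id},  # the human who signs off
            "reviewedAt": datetime.now(timezone.utc).isoformat(),
            "controls": controls,
        },
    }


def validate_statement(statement):
    """Return a list of problems; an empty list means the shape checks pass.

    The key policy check is that every control marked "pass" cites at least
    one piece of evidence, so a later auditor can trace the claim rather
    than take the attestor's word for it.
    """
    problems = []
    if statement.get("_type") != IN_TOTO_STATEMENT_TYPE:
        problems.append("wrong _type")
    subjects = statement.get("subject") or []
    if not subjects:
        problems.append("no subject")
    for s in subjects:
        sha = (s.get("digest") or {}).get("sha256", "")
        if not s.get("name") or len(sha) != 64:
            problems.append("subject missing name or sha256 digest")
    if statement.get("predicateType") != BASELINE_PREDICATE_TYPE:
        problems.append("unexpected predicateType")
    pred = statement.get("predicate") or {}
    if not (pred.get("attestor") or {}).get("id"):
        problems.append("attestor id missing: no accountable human")
    controls = pred.get("controls") or []
    if not controls:
        problems.append("no controls listed")
    for c in controls:
        cid = c.get("id", "<unknown>")
        if c.get("status") not in ALLOWED_STATUS:
            problems.append(f"{cid}: invalid status {c.get('status')!r}")
        if c.get("status") == "pass" and not c.get("evidence"):
            problems.append(f"{cid}: pass claimed without evidence")
    return problems


def summarize(statement):
    """Count controls by status, e.g. {"pass": 2, "fail": 1}."""
    counts = {}
    for c in statement["predicate"]["controls"]:
        counts[c["status"]] = counts.get(c["status"], 0) + 1
    return counts


# Constructed sample: control IDs, URIs and the attestor are made up.
SAMPLE_CONTROLS = [
    {"id": "OSPS-EXAMPLE-01", "status": "pass",
     "evidence": ["https://example.invalid/repo/settings/branch-protection"]},
    {"id": "OSPS-EXAMPLE-02", "status": "pass",
     "evidence": ["https://example.invalid/repo/blob/main/SECURITY.md"]},
    {"id": "OSPS-EXAMPLE-03", "status": "fail", "evidence": [],
     "notes": "no signed releases yet"},
]


def sample_statement():
    return build_statement(
        subject_name="example-project@v1.2.3",
        subject_bytes=b"constructed release tarball contents",
        attestor_id="mailto:reviewer@example.invalid",
        level=1,
        controls=SAMPLE_CONTROLS,
    )


if __name__ == "__main__":
    stmt = sample_statement()
    print(json.dumps(stmt, indent=2))
    print("problems:", validate_statement(stmt))
    print("summary:", summarize(stmt))
```

The Statement is deliberately unsigned here; in practice it would be wrapped in a DSSE envelope and signed by the attestor so that the accountability the thread asks for is cryptographically bound to a person, and the `sha256` subject digest ties the sign-off to one specific revision rather than to the project in general.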

Work in progress in https://docs.google.com/document/d/16zwe3eNwExvnaXLDUrkGNineZzB0r8arKE3G-cvNU0E/edit?tab=t.0#heading=h.ot23pst4vj3e

trumant avatar Apr 29 '25 17:04 trumant

I like the doc very much. Should we make this one of our agenda items for the next SIG call to talk through/debate and see if we can get consensus to move forward on a path (e.g. incorporate into our docs/methodology)?

SecurityCRob avatar May 09 '25 13:05 SecurityCRob

It's now on Tuesday's agenda!

funnelfiasco avatar May 09 '25 13:05 funnelfiasco

Some more related work on this topic can be found in https://github.com/trumant/assessment-attestation-example/pull/1

trumant avatar May 13 '25 14:05 trumant