slsa-verifier
Verify provenance from SLSA compliant builders
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| gcr.io/distroless/base | final | digest | `53745e9` -> `e5260be` |

---

### Configuration...
Fixes https://github.com/slsa-framework/slsa-verifier/security/code-scanning/11

markdown-toc's latest v1.2.0 is still vulnerable via a transitive dependency, but hasn't received updates in a long time. This PR overrides one of the other transitive dependencies to...
This is currently not possible but will land once the Fulcio claims have been standardized
**Describe the bug**
Improve repository's OpenSSF Scorecard score (currently at 6.5)

**To Reproduce**
`docker run -e GITHUB_AUTH_TOKEN gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/slsa-framework/slsa-verifier --format=json > scorecard_slsa-framework_slsa-verifier.json`

**Expected behavior**
- Branch Protections could be...
Similar to how the GCB provenances are fully parsed with a struct, we should do the same for Github Actions Provenances - https://github.com/slsa-framework/slsa-verifier/blob/9b5430ffbf9646e9a3b2bc0188c74e7c42137644/verifiers/internal/gcb/provenance.go#L25-L26 Part of the reason we don't already...
Addresses #161, and follow-up to #768

This PR replaces all `fmt` print statements with `log/slog` logs at appropriate levels.

For successes:

```
2024/05/17 17:43:33 INFO Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@refs/tags/v1.6.0...
```
Following #768

For folks using slsa-verifier as a library, it could be useful to export the mocks we already have for the TUF client `newMockSigstoreTUFClient`, and its implementation for `GetTarget`....
The generic provenance will let users add provenance to their container images. We need an option `--oci-path` (or something to this effect) to support it. We can start simple by...
To prevent rate limiting on public good.
Looking at this https://github.com/slsa-framework/slsa-github-generator/blob/773c7d7a4381a2db9de497319c3b293c6f148421/.github/actions/generate-builder/action.yml#L54, which points to slsa-verifier `v1.1.1` as the SHA `f92fc4e571949c796d7709bb3f0814a733124b0155e484fad095b5ca68b4cb21`, I tried to confirm the SHA and I am doing this on my darwin

1. Checkout at...
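The check the reporter above is attempting, written out as an added example (this is not code from the slsa-verifier project or from the issue author): compare a downloaded binary's SHA-256 against a digest pinned in a workflow, in a way that works on darwin, where `sha256sum` is usually absent and `shasum -a 256` is the available tool. The demo file and its digest are constructed for illustration (the digest is that of the bytes `hello\n`), not a slsa-verifier release; substitute the downloaded binary and the pinned digest from `action.yml` when using it for real.

```shell
#!/bin/sh
# Added example, not slsa-verifier project code: verify a release binary's
# SHA-256 against a pinned digest on Linux (sha256sum) or macOS (shasum).

# Print the lowercase hex SHA-256 of file $1 using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    # Last resort: openssl prints "SHA256(file)= <hex>".
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# Return 0 when file $1 hashes to expected digest $2 (compared case-insensitively),
# 1 otherwise. Callers should refuse to run the binary on a non-zero return.
verify_sha256() {
  actual=$(sha256_of "$1") || return 1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# Constructed demo input standing in for the downloaded release binary.
# The digest is that of the bytes "hello\n", not of any slsa-verifier release.
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
demo_digest=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

if verify_sha256 "$demo_file" "$demo_digest"; then
  echo "OK: digest matches, safe to proceed"
else
  echo "MISMATCH: refusing to use this binary" >&2
fi
rm -f "$demo_file"
```

`shasum -a 256` and `sha256sum` print the same hex digest for the same bytes; a mismatch against the pinned value means either a different file (wrong tag, wrong platform build, or a tampered download) or a stale pin in the workflow, and in either case the binary should not be trusted until the discrepancy is explained.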