aquasecurity / chain-bench

An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
Apache License 2.0
715 stars 62 forks

Add support to SLSA compliance #63

Open krol3 opened 2 years ago

krol3 commented 2 years ago

The chain-bench could support SLSA requirements. https://slsa.dev/spec/v0.1/requirements

morwn commented 2 years ago

Hi @krol3, I really like your idea; we will work on adding the SLSA level as part of each check's metadata soon.

In the meantime, do you have in mind any expected behavior that you wish to see when running chain-bench?

Thanks, Mor

krol3 commented 2 years ago

Hi @morwn, what about the output of this new SLSA report? How can I see in the output if it's following the SLSA level "slsa_level": [1,2,3,4]?

Currently the output is like this:

chain-bench version 0.1.3

 2.3.1    Ensure all build steps are defined as code                                                      Passed
 2.3.5    Ensure access to the build process's triggering is minimized                                    Unknown   Organization is not fetched
 2.3.7    Ensure pipelines are automatically scanned for vulnerabilities                                  Passed
 2.3.8    Ensure scanners are in place to identify and prevent sensitive data in pipeline files           Failed    Repository is not scanned for secrets
 2.4.2    Ensure all external dependencies used in the build process are locked                           Failed    6 task(s) are not pinned
 2.4.6    Ensure pipeline steps produce an SBOM                                                           Failed    2 pipeline(s) contain a build job without SBOM generation
 3.1.7    Ensure dependencies are pinned to a specific, verified version                                  Failed    6 dependencies are not pinned
 3.2.2    Ensure packages are automatically scanned for known vulnerabilities                             Passed
 3.2.3    Ensure packages are automatically scanned for license implications                              Passed
 4.2.3    Ensure user's access to the package registry utilizes MFA                                       Unknown   Registry is not fetched
 4.2.5    Ensure anonymous access to artifacts is revoked                                                 Unknown   Registry is not fetched
 4.3.4    Ensure webhooks of the package registry are secured                                             Passed
-------- ----------------------------------------------------------------------------------------------- --------- -----------------------------------------------------------
 Total Passed Rules: 9 out of 26
2022-08-21 16:49:18 INF Scan completed: 4s

morwn commented 2 years ago

The actual reporting UI will be implemented soon
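One way the requested output could look, written here as an added example in Go (chain-bench's own language) rather than code from the chain-bench project: each check result carries a list of SLSA levels at which it is required, the report prints that list as an extra column, and a summary derives the highest level whose checks all passed. The `CheckResult` type, the `SLSALevels` field and the level tags on the sample rows are assumptions made for this example; the sample rows themselves are constructed from the table pasted above, and `Unknown` results are counted as not passed so that an unfetched organization or registry can never raise the reported level.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Status mirrors the three outcomes visible in the chain-bench table above.
type Status string

const (
	Passed  Status = "Passed"
	Failed  Status = "Failed"
	Unknown Status = "Unknown"
)

// CheckResult is a hypothetical per-check record. chain-bench's real result
// type is not shown in the issue; the field names are assumed for this example.
type CheckResult struct {
	ID         string
	Name       string
	Status     Status
	Reason     string
	SLSALevels []int // SLSA levels at which this check is required (assumed metadata)
}

// LevelStats counts how many of the checks required at one SLSA level passed.
type LevelStats struct {
	Passed, Total int
}

// SampleResults returns a constructed subset of the table in the issue.
// The SLSA level tags are illustrative assumptions, not chain-bench's mapping.
func SampleResults() []CheckResult {
	return []CheckResult{
		{"2.3.1", "Ensure all build steps are defined as code", Passed, "", []int{1, 2, 3, 4}},
		{"2.3.5", "Ensure access to the build process's triggering is minimized", Unknown, "Organization is not fetched", []int{3, 4}},
		{"2.3.7", "Ensure pipelines are automatically scanned for vulnerabilities", Passed, "", []int{2, 3, 4}},
		{"2.4.2", "Ensure all external dependencies used in the build process are locked", Failed, "6 task(s) are not pinned", []int{3, 4}},
		{"2.4.6", "Ensure pipeline steps produce an SBOM", Failed, "2 pipeline(s) contain a build job without SBOM generation", []int{4}},
	}
}

// SummarizeByLevel groups results by the SLSA levels they are tagged with.
// Unknown is counted as not passed so a missing fetch never inflates a level.
func SummarizeByLevel(results []CheckResult) map[int]LevelStats {
	out := map[int]LevelStats{}
	for _, r := range results {
		for _, l := range r.SLSALevels {
			s := out[l]
			s.Total++
			if r.Status == Passed {
				s.Passed++
			}
			out[l] = s
		}
	}
	return out
}

// HighestSLSALevel returns the highest level L such that levels 1..L each have
// at least one tagged check and every check tagged at those levels passed.
// SLSA levels are cumulative, so a gap or a failure at level N stops the climb.
func HighestSLSALevel(results []CheckResult) int {
	stats := SummarizeByLevel(results)
	levels := make([]int, 0, len(stats))
	for l := range stats {
		levels = append(levels, l)
	}
	sort.Ints(levels)
	achieved := 0
	for _, l := range levels {
		if l != achieved+1 || stats[l].Passed != stats[l].Total {
			break
		}
		achieved = l
	}
	return achieved
}

// FormatRow renders one table row in the style of the existing output, with an
// extra column listing the SLSA levels the check belongs to.
func FormatRow(r CheckResult) string {
	lv := make([]string, len(r.SLSALevels))
	for i, l := range r.SLSALevels {
		lv[i] = fmt.Sprint(l)
	}
	return fmt.Sprintf(" %-8s %-70s %-9s SLSA %-8s %s", r.ID, r.Name, r.Status, strings.Join(lv, ","), r.Reason)
}

func main() {
	res := SampleResults()
	for _, r := range res {
		fmt.Println(FormatRow(r))
	}
	stats := SummarizeByLevel(res)
	for l := 1; l <= 4; l++ {
		fmt.Printf("SLSA level %d: %d/%d checks passed\n", l, stats[l].Passed, stats[l].Total)
	}
	fmt.Printf("Highest SLSA level achieved: %d\n", HighestSLSALevel(res))
}
```

With the constructed sample, levels 1 and 2 have only passing checks while level 3 includes a failed and an unknown check, so the summary reports level 2; per-level counts give the reader the "how far am I from the next level" view that a single number hides.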