aquasecurity / chain-bench

An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
Apache License 2.0

Code signing #64

Open krol3 opened 2 years ago

krol3 commented 2 years ago

Does chain-bench recognize code signing tools like sigstore (cosign, fulcio, rekor)?

morwn commented 2 years ago

Hi @krol3, thank you for your feedback. Chain-bench can easily implement a pipeline instructor for signing 2.4.1.


We already implement a parser for the pipeline steps and have shared functionality to validate against a few actions, as you can see here.

We would welcome and love to get this contribution. Let me know if you wish to push it.

Mor
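The approach morwn describes (walk the parsed pipeline steps and match them against known actions or commands) can be sketched in Go, chain-bench's own language. The block below is an added example and is not chain-bench code or the contribution discussed in this issue: the line-based workflow scanner, the `Step`/`Finding` types, the `signingActions`/`installerActions` lists and the two sample workflows are all constructed for illustration and do not use chain-bench's internal parser or its action list. It flags a step as signing evidence only when it either uses an action that signs on its own or actually runs `cosign sign`, `sign-blob` or `attest`; a step that merely installs cosign is reported separately, because provisioning the tool is not proof that anything was signed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Step is the subset of a GitHub Actions step this check looks at.
type Step struct {
	Name string
	Uses string
	Run  string
}

// Finding explains why a step counts as evidence that the pipeline signs artifacts.
type Finding struct {
	Step   int
	Reason string
}

// Assumed lists for this example (not chain-bench's). Actions that perform signing
// themselves, versus actions that only provision a signing tool.
var signingActions = map[string]bool{"sigstore/gh-action-sigstore-python": true}
var installerActions = map[string]bool{"sigstore/cosign-installer": true}

// Shell invocations that produce a signature or attestation. `cosign verify` is
// deliberately excluded: verifying someone else's signature is not signing.
var signingCommand = regexp.MustCompile(`(^|[\s;&|])cosign\s+(sign|sign-blob|attest|attest-blob)(\s|$)`)

func indentOf(line string) int { return len(line) - len(strings.TrimLeft(line, " ")) }

// parseSteps extracts name/uses/run from every step under a `steps:` key. It is a
// small line-based scanner written for this example, not a full YAML parser: a new
// step starts at each "- " item, and `run: |` block bodies are collected until the
// indentation drops back to the key's level.
func parseSteps(workflow string) []Step {
	var steps []Step
	inSteps, stepsIndent := false, 0
	inRun, runIndent := false, 0
	for _, line := range strings.Split(workflow, "\n") {
		indent, trimmed := indentOf(line), strings.TrimSpace(line)
		if inRun {
			if trimmed == "" || indent > runIndent {
				steps[len(steps)-1].Run += trimmed + "\n"
				continue
			}
			inRun = false
		}
		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
			continue
		}
		if !inSteps {
			if trimmed == "steps:" {
				inSteps, stepsIndent = true, indent
			}
			continue
		}
		if indent <= stepsIndent { // left the steps list (next job, etc.)
			inSteps = false
			continue
		}
		if strings.HasPrefix(trimmed, "- ") {
			steps = append(steps, Step{})
			trimmed = strings.TrimSpace(trimmed[2:])
		}
		key, val, ok := strings.Cut(trimmed, ":")
		if !ok || len(steps) == 0 {
			continue
		}
		val = strings.TrimSpace(val)
		cur := &steps[len(steps)-1]
		switch key {
		case "name":
			cur.Name = val
		case "uses":
			cur.Uses = val
		case "run":
			if strings.HasPrefix(val, "|") || strings.HasPrefix(val, ">") {
				inRun, runIndent = true, indent // block scalar follows
			} else {
				cur.Run = val
			}
		}
	}
	return steps
}

// findSigningSteps returns the steps that sign: a signing action, or a run command
// matching signingCommand. Installer-only steps are intentionally not findings.
func findSigningSteps(steps []Step) []Finding {
	var out []Finding
	for i, s := range steps {
		action, _, _ := strings.Cut(s.Uses, "@") // drop the version ref
		if signingActions[action] {
			out = append(out, Finding{i, "uses signing action " + action})
		}
		if m := signingCommand.FindString(s.Run); m != "" {
			out = append(out, Finding{i, "runs " + strings.TrimSpace(m)})
		}
	}
	return out
}

// hasInstaller reports whether a signing tool is provisioned at all; useful as a
// "tool present but never used" warning, never as a pass on its own.
func hasInstaller(steps []Step) bool {
	for _, s := range steps {
		action, _, _ := strings.Cut(s.Uses, "@")
		if installerActions[action] {
			return true
		}
	}
	return false
}

// PipelineSignsArtifacts is the check itself: pass only with concrete signing evidence.
func PipelineSignsArtifacts(workflow string) (bool, []Finding) {
	f := findSigningSteps(parseSteps(workflow))
	return len(f) > 0, f
}

// Constructed sample (not from any real repository): installs cosign and signs the
// pushed image with keyless signing.
const signedWorkflow = `name: release
on:
  push:
    tags:
      - "v*"
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      packages: write
    steps:
      - uses: actions/checkout@v4
      - uses: sigstore/cosign-installer@v3
      - name: Build and push
        run: docker build -t ghcr.io/example/app:${{ github.sha }} . && docker push ghcr.io/example/app:${{ github.sha }}
      - name: Sign image
        run: |
          cosign sign --yes ghcr.io/example/app:${{ github.sha }}
`

// Constructed sample: cosign is installed but only ever verifies, so nothing is signed.
const installOnlyWorkflow = `name: ci
on:
  push:
    branches:
      - main
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: sigstore/cosign-installer@v3
      - name: Verify base image
        run: cosign verify --key cosign.pub ghcr.io/example/base:latest
`

func main() {
	for _, wf := range []string{signedWorkflow, installOnlyWorkflow} {
		ok, findings := PipelineSignsArtifacts(wf)
		fmt.Printf("signs artifacts: %v, installer present: %v, findings: %v\n",
			ok, hasInstaller(parseSteps(wf)), findings)
	}
}
```

The distinction between `installerActions` and real signing evidence is the caveat a reviewer of such a check would want: `sigstore/cosign-installer` appears in many pipelines that never call `cosign sign`, so matching on the installer alone would make the control pass vacuously. A production implementation should also consider `uses: docker://...` forms and actions run via reusable workflows, which this scanner does not handle.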

krol3 commented 1 year ago

@morwn Yeah! I would like to push it! Added this validation.