sigstore / community

General sigstore community repo
Apache License 2.0

[Nominations Open] Best User Adopter Award 2022 🏆 #125

Closed tracymiranda closed 1 year ago

tracymiranda commented 2 years ago

This issue is to receive nominations for the Best User Adopter Award 2022.

This award recognizes an individual, team or organization who have adopted Sigstore to secure and protect their software, and have shared their impactful Sigstore story so that others may also learn from their journey.

To nominate someone, reply to this issue with the following:

- Full name of the person, team or organization you’re nominating
- Short description of where they use Sigstore and why they should win.

Nomination Deadline: Tuesday, September 20, 2022

More details are available here: https://github.com/sigstore/community/tree/main/awards

naveensrinivasan commented 2 years ago

Nominating OSSF Scorecard team

http://github.com/ossf/scorecard

The OpenSSF Scorecard is an automated tool that assesses several important heuristics associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve to strengthen your project's security posture.

The OpenSSF Scorecard’s GitHub Action v2 action uses GitHub OIDC with Sigstore (with Fulcio as root CA and Rekor as a transparency log) to ensure the integrity of its results.

This is going to secure millions of repositories using rekor and fulcio.

https://openssf.org/blog/2022/09/08/show-off-your-security-score-announcing-scorecards-badges

laurentsimon commented 2 years ago

This is a great idea. Scorecard is using Sigstore to enable badges and built a remote attestation system based on Sigstore + OIDC + GitHub Actions. Some of the work was presented at Open-Source Security Summit in Austin last June

asraa commented 2 years ago

SLSA GitHub Generators

https://github.com/slsa-framework/slsa-github-generator
https://github.com/slsa-framework/slsa-verifier

The SLSA GitHub Generator project hosts a collection of trusted builders that can produce SLSA Level 3 compliant provenance. It achieves this by using the isolation guarantees from reusable workflows on GitHub Actions and crucially, Sigstore OIDC signing to bind GitHub workflow identities attested by Fulcio to achieve non-falsifiable provenance.

The verifier uses Sigstore-based verification flows, verifying certificate authenticity up to Fulcio's Root CA and verifying that the entry signed was present in the Rekor log.

These tools allow GitHub developers to build on GitHub Actions as per normal flows and generate signed L3 provenance using only free GitHub tooling and Sigstore's public-good-instance. Other solutions require GCP accounts to enable GCB build provenance, or Tekton Chains, which requires Tekton.

Our Golang builders are already GA available, and we have a generic provenance attestor being used in a variety of repos, including kpt, crane, jib, and even sigstore-java!

One crucial part of our user adoption story is our contribution back to the Sigstore ecosystem. With extensive end to end testing of our flow, we were able to detect regressions and issues in Sigstore services (https://github.com/sigstore/rekor/pull/956, https://github.com/sigstore/cosign/issues/2123, https://github.com/sigstore/cosign/issues/2121, https://github.com/sigstore/cosign/pull/2058). Our work also suggested and enabled many feature enhancements as requirements to Fulcio (https://github.com/sigstore/fulcio/pull/232) and Rekor (https://github.com/sigstore/rekor/issues/838, https://github.com/sigstore/rekor/pull/761, https://github.com/sigstore/rekor/pull/793).

Reference:

cc @ianlewis @laurentsimon @kpk47 @joshuagl
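The certificate half of the verification flow described in the Scorecard and SLSA comments above (chain the Fulcio-issued certificate to a trusted root, then bind it to the expected OIDC issuer and workflow identity), written here as an added Go example; it is not code from slsa-verifier, Scorecard or Sigstore, it builds a constructed root and leaf in place of real Fulcio material, and it leaves out the Rekor inclusion check. The issuer OID 1.3.6.1.4.1.57264.1.1 is Fulcio's; reading its value as a raw string is an assumption, and the GitHub Actions issuer URL and workflow SAN in the usage are sample values.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/x509"; "crypto/x509/pkix"
	"encoding/asn1"; "fmt"; "math/big"; "net/url"; "time"
)
// OID under which Fulcio records the OIDC issuer; the workflow identity is the URI SAN.
var oidIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}
// VerifyIdentity is the certificate half of the verifier flow: chain the short-lived leaf to
// the trusted root, then pin issuer and SAN so a valid cert for another identity is rejected.
func VerifyIdentity(leaf, root *x509.Certificate, wantIssuer, wantSAN string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		CurrentTime: leaf.NotBefore.Add(time.Minute)}); err != nil { // check validity at signing time, not now
		return fmt.Errorf("chain: %w", err)
	}
	issuer := ""
	for _, e := range leaf.Extensions {
		if e.Id.Equal(oidIssuer) {
			issuer = string(e.Value) // assumption: raw issuer string, as in the v1 Fulcio extension
		}
	}
	if issuer != wantIssuer {
		return fmt.Errorf("issuer %q, want %q", issuer, wantIssuer)
	}
	for _, u := range leaf.URIs {
		if u.String() == wantSAN {
			return nil
		}
	}
	return fmt.Errorf("no SAN matching %q", wantSAN)
}
// NewTestChain builds a constructed root and Fulcio-style leaf for demonstration only.
func NewTestChain(issuer, san string) (leaf, root *x509.Certificate) {
	rk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	lk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	rt := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test root"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.Add(time.Hour)}
	rd, _ := x509.CreateCertificate(rand.Reader, rt, rt, &rk.PublicKey, rk)
	root, _ = x509.ParseCertificate(rd)
	u, _ := url.Parse(san)
	lt := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.Add(10 * time.Minute),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		URIs: []*url.URL{u}, ExtraExtensions: []pkix.Extension{{Id: oidIssuer, Value: []byte(issuer)}}}
	ld, _ := x509.CreateCertificate(rand.Reader, lt, root, &lk.PublicKey, rk)
	leaf, _ = x509.ParseCertificate(ld)
	return leaf, root
}
```

A certificate that chains correctly but names a different issuer or workflow, or one issued under an untrusted root, is rejected; those are the cases that matter when a public-good CA issues certificates to any OIDC identity.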