Verifying the Validity of Crowd-Sourced Results in Open Source Security - The Scorecard GitHub Action and Sigstore
Offered By: Linux Foundation via YouTube
Course Description
Overview
Explore a conference talk that delves into the Scorecard GitHub Action, a tool designed to enhance the security of open-source software projects and help users assess the safety of their dependencies. Learn about the OSSF Scorecard, an automated tool that evaluates critical security heuristics and assigns scores to various checks. Discover how the Scorecard action automatically runs on repositories when code is merged to the main branch, with results stored in the Scorecard API as crowd-sourced data. Understand the importance of result trustworthiness and the challenges posed by the action running in a GitHub workflow controlled by project maintainers. Gain insights into the implementation of integrity protection for results using Sigstore (cosign, fulcio, and rekor) to build a remote attestation mechanism. Through diagrams and code examples, examine the workflow for validating rekor results and receive practical guidance on verifying the authenticity and integrity of crowd-sourced results in the open-source community.
Syllabus
Verifying the Validity of Crowd-Sourced Results in the Open... - Naveen Srinivasan & Spencer Schrock
Taught by
Linux Foundation
Tags
Related Courses
Securing Your Software Supply Chain with SigstoreLinux Foundation via edX Hands-on Introduction to Sigstore - Securing the Software Supply Chain
Rawkode Academy via YouTube Protecting the World's Greatest Open Source Ecosystem with Sigstore
Devoxx via YouTube PGP vs Sigstore - The Match at Maven Central
Devoxx via YouTube Securing Your Infrastructure as Code Pipeline
Linux Foundation via YouTube