YoVDO

Verifying the Validity of Crowd-Sourced Results in Open Source Security - The Scorecard GitHub Action and Sigstore

Offered By: Linux Foundation via YouTube

Tags

Software Supply Chain Security Courses Sigstore Courses Remote Attestation Courses

Course Description

Overview

Save Big on Coursera Plus. 7,000+ courses at $160 off. Limited Time Only!
Explore a conference talk that delves into the Scorecard GitHub Action, a tool designed to enhance the security of open-source software projects and help users assess the safety of their dependencies. Learn about the OSSF Scorecard, an automated tool that evaluates critical security heuristics and assigns scores to various checks. Discover how the Scorecard action automatically runs on repositories when code is merged to the main branch, with results stored in the Scorecard API as crowd-sourced data. Understand the importance of result trustworthiness and the challenges posed by the action running in a GitHub workflow controlled by project maintainers. Gain insights into the implementation of integrity protection for results using Sigstore (cosign, fulcio, and rekor) to build a remote attestation mechanism. Through diagrams and code examples, examine the workflow for validating rekor results and receive practical guidance on verifying the authenticity and integrity of crowd-sourced results in the open-source community.

Syllabus

Verifying the Validity of Crowd-Sourced Results in the Open... - Naveen Srinivasan & Spencer Schrock


Taught by

Linux Foundation

Tags

Related Courses

Securing Your Software Supply Chain with Sigstore
Linux Foundation via edX
Hands-on Introduction to Sigstore - Securing the Software Supply Chain
Rawkode Academy via YouTube
Protecting the World's Greatest Open Source Ecosystem with Sigstore
Devoxx via YouTube
PGP vs Sigstore - The Match at Maven Central
Devoxx via YouTube
Securing Your Infrastructure as Code Pipeline
Linux Foundation via YouTube