Verifying the Validity of Crowd-Sourced Results in Open Source Security - The Scorecard GitHub Action and Sigstore

Offered By: Linux Foundation via YouTube

Tags

Software Supply Chain Security Courses Sigstore Courses Remote Attestation Courses

Course Description

Overview

Explore a conference talk that delves into the Scorecard GitHub Action, a tool designed to enhance the security of open-source software projects and help users assess the safety of their dependencies. Learn about the OSSF Scorecard, an automated tool that evaluates critical security heuristics and assigns scores to various checks. Discover how the Scorecard action automatically runs on repositories when code is merged to the main branch, with results stored in the Scorecard API as crowd-sourced data. Understand the importance of result trustworthiness and the challenges posed by the action running in a GitHub workflow controlled by project maintainers. Gain insights into the implementation of integrity protection for results using Sigstore (cosign, fulcio, and rekor) to build a remote attestation mechanism. Through diagrams and code examples, examine the workflow for validating rekor results and receive practical guidance on verifying the authenticity and integrity of crowd-sourced results in the open-source community.

Syllabus

Verifying the Validity of Crowd-Sourced Results in the Open... - Naveen Srinivasan & Spencer Schrock


Taught by

Linux Foundation
