Are SLSA levels self-assessed? #371

Closed
sbs2001 opened this issue Apr 16, 2022 · 6 comments
Labels
clarification Clarification of the spec, without changing meaning duplicate This issue or pull request already exists

Comments


sbs2001 commented Apr 16, 2022

SLSA noob here, so maybe it's a stupid question.

From reading the docs I didn't see a tool which could help with determining the SLSA level of some project. So I want to know whether folks just compare their project state with SLSA spec and determine their SLSA level.


tmsteen commented Apr 28, 2022

I am not sure there is a tool that would provide enough coverage to provide an automated assessment in a broad sense. That being said, the requirements are much more detailed than what you see from frameworks like the NIST CSF or CIS Controls.

Another option is to have an external entity attest to the alignment against SLSA requirements if self-assessment is not rigorous enough.

@nris-jingu

You may see the compliance matrix by a DevOps tool vendor. It seems to help self-assessment.

https://about.gitlab.com/solutions/supply-chain/

I think that it's difficult to assess automatically.


krol3 commented Jul 7, 2022

Hi @sbs2001! This tool could help you check some good practices in your repo. Chain-bench is a tool for auditing your software supply chain stack for security compliance, based on the new CIS Software Supply Chain benchmark.

@mlieberman85 (Member)

Sorry, this issue appears to have fallen through the cracks there. So currently SLSA is self-assessed; however, there is nothing to stop a third-party audit firm or tooling from doing the assessment for you. It's up to the consumer, though, to validate those certifications. E.g., if audit person X says that your automated assessment done via tool Y is suitable for SLSA 3 builder certification, then the end user would validate those identities and the attestations being made.

@krol3 Chain-bench is great and definitely one of the tools we've been using to hit some of the CIS stuff for another OpenSSF tool, Frsca, which should be SLSA compliant and is also an implementation of the CNCF's secure software factory ref arch. It would be cool, though, to also include SLSA requirements in the chain-bench benchmarking tool as well.
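What the consumer-side validation mentioned above looks like in code, as an added example that is not from this thread, the SLSA project or any of its tools: a builder (or an auditor's tooling) signs an in-toto statement carrying a SLSA v0.2 provenance predicate inside a DSSE envelope, and the consumer checks that the signature comes from a key it already trusts, that the builder identity is the one it expects, and that the attested subject digest matches the artifact it actually holds. The builder ID, key ID and artifact bytes are constructed placeholders, Ed25519 is assumed as the signature scheme, and the trusted public key is assumed to have been obtained out of band; the in-toto, SLSA and DSSE format identifiers are the real ones.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
)

const (
	trustedBuilderID  = "https://example.com/builders/ci@v1" // constructed placeholder
	statementType     = "https://in-toto.io/Statement/v0.1"
	slsaPredicateType = "https://slsa.dev/provenance/v0.2"
	payloadType       = "application/vnd.in-toto+json"
)

// Envelope is the DSSE wrapper: a base64 payload plus one or more signatures.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Statement is the subset of an in-toto statement with a SLSA provenance predicate
// that the consumer-side checks below need.
type Statement struct {
	Type          string    `json:"_type"`
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
	Predicate     Predicate `json:"predicate"`
}
type Predicate struct {
	Builder struct{ ID string `json:"id"` } `json:"builder"`
}

// pae is DSSE's Pre-Authentication Encoding; this, not the raw payload, is what gets signed.
func pae(pt string, payload []byte) []byte {
	return []byte("DSSEv1 " + strconv.Itoa(len(pt)) + " " + pt + " " +
		strconv.Itoa(len(payload)) + " " + string(payload))
}

func sha256Hex(b []byte) string {
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

// NewProvenance builds a statement naming one artifact and the builder claiming to have produced it.
func NewProvenance(name string, artifact []byte, builderID string) Statement {
	var s Statement
	s.Type, s.PredicateType = statementType, slsaPredicateType
	s.Subject = []Subject{{Name: name, Digest: map[string]string{"sha256": sha256Hex(artifact)}}}
	s.Predicate.Builder.ID = builderID
	return s
}

// SignProvenance stands in for the builder (or auditing tool) that signs the statement.
func SignProvenance(s Statement, priv ed25519.PrivateKey, keyID string) (Envelope, error) {
	body, err := json.Marshal(s)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, pae(payloadType, body))
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// VerifyProvenance is the consumer's job: trust is rooted in trustedKeys (obtained out of
// band), never in anything the envelope itself says about who signed it.
func VerifyProvenance(env Envelope, trustedKeys map[string]ed25519.PublicKey, artifact []byte) error {
	if env.PayloadType != payloadType {
		return fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return err
	}
	signed, ok := pae(env.PayloadType, body), false
	for _, sg := range env.Signatures {
		pub, known := trustedKeys[sg.KeyID] // unknown key IDs are simply ignored
		raw, err := base64.StdEncoding.DecodeString(sg.Sig)
		if known && err == nil && ed25519.Verify(pub, signed, raw) {
			ok = true
			break
		}
	}
	if !ok {
		return errors.New("no valid signature from a trusted key")
	}
	var s Statement
	if err := json.Unmarshal(body, &s); err != nil {
		return err
	}
	if s.Type != statementType || s.PredicateType != slsaPredicateType {
		return fmt.Errorf("unexpected statement/predicate type %q / %q", s.Type, s.PredicateType)
	}
	if s.Predicate.Builder.ID != trustedBuilderID {
		return fmt.Errorf("builder %q is not the trusted builder", s.Predicate.Builder.ID)
	}
	want := sha256Hex(artifact)
	for _, sub := range s.Subject {
		if sub.Digest["sha256"] == want {
			return nil
		}
	}
	return errors.New("artifact digest does not match any attested subject")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed artifact bytes") // stands in for a downloaded release
	env, _ := SignProvenance(NewProvenance("app.tar.gz", artifact, trustedBuilderID), priv, "builder-key-1")
	keys := map[string]ed25519.PublicKey{"builder-key-1": pub}
	fmt.Println("genuine:", VerifyProvenance(env, keys, artifact))
	fmt.Println("tampered:", VerifyProvenance(env, keys, []byte("something else")))
}
```

The order of checks matters: the signature is verified over the DSSE PAE before the payload is parsed, so an attacker cannot reach the JSON decoder or the builder/digest comparisons with unsigned data, and a statement that is correctly signed but names a different builder or a different artifact is still rejected. Production verifiers such as slsa-verifier add certificate-based identity (Sigstore) and a much richer predicate check on top of this same skeleton.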

@krol3

krol3 commented Jul 11, 2022

@mlieberman85 I opened an issue, please add your comments about this topic. aquasecurity/chain-bench#63

@MarkLodato MarkLodato added this to the SLSA spec v1.0 milestone Oct 17, 2022
@MarkLodato MarkLodato added clarification Clarification of the spec, without changing meaning and removed maybe-1.0 labels Oct 17, 2022
@MarkLodato MarkLodato removed this from the SLSA spec v1.0 milestone Oct 17, 2022
@MarkLodato MarkLodato added the duplicate This issue or pull request already exists label Oct 17, 2022
@MarkLodato (Member)

I would like to fix this for v1.0, but let's merge it with #130 and make sure that issue addresses the questions here.

@MarkLodato MarkLodato closed this as not planned (duplicate) Oct 17, 2022