Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

Linux Foundation

Verifying the Validity of Crowd-Sourced Results in Open Source Security - The Scorecard GitHub Action and Sigstore

Linux Foundation via YouTube

Overview

Explore a conference talk that delves into the Scorecard GitHub Action, a tool designed to enhance the security of open-source software projects and help users assess the safety of their dependencies. Learn about the OSSF Scorecard, an automated tool that evaluates critical security heuristics and assigns scores to various checks. Discover how the Scorecard action automatically runs on repositories when code is merged to the main branch, with results stored in the Scorecard API as crowd-sourced data. Understand the importance of result trustworthiness and the challenges posed by the action running in a GitHub workflow controlled by project maintainers. Gain insights into the implementation of integrity protection for results using Sigstore (cosign, fulcio, and rekor) to build a remote attestation mechanism. Through diagrams and code examples, examine the workflow for validating rekor results and receive practical guidance on verifying the authenticity and integrity of crowd-sourced results in the open-source community.

Syllabus

Verifying the Validity of Crowd-Sourced Results in the Open... - Naveen Srinivasan & Spencer Schrock

Taught by

Linux Foundation

Reviews

Start your review of Verifying the Validity of Crowd-Sourced Results in Open Source Security - The Scorecard GitHub Action and Sigstore

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.