initiatives#286
Conversation
✅ Deploy Preview for scribe-security ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
|
||
| Note that in this case `valint` filtered out `SSDF-IMAGE` rules because it wasn't provided with the right target. | ||
|
|
||
| ### Whole initiative verification |
There was a problem hiding this comment.
Maybe we should include a paragraph to explain how to require a initiative evidence be signed and the resulted table showcasing the signed evidence verification.
There was a problem hiding this comment.
I explain it in the Reading the Results section and also in the configuratino field description, do you think it's not enough?
Comment has been resolved by Viktor Kartashovdn left a comment: "Released binaries must be built by Azure DevOps from a specific git repository and have unsigned SLSA provenance." please remove. the thumb rule is 3 examples, and this one is complicated and not realistic. Browser metadata |
…gen_docs initiatives gen docs
There was a problem hiding this comment.
Pull Request Overview
This PR introduces a large set of new documentation pages that detail various security policy rules and initiatives for Scribe. Key changes include:
- New rule documentation for multiple platforms (Bitbucket, GitHub, GitLab, Jenkins, etc.) with usage examples, mitigation strategies, and evidence requirements.
- Updates to Scribe API-based rules and initiatives, including a blueprint for secure pipelines.
- An updated initiatives index that organizes these new documents.
Reviewed Changes
Copilot reviewed 229 out of 236 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| docs/configuration/initiatives/rules/bitbucket/project/allow-admins.md | New rule doc for allowed Bitbucket project admins |
| docs/configuration/initiatives/rules/bitbucket/repository/allow-admins.md | New rule doc for allowed Bitbucket repository admins |
| docs/configuration/initiatives/rules/bitbucket/repository/allow-users.md | New rule doc for allowed Bitbucket repository users |
| docs/configuration/initiatives/rules/bitbucket/project/allow-users.md | New rule doc for allowed Bitbucket project users |
| docs/configuration/initiatives/rules/api/scribe-api-cve-product.md | New rule doc for Scribe API CVE product verification |
| docs/configuration/initiatives/rules/bitbucket/project/long-live-tokens.md | New rule doc for Bitbucket project token expiration controls |
| docs/configuration/initiatives/rules/api/scribe-api-cve.md | New rule doc for Scribe API CVE vulnerability verification |
| docs/configuration/initiatives/rules/bitbucket/project/exposed-credentials.md | New rule doc for preventing exposed credentials in Bitbucket projects |
| docs/configuration/initiatives/rules/bitbucket/repository/branch-protection.md | New rule doc for branch protection in Bitbucket repositories |
| docs/configuration/initiatives/index.md | Updated initiatives index for organizing documentation |
| docs/configuration/initiatives/rules/api/scribe-api-published.md | New rule doc for Scribe Published Policy |
| docs/configuration/initiatives/bp1.md | New blueprint for secure pipelines initiative documentation |
| docs/configuration/initiatives/rules/api/scribe-api.md | New rule doc for applying the Scribe API template policy |
Files not reviewed (7)
- docs/configuration/category.json: Language not supported
- docs/configuration/initiatives/category.json: Language not supported
- docs/configuration/initiatives/rules/category.json: Language not supported
- docs/configuration/initiatives/rules/api/category.json: Language not supported
- docs/configuration/initiatives/rules/bitbucket/category.json: Language not supported
- docs/configuration/initiatives/rules/bitbucket/project/category.json: Language not supported
- docs/configuration/initiatives/rules/bitbucket/repository/category.json: Language not supported
| Ensure that all critical or high severity vulnerabilities are addressed before delivering the product. | ||
|
|
There was a problem hiding this comment.
The mitigation text does not match the rule's purpose, which is to verify that the image Scribe Publish flag is set. Please update the mitigation to align with the rule description.
| Ensure that all critical or high severity vulnerabilities are addressed before delivering the product. | |
| Ensure that the Scribe Publish flag is set for all container images before delivering the product. |
…ience cosign update
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…t.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
(attempt to fix broken build) This reverts commit 51c646e.
This pull request introduces a new documentation section for configuration and initiatives, including a comprehensive guide for securing software pipelines. The key changes are the addition of new category files and detailed documentation for a secure pipeline blueprint.
New documentation sections:
docs/configuration/_category_.json: Added a new category labeled "Configuration" with a position value.docs/configuration/initiatives/_category_.json: Added a new category labeled "Reference: Policies and Configuration Guide" with a position value.Blueprint for Secure Pipelines:
docs/configuration/initiatives/bp1.md: Added a detailed document outlining best practices and technical guidelines for securing software pipelines. This includes control descriptions, mitigations, rules, and evidence defaults.