diff --git a/.github/workflows/gen-pdf.yml b/.github/workflows/gen-pdf.yml index 88e128c1b..8b7c6bf06 100644 --- a/.github/workflows/gen-pdf.yml +++ b/.github/workflows/gen-pdf.yml @@ -18,8 +18,13 @@ jobs: - name: build pdf run: npx docusaurus-prince-pdf -u https://scribe-security.netlify.app/docs/introducing-scribe/what-is-scribe --output scribe-guide.pdf + - name: create markdown file + run: | + pip install markitdown + markitdown scribe-guide.pdf > scribe-guide.md + - name: upload artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4.6.0 with: - name: scribe-guide-pdf - path: scribe-guide.pdf + name: scribe-guide + path: scribe-guide.* diff --git a/docs/integrating-scribe/ci-integrations/azure.md b/docs/integrating-scribe/ci-integrations/azure.md index d92d186c7..ad2f5e14a 100644 --- a/docs/integrating-scribe/ci-integrations/azure.md +++ b/docs/integrating-scribe/ci-integrations/azure.md @@ -9,13 +9,11 @@ Use the following instructions to integrate your Azure pipelines with Scribe. ### Installation **[Valint-task](https://marketplace.visualstudio.com/items?itemName=ScribeSecurity.valint-cli)** Can be found in Azure marketplace.
Follow **[install-an-extension](https://learn.microsoft.com/en-us/azure/devops/marketplace/install-extension?view=azure-devops&tabs=browser#install-an-extension)** to add the extension to your organization.
-Once you have the extension installed you can use the task in your pipeline. +Once you have the extension installed, you can use the task in your pipeline. ### 1. Obtain a Scribe Hub API Token -1. Sign in to [Scribe Hub](https://app.scribesecurity.com). If you don't have an account you can sign up for free [here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free"). - -2. Create a API token in [Scribe Hub > Settings > Tokens](https://app.scribesecurity.com/settings/tokens). Copy it to a safe temporary notepad until you complete the integration. +Create an API token in [Scribe Hub > Account > Tokens](https://app.scribesecurity.com/account/tokens). Copy it to a safe temporary notepad until you complete the integration. :::note Important The token is a secret and will not be accessible from the UI after you finalize the token generation. @@ -35,7 +33,7 @@ Add the Scribe Hub API token as SCRIBE_TOKEN to your Azure environment by follow #### Basic example Generate an SBOM of an image built in the pipeline by adding a step to call Valint at the end of the build. -In your Azure DevOps project make sure you have a file named `azure-pipelines.yml` and add the following steps to it after the build step: +In your Azure DevOps project, make sure you have a file named `azure-pipelines.yml` and add the following steps to it after the build step: ```yaml - job: scribe_azure_job @@ -166,7 +164,7 @@ jobs:
- Generate SLSA provenance for for an image built with local docker + Generate SLSA provenance for an image built with local docker ```YAML - task: ValintCli@2 @@ -183,7 +181,7 @@ jobs:
Generate an SBOM for an image in a private registry -> Add a `docker login` task before the adding the following task: +> Add a `docker login` task before adding the following task: ```YAML - task: ValintCli@2 @@ -200,7 +198,7 @@ jobs:
Generate SLSA provenance for an image in a private registry -> Before the following task add a `docker login` task +> Before the following task, add a `docker login` task ```YAML - task: ValintCli@2 @@ -489,9 +487,9 @@ Create SBOM for remote `busybox:latest` image.
OCI Evidence store -Valint supports both storage and verification flows for `attestations` and `statement` objects utilizing OCI registry as an evidence store. +Valint supports both storage and verification flows for `attestations` and `statement` objects utilizing the OCI registry as an evidence store. -Using OCI registry as an evidence store allows you to upload, download and verify evidence across your supply chain in a seamless manner. +Using the OCI registry as an evidence store allows you to upload, download, and verify evidence across your supply chain in a seamless manner. Related flags: * `oci` Enable OCI store. diff --git a/docs/integrating-scribe/ci-integrations/bitbucket.md b/docs/integrating-scribe/ci-integrations/bitbucket.md index 00288f358..1502b4c20 100644 --- a/docs/integrating-scribe/ci-integrations/bitbucket.md +++ b/docs/integrating-scribe/ci-integrations/bitbucket.md @@ -286,12 +286,11 @@ pipelines: # Scribe integration ### 1. Obtain a Scribe Hub API Token -1. Sign in to [Scribe Hub](https://app.scribesecurity.com). If you don't have an account you can sign up for free [here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free"). -2. Create an API token in [Scribe Hub > Settings > Tokens](https://app.scribesecurity.com/settings/tokens). Copy it to a safe temporary notepad until you complete the integration. +Create an API token in [Scribe Hub > Account > Tokens](https://app.scribesecurity.com/account/tokens). Copy it to a safe temporary notepad until you complete the integration. :::note Important -The token is a secret and will not be accessible from the UI after you finalize the token generation. +The token is a secret and will not be accessible from the UI after you finalize the token generation. ::: ### 2. Add the API token to the Bitbucket secrets @@ -609,4 +608,4 @@ pipelines: OCI_REPO: [oci_repo] ``` -
\ No newline at end of file +
diff --git a/docs/integrating-scribe/ci-integrations/circleci.md b/docs/integrating-scribe/ci-integrations/circleci.md index 9eede33d3..57210c2bd 100644 --- a/docs/integrating-scribe/ci-integrations/circleci.md +++ b/docs/integrating-scribe/ci-integrations/circleci.md @@ -8,10 +8,8 @@ Use the following instructions to integrate your CircleCI with Scribe. ### 1. Obtain a Scribe Hub API Token -1. Sign in to [Scribe Hub](https://app.scribesecurity.com). If you don't have an account you can sign up for free [here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free"). +Create an API token in [Scribe Hub > Account > Tokens](https://app.scribesecurity.com/account/tokens). Copy it to a safe temporary notepad until you complete the integration. -2. Create a API token in [Scribe Hub > Settings > Tokens](https://app.scribesecurity.com/settings/tokens). Copy it to a safe temporary notepad until you complete the integration. - :::note Important The token is a secret and will not be accessible from the UI after you finalize the token generation. ::: @@ -61,4 +59,4 @@ Scribe offers custom CircleCI Orbs for easier integration of CircleCI workflows ### Resources * **[CircleCI ScribeHub Orb Registry Page](https://circleci.com/orbs/registry/orb/scribe-security/orbs)** - The official registry page of the ScribeHub orb for all versions, executors, commands, and jobs described. -* **[CircleCI Orb Docs](https://circleci.com/docs/2.0/orb-intro/#section=configuration)** - Docs for using, creating, and publishing CircleCI Orbs. \ No newline at end of file +* **[CircleCI Orb Docs](https://circleci.com/docs/2.0/orb-intro/#section=configuration)** - Docs for using, creating, and publishing CircleCI Orbs. diff --git a/docs/integrating-scribe/ci-integrations/general.md b/docs/integrating-scribe/ci-integrations/general.md index 96cc5d7d1..88ec53af7 100644 --- a/docs/integrating-scribe/ci-integrations/general.md +++ b/docs/integrating-scribe/ci-integrations/general.md @@ -9,9 +9,9 @@ toc_max_heading_level: 5 Use the following instructions to integrate Scribe with your local host or with any CI platform that has no specific reference in Scribe's documentation. ### 1. Obtain a Scribe Hub API Token -1. Sign in to [Scribe Hub](https://app.scribesecurity.com). If you don't have an account you can sign up for free [here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free"). -2. Create a API token in [Scribe Hub > Settings > Tokens](https://app.scribesecurity.com/settings/tokens). Copy it to a safe temporary notepad until you complete the integration. +Create an API token in [Scribe Hub > Account > Tokens](https://app.scribesecurity.com/account/tokens). Copy it to a safe temporary notepad until you complete the integration. + :::note Important The token is a secret and will not be accessible from the UI after you finalize the token generation. ::: @@ -44,4 +44,4 @@ At the end of a build: Generate SBOM of the built image is created. $HOME/.scribe/bin/valint bom -f ``` -> To explicitly set a secret, you may use the `-P` flag. \ No newline at end of file +> To explicitly set a secret, you may use the `-P` flag. diff --git a/docs/integrating-scribe/ci-integrations/gitlabci.md b/docs/integrating-scribe/ci-integrations/gitlabci.md index 073b70923..8d16cf9c5 100644 --- a/docs/integrating-scribe/ci-integrations/gitlabci.md +++ b/docs/integrating-scribe/ci-integrations/gitlabci.md @@ -7,9 +7,8 @@ sidebar_position: 3 Use the following instructions to integrate your GitLab pipelines with Scribe. ### 1. Obtain a Scribe Hub API Token -1. Sign in to [Scribe Hub](https://app.scribesecurity.com). If you don't have an account you can sign up for free [here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free"). -2. Create a API token in [Scribe Hub > Settings > Tokens](https://app.scribesecurity.com/settings/tokens). Copy it to a safe temporary notepad until you complete the integration. +Create an API token in [Scribe Hub > Account > Tokens](https://app.scribesecurity.com/account/tokens). Copy it to a safe temporary notepad until you complete the integration. :::note Important The token is a secret and will not be accessible from the UI after you finalize the token generation. @@ -517,4 +516,4 @@ scribe-gitlab-job: > Use `gitlab` as context-type. -
\ No newline at end of file +
diff --git a/docs/integrating-scribe/ci-integrations/jenkins.md b/docs/integrating-scribe/ci-integrations/jenkins.md index c6ab39d48..c9d47f8c8 100644 --- a/docs/integrating-scribe/ci-integrations/jenkins.md +++ b/docs/integrating-scribe/ci-integrations/jenkins.md @@ -8,9 +8,8 @@ title: Integrating Scribe in your Jenkins pipeline Use the following instructions to integrate your Jenkins pipelines with Scribe. ### 1. Obtain a Scribe Hub API Token -1. Sign in to [Scribe Hub](https://app.scribesecurity.com). If you don't have an account you can sign up for free [here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free"). -2. Create an API token in [Scribe Hub > Settings > Tokens](https://app.scribesecurity.com/settings/tokens). Copy it to a safe temporary notepad until you complete the integration. +Create an API token in [Scribe Hub > Account > Tokens](https://app.scribesecurity.com/account/tokens). Copy it to a safe temporary notepad until you complete the integration. :::note Important The token is a secret and will not be accessible from the UI after you finalize the token generation. diff --git a/docs/integrating-scribe/ci-integrations/tekton.md b/docs/integrating-scribe/ci-integrations/tekton.md index ef4215b6f..e8c3cad4b 100644 --- a/docs/integrating-scribe/ci-integrations/tekton.md +++ b/docs/integrating-scribe/ci-integrations/tekton.md @@ -6,9 +6,9 @@ title: Integrating Scribe in your Tekton Pipelines Use the following instructions to integrate your Tekton pipelines with Scribe. ### 1. Obtain a Scribe Hub API Token -1. Sign in to [Scribe Hub](https://app.scribesecurity.com). If you don't have an account you can sign up for free [here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free"). -2. Create a API token in [Scribe Hub > Settings > Tokens](https://app.scribesecurity.com/settings/tokens). Copy it to a safe temporary notepad until you complete the integration. +Create an API token in [Scribe Hub > Account > Tokens](https://app.scribesecurity.com/account/tokens). Copy it to a safe temporary notepad until you complete the integration. + :::note Important The token is a secret and will not be accessible from the UI after you finalize the token generation. ::: diff --git a/docs/integrating-scribe/ci-integrations/travis.md b/docs/integrating-scribe/ci-integrations/travis.md index 60e84fc6d..3b98846bb 100644 --- a/docs/integrating-scribe/ci-integrations/travis.md +++ b/docs/integrating-scribe/ci-integrations/travis.md @@ -6,9 +6,9 @@ sidebar_position: 6 Use the following instructions to integrate your Travis CI pipelines with Scribe. ### 1. Obtain a Scribe Hub API Token -1. Sign in to [Scribe Hub](https://app.scribesecurity.com). If you don't have an account you can sign up for free [here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free"). -2. Create a API token in [Scribe Hub > Settings > Tokens](https://app.scribesecurity.com/settings/tokens). Copy it to a safe temporary notepad until you complete the integration. +Create an API token in [Scribe Hub > Account > Tokens](https://app.scribesecurity.com/account/tokens). Copy it to a safe temporary notepad until you complete the integration. + :::note Important The token is a secret and will not be accessible from the UI after you finalize the token generation. ::: diff --git a/docs/quick-start/README.md b/docs/quick-start/README.md new file mode 100644 index 000000000..74e34096a --- /dev/null +++ b/docs/quick-start/README.md @@ -0,0 +1,154 @@ +--- +sidebar_label: "Quickstart" +title: Quickstarting with a basic example +sidebar_position: 1 +toc_min_heading_level: 2 +toc_max_heading_level: 5 +--- + +# **Get Started with a Simple Example** + +This guide provides a basic example of generating a **signed SBOM** and a **signed provenance document** for your builds using **Valint,** Scribe’s CI/CD agent. + +Valint enables you to: +- Generate SBOMs +- Collect security evidence +- Perform integrity checks +- Enforce security guardrails in your build pipelines + +## **1. Set Up Your Project** +- Choose a **GitHub project** that builds container images, or fork our **[demo project](https://github.com/Scribe-public-demos/demo-project)** to get started quickly. +- Using **GitLab, Azure Pipelines, or another CI platform?** Refer to [integration guides](https://scribe-security.netlify.app/docs/integrating-scribe/ci-integrations/). + +## **2. Generate a Scribe API Token** +- Obtain your API token from **[Scribe Hub](https://app.scribesecurity.com/account/tokens?modal=openCreateTokenModal)**. +- Add it to your **GitHub secrets** as **`SCRIBE_API_TOKEN`** following [GitHub's documentation on secrets](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository). + +## **3. Modify Your Image Build Workflow** +Add the following steps to your existing **GitHub Actions workflow** (e.g., `build-image.yaml`): + +```yaml +- name: Generate signed SBOM for Docker image + uses: scribe-security/action-bom@master + permissions: + contents: read + id-token: write # Required for Sigstore signing + with: + target: your-image:tag # Replace with your actual image name and tag + product-key: My-Product + product-version: 1.0.0 + scribe-client-secret: ${{ secrets.SCRIBE_API_TOKEN }} + format: attest + +- name: Generate signed SLSA Provenance for Docker image + uses: scribe-security/action-slsa@master + permissions: + contents: read + id-token: write # Required for Sigstore signing + with: + target: your-image:tag # Replace with your actual image name and tag + product-key: My-Product + product-version: 1.0.0 + scribe-client-secret: ${{ secrets.SCRIBE_API_TOKEN }} + format: attest +``` + +### **Notes:** +- Replace **`your-image:tag`** with your actual Docker image name and tag, such as `my-app:latest`. +- This workflow can also be triggered manually in GitHub Actions. More details are available in [GitHub's documentation](https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/manually-running-a-workflow). + +## **4. View Your SBOM & Analysis, and SLSA Provenance** +- Go to **[Scribe Hub → Products](https://app.scribesecurity.com/producer-products)**. +- Select your product to review the **SBOM, security insights, and SLSA provenance** (available under the **Evidence** tab). + +--- + +# **Continue with a Discovery Example** + +This example runs a **discovery process** on your GitHub organization to map assets and security posture. + +The workflow is available on GitHub: **[GitHub Discovery Workflow](https://github.com/scribe-public/reusable-workflows/blob/main/.github/workflows/github-discovery-101)** + +### **Steps to Run the Discovery Workflow:** +1. Replace **``** with your **GitHub organization name**. +2. Provide **organization read permissions** to `GH_TOKEN` (your GitHub token). + - Generate a **Fine-Grained Personal Access Token (PAT)** with **read access** to `organization` and `repository metadata` in [GitHub Developer Settings](https://github.com/settings/tokens). + - More details are available in [GitHub's documentation](https://docs.github.com/en/enterprise-cloud@latest/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#managing-pat-access-to-your-organization). + +```yaml +name: Github-Discovery-101 + +env: + GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} + ORG_NAME: + SCRIBE_PRODUCT_NAME: Hello-GitHub-Discovery + SCRIBE_PRODUCT_VERSION: "1.0.1" + SCRIBE_TOKEN: ${{ secrets.SCRIBE_API_TOKEN }} + LOG_LEVEL: DEBUG + db.local.store_policy: replace + valint.scribe.client-secret: ${{ secrets.SCRIBE_API_TOKEN }} + +on: + workflow_dispatch: + +concurrency: + group: build-in-${{ github.ref }} + cancel-in-progress: true + +jobs: + GitHub-Discovery: + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Find five most recently active repos + run: | + curl -s -H "Authorization: token $GITHUB_TOKEN" \ + "https://api.github.com/orgs/$ORG_NAME/repos?sort=updated&per_page=5" | jq -r '.[].full_name' > repo_list.txt + cat repo_list.txt + repo_scope="--repository.mapping " + while IFS= read -r repo; do + repo_scope+="$repo::$SCRIBE_PRODUCT_NAME::$SCRIBE_PRODUCT_VERSION " + done < repo_list.txt + echo "REPO_SCOPE="$repo_scope >> $GITHUB_ENV + + - name: Generate a signed deliverable SBOM + uses: scribe-security/action-bom-cli@master + with: + target: 'git:.' + product-key: ${{ env.SCRIBE_PRODUCT_NAME }} + product-version: ${{ env.SCRIBE_PRODUCT_VERSION }} + scribe-client-secret: ${{ env.SCRIBE_TOKEN }} + components: commits,packages,files,dep + format: attest + + - name: GitHub Discover + uses: scribe-security/action-platforms@master + with: + command: discover + platform: github + args: + --${{ env.REPO_SCOPE }} + --token=${{ env.GITHUB_TOKEN }} + --url=https://api.github.com + --scope.organization=${{ env.ORG_NAME }} + --commit.skip + --scope.branch=main + --workflow.skip + --organization.mapping=scribe-security::$SCRIBE_PRODUCT_NAME::$SCRIBE_PRODUCT_VERSION +``` + +--- + +# **Next Steps** + +Additional guides for securing and managing your software supply chain: +- **[Managing SBOMs & Vulnerabilities](../../guides/manag-sbom-and-vul)** +- **[Securing Software with SLSA Framework](../../guides/secure-sfw-slsa)** +- **[Enforcing SDLC Policies](../../guides/enforcing-sdlc-policy)** +- **[Achieving SSDF Compliance](../../guides/ssdf-compliance)** +- **[Securing Your Builds](../../guides/securing-builds)** diff --git a/docs/quick-start/demo.md b/docs/quick-start/demo.md deleted file mode 100644 index 0751e46df..000000000 --- a/docs/quick-start/demo.md +++ /dev/null @@ -1,86 +0,0 @@ ---- -sidebar_label: "Demo Project" -title: Demo Project -sidebar_position: 1 -toc_min_heading_level: 2 -toc_max_heading_level: 5 ---- - -### Scribe sample project - -This is a demo deployment of Scribe on a sample git project consisting of a source code repository and a simple CI pipeline implemented using Git workflows. Running the provided workflow will demonstrate how to use Scribe’s tools to generate signed evidence (AKA attestations) from 3 stages of the CI pipeline. - -The evidence created will be uploaded to the Scribe Hub, and allow the platform to validate the integrity of the build, provide a detailed SBOM of the build, scan the build for vulnerabilities, and map the licenses of the software components used in the build. The only pre-requisite for running the demo is a personal GitHub account and a Scribe Hub account. - -To run the demo perfoem the follwoing steps: - -1. Clone the [demo repo](https://github.com/Scribe-public-demos/demo-project "demo repo") to your GitHub account. This repo contains a simple npm ‘Hello-World’ app. -2. Sign in to [Scribe Hub](https://app.scribesecurity.com). If you don't have an account you can sign up for free [here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free"). -3. Create a API token in [Scribe Hub > Settings > Tokens](https://app.scribesecurity.com/settings/tokens). Copy it to a safe temporary notepad until you complete the integration. - -:::note Important -The token is a secret and will not be accessible from the UI after you finalize the token generation. -::: - -4. Create a new secret in your cloned repo for the Scribe Hub API token. - - - On GitHub, go to the main page of the repository. - - - Under your repository name, click `Settings`. If you cannot see the `Settings` tab, select the dropdown menu, then click `Settings`. - - github-settings - - - In the `Security` section of the sidebar, select `Secrets and variables`, then click `Actions`. - - - At the top of the page, click `New repository secret`. - - - Type 'SCRIBE_TOKEN' as name for your secret in the `Name` input box. - - - Enter the value for your token. - - - Click `Add secret`. - -5. You can now run a workflow to create an attestation of the last version committed and pushed to Git. This attestation represents the 'source of truth' regarding the project's source code. Once you have created and stored this attestation it is quite difficult for a potential adversary to tamper with the code anywhere down the pipeline. In the demo project page, go to Actions. -Click ‘I understand my workflows, go ahead and enable them’. - - I understand my workflows - -You will be redirected to the 'Actions' tab: - - demo-project-actions - - From the actions available on the left panel select *`Create signed git commit sbom`* and click `Run workflow`. Once the workflow finished executing, a signed attestation (an SBOM) has been generated and automatically uploaded to your Scribe Hub account. - -6. At this point you can run the build pipeline - build the project and containerize it. You can do this by running the *`Create signed git clone and signed image SBOMs`* workflow. As the name suggests, this workflow will generate a signed SBOM of the git repo cloned into the pipeline and another signed SBOM of the final built docker image. - - Both attestations will be uploaded to your Scribe Hub account. Now you can view the project details on the **[Scribe Hub](https://scribehub.scribesecurity.com/ "Scribe Hub Link")** **products** page of your Scribe Hub account. - -### Quick tour of the Scribe Hub - -The first page you see when you log into your **[Scribe Hub](https://scribehub.scribesecurity.com/ "Scribe Hub Link")** is your **Products** page. - -Products page - -You will see a demo project. Since you have just run the sample project's workflows, running a pipeline, generating evidence, and uploading it to Scribe Hub, you'll see your new project under the default demo project. - -The **Products** page shows you your products along with some basic information: How many subscribers have you added to this product, when the latest version of it was created (the last pipeline run), how many components were identified in the project, if the source code integrity was verified or not, how many high (or higher) vulnerabilities were identified, and how the project stands in terms of compliance to the SSDF and SLSA frameworks. - -Clicking on a product will show you all the product's builds and their information: - -Product builds page - -For each build you can see its version ID, the build date, if the source code integrity was verified or not, the number and severity of vulnerabilities, how that build stands in terms of compliance, whether the build was published and if its signature was verified. - -for more information click on any of the builds and you'll get to the build dashboard: - -Product build dashboard page - -The dashboard is your main access to see this build's reports. You can see a summary of the build's compliance information to each of the frameworks, you can see a summary of the vulnerability information, and you can see the integrity validation information. - -### Where to go next -* To learn more about what you can see, learn, and access about your build and your product look at the **[reports guide](../scribe-hub-reports/)** section. -* To learn how to create and manage SBOMs and vulnerabilities go to this **[guide](../guides/manag-sbom-and-vul)**. -* To learn about Scribe's use of the SLSA framework go to this **[guide](../guides/secure-sfw-slsa)**. -* To learn about enforcing SDLC policies go to this **[guide](../guides/enforcing-sdlc-policy)**. -* To learn how to achieve SSDF compliance go to this **[guide](../guides/ssdf-compliance)**. -* To learn how to secure your builds go to this **[guide](../guides/securing-builds)**. diff --git a/docs/quick-start/set-up-integration/_category_.json b/docs/quick-start/set-up-integration/_category_.json deleted file mode 100644 index 9b4abfe84..000000000 --- a/docs/quick-start/set-up-integration/_category_.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "label": "Setting up an integration", - "position": 2 -} \ No newline at end of file diff --git a/docs/quick-start/set-up-integration/set-up-azure.md b/docs/quick-start/set-up-integration/set-up-azure.md deleted file mode 100644 index a62c3777b..000000000 --- a/docs/quick-start/set-up-integration/set-up-azure.md +++ /dev/null @@ -1,159 +0,0 @@ ---- -sidebar_label: "Azure" -sidebar_position: 3 -title: Setting up an integration in Azure Pipelines -toc_min_heading_level: 2 -toc_max_heading_level: 5 ---- - -### The steps to take to integrate Azure Pipelines with Scribe Hub - -1. If you haven't yet done so, open a free Scribe Hub account **[here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free")**. - - -2. Get your **Client Secret** credentials from your **[Scribe Hub](https://scribehub.scribesecurity.com/ "Scribe Hub Link")** **Integrations** page. - -Scribe Integration Secrets - -3. Login to your **[Azure](https://portal.azure.com/#home)** account. - -4. Follow the **[install-an-extension](https://learn.microsoft.com/en-us/azure/devops/marketplace/install-extension?view=azure-devops&tabs=browser#install-an-extension)** instructions to install our **[Valint-task](https://marketplace.visualstudio.com/items?itemName=ScribeSecurity.valint-cli)** from the Azure marketplace. - -Azure marketplace
- -Azure marketplace
- -Azure marketplace
- -Azure marketplace
- -Azure marketplace
- -Azure marketplace
- -Azure marketplace - -4. Create a new project or go to an existing project - -Azure project - -5. Inside the project create a new repository (repo) if you don't already have one you want to use Valint with an Azure pipeline on - -Azure repos - -New Azure repository - -6. Open your Azure DevOps project repository and make sure you have a YAML file named `azure-pipelines.yml` Or just click on `Create a new pipeline`. - -New Azure pipeline - -azure-pipelines.yml - -7. Add the Scribe code example shown below to your `azure-pipelines.yml` file. - -:::note -***[Refer to this Azure document to configure runners.](https://learn.microsoft.com/en-us/azure/devops/pipelines/?view=azure-devops#:~:text=Manage%20agents%20%26%20self%2Dhosted%20agents)*** -::: - -```yaml -trigger: - branches: - include: - - main - -jobs: -- job: scribe_azure_job - displayName: 'Scribe Azure Job' - pool: - name: {Update pool name here} # Example: Mikey - agent: {Update agent name here} # Example: azure-runner-ubuntu - - variables: - imageName: 'pipelines-javascript-docker' - - steps: - - task: scribeInstall@0 - - - task: ValintCli@0 - inputs: - command: bom - target: nginx - format: statement - outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint - scribeEnable: true - scribeClientId: $(CLIENTID) - scribeClientSecret: $(CLIENTSECRET) - - - task: ValintCli@0 - inputs: - command: verify - target: nginx - inputFormat: statement - outputDirectory: $(Build.ArtifactStagingDirectory)/scribe/valint - scribeEnable: true - scribeClientId: $(CLIENTID) - scribeClientSecret: $(CLIENTSECRET) -``` -azure-pipelines.yml - -8. Add the credentials to your Azure environment according to the **[Azure DevOps - Set secret variables](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/set-secret-variables?view=azure-devops&tabs=yaml%2Cbash "Azure DevOps - Set secret variables")**: - * Go to the **Pipelines** page, select the appropriate pipeline, and then select **Edit**. - * Locate the **Variables** for this pipeline. - - Azure Pipeline Variables - - * Add or update the variable. - - Azure Pipeline Variables - - Azure Pipeline Variables - - * Select the **Secret** lock icon to store the variable in an encrypted manner. - - Azure Pipeline Variables - - * **Save** the pipeline. - - Azure Pipeline Variables - -9. You can now run the pipeline you created for your repository. - -Save and Run Azure Pipeline - -Azure Pipeline Run - -10. To add your own policies to the pipeline check out **[this guide](../../guides/enforcing-sdlc-policy#policies-and-policy-modules)**. - -11. To capture 3rd party tool results in the pipeline and turn it into evidence, check out **[this guide](../../guides/manag-sbom-and-vul#ingesting-reports-from-application-security-scanners)**. - -### Where to go on Scribe Hub - -Now that you've created your first set of evidence you can log into your **[Scribe Hub](https://scribehub.scribesecurity.com/ "Scribe Hub Link")** to view the results. - -The first place you can look into to make sure your evidence has been uploaded properly is the **[Evidence report](../../scribe-hub-reports/evidence)**. The evidence report shows all the evidence you have collected and uploaded to Scribe Hub from all your pipelines and projects. - -To see more details on your pipeline you can check out the **[Product page](../../scribe-hub-reports/product)** - -Products page - -The **products** page shows you your products along with some basic information: How many subscribers have you added to this product, when the latest version of it was created (the last pipeline run), how many components were identified in the project, if the source code integrity was verified or not, how many high (or higher) vulnerabilities were identified, and how the project stands in terms of compliance to the SSDF and SLSA frameworks. - -Clicking on a product will show you all the product's builds and their information: - -Product builds page - -For each build you can see its version ID, the build date, if the source code integrity was verified or not, the number and severity of vulnerabilities, how that build stands in terms of compliance, whether the build was published and if its signature was verified. - -for more information on the pipeline you just completed, click on the last build uploaded (the top of the list) and you'll get to the build dashboard: - -Product build dashboard page - -The dashboard is your main access to see this build's **[reports](../../scribe-hub-reports/)**. You can see a summary of the build's compliance information to each of the frameworks, you can see a summary of the vulnerability information, and you can see the integrity validation information. - -### Where to go next -* To learn more about what you can see, learn, and access about your build and your product look at the **[reports guide](../../scribe-hub-reports/)** section. -* To learn how to create and manage SBOMs and vulnerabilities go to this **[guide](../../guides/manag-sbom-and-vul)**. -* To learn about Scribe's use of the SLSA framework go to this **[guide](../../guides/secure-sfw-slsa)**. -* To learn about enforcing SDLC policies go to this **[guide](../../guides/enforcing-sdlc-policy)**. -* To learn how to achieve SSDF compliance go to this **[guide](../../guides/ssdf-compliance)**. -* To learn how to secure your builds go to this **[guide](../../guides/securing-builds)**. diff --git a/docs/quick-start/set-up-integration/set-up-github.md b/docs/quick-start/set-up-integration/set-up-github.md deleted file mode 100644 index 79eada73b..000000000 --- a/docs/quick-start/set-up-integration/set-up-github.md +++ /dev/null @@ -1,335 +0,0 @@ ---- -sidebar_label: "GitHub" -title: Setting up an integration in GitHub -sidebar_position: 1 -toc_min_heading_level: 2 -toc_max_heading_level: 5 ---- - -### The steps to take to integrate a GitHub repository with Scribe Hub - -1. If you haven't yet done so, open a free Scribe Hub account **[here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free")**. - - -2. Get your **Client Secret** credentials from your **[Scribe Hub](https://scribehub.scribesecurity.com/ "Scribe Hub Link")** **Integrations** page. - -Scribe Integration Secrets - -3. Login to your **[GitHub](https://github.com)** account. - -4. Go to the repository you wish to integrate with Scribe. - -5. Define two new `Secret` variables for your repository. -To do that, go to settings → Secrets and variables → Actions → New repository secret. - - - Under your repository name, click `Settings`. If you cannot see the `Settings` tab, select the dropdown menu, then click `Settings`. - - github-settings - - - In the `Security` section of the sidebar, select `Secrets and variables`, then click `Codespaces`. - - Secrets and variables
- Codespaces - - - At the top of the new page, click the green `New repository secret` button. - - New repository secret - - - Type a name for your secret in the `Name` input box. you need to add each secret in turn, first `CLIENT_ID` and then `CLIENT_SECRET`. Enter the value for your secret. In both cases the secret value is the one you get from your **[Scribe Hub](https://scribehub.scribesecurity.com/ "Scribe Hub Link")** **Integrations** page. - - New secret - - - Click `Add secret`. - - Add secret - -6. Now that you have added the `CLIENT_ID` and `CLIENT_SECRET` variables to your repository you can add the Scribe code snippets into your YAML workflows. This guide assumes you're adding all possible evidence collection points. - - -
- To add automatic evidence collection (a signed SBOM) after each commit - - Assuming that you do not yet have an existing pipeline workflow, you need to create a new YAML file under the `.github/workflows/` folder in the root folder of your repository. - - Repository Workflows - - If the folder dosn't exist, create it. - - In the folder create a new file called `create-signed-git-commit-sbom.yml`. Here's the file's code: - - ```yaml - name: Create signed git commit sbom - - on: push - - build: - runs-on: ubuntu-latest - - permissions: - id-token: write # workload identity access needed for signing using sigstore-github - - steps: - - uses: actions/checkout@v3 - - - name: Generate signed git SBOM - uses: scribe-security/action-bom@master - with: - target: 'git:.' - product-key: ${{ github.repository }} - scribe-client-secret: ${{ secrets.CLIENT_SECRET }} - label: is_git_commit - format: attest - - ``` - - The `on: push` segment of this workflow means that whenever there is a `push` into this repository, a new signed SBOM of the repository will be sent to the evidence store of your Scribe hub. - - Once this evidence is uploaded to your Scribe Hub you'd be able to see it on your **[evidence report](../../scribe-hub-reports/evidence)**. - -
- - -
- To add automatic evidence collection (a signed SBOM) to your GitHub pipeline workflow - - Assuming that you do not yet have an existing pipeline workflow, you need to create a new YAML file under the `.github/workflows/` folder in the root folder of your repository. - - Repository Workflows - - This new file is going to be your GitHub pipeline to create the final image from your repository. - - If you already have an existing pipeline workflow open the YAML file. - - You need to add Scribe code snippets in 2 main locations: - -
    -
  • Right after the code pull at the start of the pipeline.
  • -
  • Right after the image is built at the end of the pipeline.
  • -

- - If you are building multiple images, make sure you add the second Scribe code snippet (`Generate signed SBOM for docker image`) after each one. - - Since each pipeline is different this example will only contain just the Scribe code as an example. - - ```yaml - name: Create signed git clone and image SBOMs - - on: workflow_dispatch - - jobs: - - build: - runs-on: ubuntu-latest - - permissions: - contents: read - packages: write - id-token: write - - steps: - - uses: actions/checkout@v3 - - - name: Generate signed SBOM for repo content - # Used after git clone at the begining of the pipeline - uses: scribe-security/action-bom@master - with: - target: 'git:.' - components: packages,files,dep - scribe-client-secret: ${{ secrets.CLIENT_SECRET }} - format: attest - - - name: Build the Docker image - # This is a stand in step for whatever needs to happen in your pipeline culminating with building a docker image from the repository - run: docker build . -t ${{ github.repository }}:${{ github.sha }} - - - name: Generate signed SBOM for docker image - # Used after a docker image is built - uses: scribe-security/action-bom@master - with: - target: 'docker:scribe-demo-product:${{ github.sha }}' - - product-key: ${{ github.repository }}:${{ github.sha }} - scribe-client-secret: ${{ secrets.CLIENT_SECRET }} - format: attest - ``` - - Every time you run the workflow the evidence will be generated and uploaded to your Scribe Hub automatically. You'd be able to see the evidence on your **[evidence report](../../scribe-hub-reports/evidence)**. - - You'll also see a new build version added to the appropriate project: - - Product builds page - - Clicking on the latest added build will allow you to explore all it's relevent information, **[reports](../../scribe-hub-reports)**, and insights through the build dashboard: - - Product build dashboard page - -
- - -
- To add SLSA provenance statement collection to your GitHub pipeline workflow - - In order to add SLSA provenance generation to your GitHub pipeline workflow you must first connect the Scribe GitHub app to your organizational GitHub account. - - To do that: - -
    -
  1. - To start the integration go to your [Scribe Hub account](https://scribehub.scribesecurity.com/ "Scribe Hub Link"). On the left options column go to the integrations option.
    - Scribe Integrations -
  2. -
  3. - On the integrations page scroll down to the Source Control section:
    - Source Control -
  4. -
  5. - Press the connect button. That will lead you to a page like this:
    - Install ScribeApp -
  6. -
  7. - Choose the GitHub account you want to integrate the ScribeApp with. Make sure you have owner access to the account to allow the app integration. Make sure the account is organizational - the integration won't work with a private account.

    - Once you have chosen the account you wish to integrate with ScribeApp GitHub you will get the following window:
    - Install ScribeApp Integration -
  8. -
  9. - Choose the access level you wish to grant ScribeApp. You can choose to allow it access to all repositories or just select repositories. Note that repositories that are not covered by the ScribeApp will not be able to produce the SLSA provenance.

    - After reviewing the access granted to ScribeApp go ahead and approve it by pressing the big green button.
    - Green button -
  10. -
  11. - Next, you'll be directed to GitHub to approve your access by inputting your password.
    - Approve access -
  12. -
  13. - You get redirected to the integrations page. There is now a green checkmark next to the GitHub icon in the Source Control section:
    - Approve access -
  14. -

- - Now that you have connected the Scribe GitHub app to your organizational GitHub account you can add the SLSA provenance generation code snipet to the end of your build pipeline. - - Here's the code you should add to your pipeline workflow YAML file after the final docker image is created: - - ```yaml - - name: Generate SLSA provenance statement - id: valint_slsa_statement - uses: scribe-security/action-bom@master - with: - target: 'docker:${{ github.repository }}:${{ github.sha }}' - format: statement-slsa - - -uses: actions/upload-artifact@v4 - with: - name: provenance - path: ${{ steps.valint_slsa_statement.outputs.OUTPUT_PATH }} - - ``` - - And here's a full example pipeline: - - ```yaml - name: Create signed git clone and image SBOMs - - on: workflow_dispatch - - jobs: - - build: - runs-on: ubuntu-latest - - permissions: - contents: read - packages: write - id-token: write - - steps: - - uses: actions/checkout@v3 - - - name: Generate signed SBOM for repo content - # Used after git clone at the begining of the pipeline - uses: scribe-security/action-bom@master - with: - target: 'git:.' - components: packages,files,dep - scribe-client-secret: ${{ secrets.CLIENT_SECRET }} - format: attest - - - name: Build the Docker image - # This is a stand in step for whatever needs to happen in your pipeline culminating with building a docker image from the repository - run: docker build . -t ${{ github.repository }}:${{ github.sha }} - - - name: Generate signed SBOM for docker image - # Used after a docker image is built - uses: scribe-security/action-bom@master - with: - target: 'docker:${{ github.repository }}:${{ github.sha }}' - product-key: ${{ github.repository }}:${{ github.sha }} - scribe-client-secret: ${{ secrets.CLIENT_SECRET }} - format: attest - - - name: Generate SLSA provenance statement - id: valint_slsa_statement - uses: scribe-security/action-bom@master - with: - target: 'docker:${{ github.repository }}:${{ github.sha }}' - format: statement-slsa - - -uses: actions/upload-artifact@v4 - with: - name: provenance - path: ${{ steps.valint_slsa_statement.outputs.OUTPUT_PATH }} - ``` - - To see that provenance information you need to go to the **Actions** tab in your GitHub repository. - - Actions tab - - There you can examine the workflows and actions you have run on this GitHub repository. Once you have run a workflow that includes the SLSA provenance generation you'll be able to find the resulting file at the bottom of the page: - - SLSA provenance file - - The provenance information is in in-toto format and looks like this: - - SLSA Provenance in-toto format - - In your Scribe hub, having a SLSA provenance added can be seen in your **[compliance report](../../scribe-hub-reports/compliance)**: - - SLSA provenance available - -
- -7. To add your own policies to the pipeline check out **[this guide](../../guides/enforcing-sdlc-policy#policies-and-policy-modules)**. - -8. To capture 3rd party tool results in the pipeline and turn it into evidence, check out **[this guide](../../guides/manag-sbom-and-vul#ingesting-reports-from-application-security-scanners)**. - -### Where to go on Scribe Hub - -Now that you've created your first set of evidence you can log into your **[Scribe Hub](https://scribehub.scribesecurity.com/ "Scribe Hub Link")** to view the results. - -The first place you can look into to make sure your evidence has been uploaded properly is the **[Evidence report](../../scribe-hub-reports/evidence)**. The evidence report shows all the evidence you have collected and uploaded to Scribe Hub from all your pipelines and projects. - -To see more details on your pipeline you can check out the **Product page** - -Products page - -The **products** page shows you your products along with some basic information: How many subscribers have you added to this product, when the latest version of it was created (the last pipeline run), how many components were identified in the project, if the source code integrity was verified or not, how many high (or higher) vulnerabilities were identified, and how the project stands in terms of compliance to the SSDF and SLSA frameworks. - -Clicking on a product will show you all the product's builds and their information: - -Product builds page - -For each build you can see its version ID, the build date, if the source code integrity was verified or not, the number and severity of vulnerabilities, how that build stands in terms of compliance, whether the build was published and if its signature was verified. - -for more information on the pipeline you just completed, click on the last build uploaded (the top of the list) and you'll get to the build dashboard: - -Product build dashboard page - -The dashboard is your main access to see this build's **[reports](../../scribe-hub-reports/)**. You can see a summary of the build's compliance information to each of the frameworks, you can see a summary of the vulnerability information, and you can see the integrity validation information. - -### Where to go next -* To learn more about what you can see, learn, and access about your build and your product look at the **[reports guide](../../scribe-hub-reports/)** section. -* To learn how to create and manage SBOMs and vulnerabilities go to this **[guide](../../guides/manag-sbom-and-vul)**. -* To learn about Scribe's use of the SLSA framework go to this **[guide](../../guides/secure-sfw-slsa)**. -* To learn about enforcing SDLC policies go to this **[guide](../../guides/enforcing-sdlc-policy)**. -* To learn how to achieve SSDF compliance go to this **[guide](../../guides/ssdf-compliance)**. -* To learn how to secure your builds go to this **[guide](../../guides/securing-builds)**. - - - diff --git a/docs/quick-start/set-up-integration/set-up-jenkins.md b/docs/quick-start/set-up-integration/set-up-jenkins.md deleted file mode 100644 index 31bd4fc5b..000000000 --- a/docs/quick-start/set-up-integration/set-up-jenkins.md +++ /dev/null @@ -1,180 +0,0 @@ ---- -sidebar_position: 2 -sidebar_label: "Jenkins" -title: Setting up an integration in Jenkins -toc_min_heading_level: 2 -toc_max_heading_level: 5 ---- - -### The steps to take to integrate Jenkins with Scribe Hub - -1. If you haven't yet done so, open a free Scribe Hub account **[here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free")**. - - -2. Get your **Client Secret** credentials from your **[Scribe Hub](https://scribehub.scribesecurity.com/ "Scribe Hub Link")** **Integrations** page. - -Scribe Integration Secrets - -3. Login to your Jenkins Web Console. - Jenkins login - -4. Select **Dashboard> Manage Jenkins> Manage credentials (under Security options)**. - Jenkins Dashboard - Manage credentials - -5. Select 'Global' in the list of domains: - Jenkins Global domain - -6. To add Client Secret, in the **Global credentials** area, click **+ Add Credentials**. A new **Credentials** form will open. - Jenkins Add Credentials - -7. Apply the **Client Secret** provided by Scribe to the **Password**, Username can be filled in with anything. - Jenkins Credentials Username/Password - -8. Set **ID** to **`scribe-auth-id`** (lowercase). - Jenkins Credentials ID - -9. Click **Create**. - Jenkins Credentials Create - -10. Click on 'Dashboard' to go to the main dashboard - Manage Jenkins - -11. Click on 'New Item' - Jenkins New Item - -12. Create a new folder such as 'integration-scribe-in-jenkins'. Click on 'New Folder' to create it once you enter the name and then click 'ok'. - Jenkins New Item - -13. Click 'Apply' and then 'Save'. - Jenkins Apply - -14. Now to create the pipeline, click on 'New Item' - Jenkins New Item - -15. Name it 'install-valint-pipeline'. Click on 'New Pipeline' to create it once you enter the name and then click 'ok'. - Jenkins New Pipeline - -16. Once you created a pipeline a new job is created. Click on the job: - Jenkins Job - -17. Scroll down till you reach a 'pipeline' section and add the following script: - Jenkins Job - -### Jenkins pipeline JavaScript code example - -```javascript -pipeline { - agent any - stages { - stage('checkout') { - steps { - cleanWs() - sh 'git clone -b v1.0.0-alpha.4 --single-branch https://github.com/mongo-express/mongo-express.git mongo-express-scm' - } - } - - stage('sbom') { - agent { - docker { - image 'scribesecurity/valint:latest' - reuseNode true - args "--entrypoint=" - } - } - steps { - withCredentials([token(credentialsId: 'scribe-auth-id', variable: 'SCRIBE_TOKEN')]) { - sh ''' - valint bom dir:mongo-express-scm \ - --context-type jenkins \ - --output-directory ./scribe/valint \ - -P $SCRIBE_TOKEN ''' - } - } - } - - stage('image-bom') { - agent { - docker { - image 'scribesecurity/valint:latest' - reuseNode true - args "--entrypoint=" - } - } - steps { - withCredentials([token(credentialsId: 'scribe-auth-id', variable: 'SCRIBE_TOKEN')]) { - sh ''' - valint bom mongo-express:1.0.0-alpha.4 \ - --context-type jenkins \ - --output-directory ./scribe/valint \ - -P $SCRIBE_TOKEN ''' - } - } - } - } -} -``` -:::note -The above pipeline script is an example. It connects to the GitHub repository [https://github.com/mongo-express/mongo-express.git](https://github.com/mongo-express/mongo-express.git), clones it and creates an image for it. - -An SBOM is created after the clone is done and after the image has been created. - -The above example was created under the assumption that you're using **Jenkins over Docker**. If you have a different version of Jenkins like **Jenkins over Kubernetes (K8s)** or **Jenkins Vanilla (No Agent)** you can find the needed JavaScript needed to create your pipeline in our full **[Jenkins Documentation](../../integrating-scribe/ci-integrations/jenkins#procedure)**. -::: - -18. Click 'Apply' and then 'Save'.
- Jenkins Apply - -19. Click on 'Build now' to run the pipeline: - Jenkins Build - -20. Click on the '#' to see the pipeline log output - Jenkins Log - Jenkins Log - -21. To add your own policies to the pipeline check out **[this guide](../../guides/enforcing-sdlc-policy#policies-and-policy-modules)**. - -22. To capture 3rd party tool results in the pipeline and turn it into evidence, check out **[this guide](../../guides/manag-sbom-and-vul#ingesting-reports-from-application-security-scanners)**. - - - -### Where to go on Scribe Hub - -Now that you've created your first set of evidence you can log into your **[Scribe Hub](https://scribehub.scribesecurity.com/ "Scribe Hub Link")** to view the results. - -The first place you can look into to make sure your evidence has been uploaded properly is the **[Evidence report](../../scribe-hub-reports/evidence)**. The evidence report shows all the evidence you have collected and uploaded to Scribe Hub from all your pipelines and projects. - -To see more details on your pipeline you can check out the **Product page** - -Products page - -The **products** page shows you your products along with some basic information: How many subscribers have you added to this product, when the latest version of it was created (the last pipeline run), how many components were identified in the project, if the source code integrity was verified or not, how many high (or higher) vulnerabilities were identified, and how the project stands in terms of compliance to the SSDF and SLSA frameworks. - -Clicking on a product will show you all the product's builds and their information: - -Product builds page - -For each build you can see its version ID, the build date, if the source code integrity was verified or not, the number and severity of vulnerabilities, how that build stands in terms of compliance, whether the build was published and if its signature was verified. - -for more information on the pipeline you just completed, click on the last build uploaded (the top of the list) and you'll get to the build dashboard: - -Product build dashboard page - -The dashboard is your main access to see this build's **[reports](../../scribe-hub-reports/)**. You can see a summary of the build's compliance information to each of the frameworks, you can see a summary of the vulnerability information, and you can see the integrity validation information. - -### Where to go next -* To learn more about what you can see, learn, and access about your build and your product look at the **[reports guide](../../scribe-hub-reports/)** section. -* To learn how to create and manage SBOMs and vulnerabilities go to this **[guide](../../guides/manag-sbom-and-vul)**. -* To learn about Scribe's use of the SLSA framework go to this **[guide](../../guides/secure-sfw-slsa)**. -* To learn about enforcing SDLC policies go to this **[guide](../../guides/enforcing-sdlc-policy)**. -* To learn how to achieve SSDF compliance go to this **[guide](../../guides/ssdf-compliance)**. -* To learn how to secure your builds go to this **[guide](../../guides/securing-builds)**. diff --git a/docs/release-notes/rns.md b/docs/release-notes/rns.md index 3a12a7a5b..d74bcb370 100644 --- a/docs/release-notes/rns.md +++ b/docs/release-notes/rns.md @@ -1,21 +1,67 @@ -# Scribe Hub -*Last modified November 3, 2024* -## Scribe Hub Version 1.23.0 -*Novemeber 4, 2024* +# Scribe Hub +*Last modified: May 29, 2025* +--- + +## Version 1.43.2 (May 29, 2025) + +### Improvements +- Under **Products ▸ `` ▸ Findings**, users can now review uploaded findings from third-party application-security scanners. +- Added simplified policies for handling scanner findings to the catalog. +- Support for ingesting CycloneDX v1.6 SBOMs. +- Vulnerability tables enhancements: + - Filter by dependency-relationship type (Direct vs. Transitive). + - Display full vulnerability description. + - Show associated CWEs. +- **Analytics (Early Access)** improvements: + - New Vulnerability Risk dashboard. + - Pull end-of-life data from endoflife.date. +- **Usability**: + - New sidebar filter on the Products page. + - Minor improvements to email alerts. + +--- + +## Version 1.30.3 (January 29, 2025) ### Improvements -#### Discovery Asset table -- Added Parent asset as property in the Asset table. +- **Team Homepage** + - Relocated the **Overview** dashboard (formerly under Reports) to become the team’s home page. +- **Account** + - Renamed **Settings** to **Account**. + - Moved the **User Logs** dashboard from Reports into Accounts. +- **SBOMs (SBOM Inventory)** + - Renamed the **Reports** section to **SBOMs**. + - In the SBOM dashboard: + - Added a **Relation** column showing whether a dependency is direct or transitive. + - “More” dialog now displays related dependencies (parent or child). + - Added a new funnel chart under SBOMs ▸ Vulnerabilities to visualize issue prioritization. +- **Policy** + - Moved the Evidence dashboard (formerly under Reports) into Policy. + - Added filtering by Evidence ID. + - Exposed Evidence ID in the “More” dialog. + - Discovery-collected evidence now shows **Signer ID** like other evidence types. -- Added 'More' link to asset line for extended info. -- Canceled the Lineage tab which became redundant as a result of the above change. -- Improved loading time of tables, filter, and graph. +### Behavior Changes +- Deprecated the SLSA dashboard under Reports; SLSA findings are now accessible via the Policy ▸ Evaluation dashboard. + +--- + +## Version 1.23.0 (November 4, 2024) -## Scribe Hub Version 1.21.0 ### Improvements -#### Attestation Signing -- Sign with AWS KMS keys. -#### SLSA Verification -- Compliance with SLSA level 1 and 2 is validated by the client (valint). This replaces the previous implementation and standardized on the policy as code model. +- **Discovery** + - In the Asset table: + - Added **Parent asset** as a column. + - Replaced the Lineage tab with a “More” link for extended info. + - Improved load times for tables, filters, and graphs. + +--- +## Version 1.21.0 + +### Improvements +- **Attestation** + - Sign attestations with AWS KMS keys. +- **SLSA Verification** + - Client-side validation for SLSA Levels 1 & 2 standardized via a policy-as-code model, replacing the previous implementation. diff --git a/docs/scribe-api/README.md b/docs/scribe-api/README.md index f3de53210..fa910a306 100644 --- a/docs/scribe-api/README.md +++ b/docs/scribe-api/README.md @@ -6,109 +6,23 @@ toc_min_heading_level: 2 toc_max_heading_level: 5 --- - -The first step in accessing Scribe's API is getting an API key. Scribe uses the auth0 **[client credentials flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/call-your-api-using-the-client-credentials-flow)** to enable you to retrieve an API key. +# Accessing the Scribe Security API -To request a token run this script: -``` -curl --request POST \ - --url 'https://scribe-hub-production.us.auth0.com/oauth/token' \ - --header 'content-type: application/x-www-form-urlencoded' \ - --data grant_type='client_credentials' \ - --data client_id=YOUR_CLIENT_ID \ - --data client_secret=YOUR_CLIENT_SECRET \ - --data audience='api.production.scribesecurity.com' -``` -The `CLIENT_ID` and `CLIENT_SECRET` in this script are the same `CLIENT_ID` and `CLIENT_SECRET` you can retrieve from your **[Scribe Hub](https://scribehub.scribesecurity.com/ "Scribe Hub Link")** **Integrations** page. +Scribe provides a **Swagger API**, which you can explore **[here](https://api.scribesecurity.com/v1/swaggerui)**. -Scribe Integration Secrets +For working usage examples, visit our **[GitHub repository](https://github.com/scribe-security/api-examples)**. -The response to the token request looks like this: -``` -{ - "access_token":"eyJz93a...k4laUWw", - "token_type":"Bearer", - "expires_in":86400 -} -``` -The `access_token` in the response is your API key. +## Steps to Access the API -Scribe uses **[swagger-client](https://www.npmjs.com/package/swagger-client)** to enable access to our API. Swagger-client is a JavaScript module that allows you to fetch, resolve, and interact with OpenAPI documents to resolve API calls. +Follow these steps to authenticate and start using the Scribe API: -To use it you should first download and install swagger-client. If the Python package is hosted on GitHub, you can install it directly from GitHub +1. **Generate an API Token** + - Navigate to **[Scribe Hub > Account > Tokens](https://app.scribesecurity.com/account/tokens)**. + - Create a new API token. -```sh -pip install git+https://github.com//.git -``` -(you may need to run `pip` with root permission: `sudo pip install git+https://github.com//.git`) +2. **Obtain a JWT Token** + - Call the `/v1/login` API endpoint. + - Refer to the **[Swagger documentation](https://api.scribesecurity.com/v1/swaggerui#/login)** for request details. + - The `access_token` in the response is your API key. -Then import the package: -```python -import swagger_client -``` - -### Setuptools - -Install via [Setuptools](http://pypi.python.org/pypi/setuptools). - -```sh -python setup.py install --user -``` -(or `sudo python setup.py install` to install the package for all users) - -Then import the package: -```python -import swagger_client -``` - -## Getting Started - -Please follow the installation procedure and then run the following: - -```python -from __future__ import print_function -import time -import swagger_client -from swagger_client.rest import ApiException -from pprint import pprint - -# Configure API key authorization: JWT -configuration = swagger_client.Configuration() -configuration.api_key['Authorization'] = 'YOUR_API_KEY' -# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed -# configuration.api_key_prefix['Authorization'] = 'Bearer' - -# create an instance of the API class -api_instance = swagger_client.DatasetApi(swagger_client.ApiClient(configuration)) -body = swagger_client.LoginRequest() # LoginRequest | (optional) - -try: - # This endpoint is used to get an admin token, either use client-id and secret OR the refresh token. - api_response = api_instance.get_admin_token_action(body=body) - pprint(api_response) -except ApiException as e: - print("Exception when calling DatasetApi->get_admin_token_action: %s\n" % e) - -``` - -## Documentation for API Endpoints - -All URIs are relative to *http://localhost:4000* - -Class | Method | HTTP request | Description ------------- | ------------- | ------------- | ------------- -*DatasetApi* | get_admin_token_action | **GET** /dataset/token | This endpoint is used to get an admin token, either use client-id and secret OR the refresh token. -*DatasetApi* | get_datasets_action | **POST** /dataset/data | This endpoint is used to retrieve data from a dataset with a filter. -*DatasetApi* | list_datasets_input_action | **GET** /dataset | This endpoint is used to list the available datasets with their schema. -*DefaultApi* | dataset | **POST** /dataset/token | This endpoint is used to exchange a team product key with a superset data-access token. -*EvidenceApi* | delete_evidence_action | **DELETE** /evidence/\{file_id\} | Delete evidence object. -*EvidenceApi* | download_evidence_action | **GET** /evidence/\{file_id\} | Create pre-signed URL to POST file content. -*EvidenceApi* | finish_upload_evidence_action | **POST** /evidence/finish | Mark file transfer as finished. -*EvidenceApi* | list_evidence_action | **POST** /evidence/list | Get a list of processes for specific queries. -*EvidenceApi* | upload_evidence_action | **POST** /evidence | Create pre-signed URL to POST file content. - - - -### API Usage Examples - -You can find working usage examples **[here](https://github.com/scribe-security/api-examples)**. \ No newline at end of file +Once authenticated, you can use this token to access other API endpoints securely. diff --git a/docusaurus.config.js b/docusaurus.config.js index 09bc040e5..2e9fcbf6b 100644 --- a/docusaurus.config.js +++ b/docusaurus.config.js @@ -85,10 +85,7 @@ const config = { "introducing-scribe/what-is-scribe.md", "introducing-scribe/scribe-hub.md", "introducing-scribe/stand-alone.md", - "quick-start/demo.md", - "quick-start/set-up-integration/set-up-github.md", - "quick-start/set-up-integration/set-up-jenkins.md", - "quick-start/set-up-integration/set-up-azure.md", + "quick-start/README.md", "guides/manag-sbom-and-vul.md", "guides/secure-sfw-slsa/README.md", "guides/secure-sfw-slsa/slsa-lvl-1.md",