Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
37 commits
Select commit Hold shift + click to select a range
fca3aed
Merge pull request #279 from scribe-security/dev
houdini91 Nov 4, 2024
156b86d
Merge pull request #285 from scribe-security/dev
houdini91 Dec 4, 2024
d520c69
Merge pull request #288 from scribe-security/dev
houdini91 Jan 13, 2025
1a542e3
RNs ver 1.30.3
code-luac Jan 29, 2025
69f6b67
RNs ver 1.30.3
code-luac Jan 29, 2025
4cb4459
Merge pull request #290 from scribe-security/code-luac-patch-2
code-luac Jan 29, 2025
e660f4e
Merge pull request #291 from scribe-security/dev
houdini91 Jan 30, 2025
e2d5889
fix: upgrade upload artifact to advanced version
dn-scribe Feb 10, 2025
26a55b1
feat: add markdown copy for use with LLM
dn-scribe Feb 10, 2025
0530cc5
fix: typo
dn-scribe Feb 10, 2025
c8e633c
fix: try with no -o
dn-scribe Feb 10, 2025
1fe472d
Merge pull request #292 from scribe-security/fix-pdf-workflow
dn-scribe Feb 10, 2025
c7e38c8
Update azure.md
code-luac Feb 19, 2025
8f179ae
Update azure.md
code-luac Feb 19, 2025
f19c82c
Update bitbucket.md
code-luac Feb 19, 2025
083ab22
Update circleci.md
code-luac Feb 19, 2025
32d5e1d
Update general.md
code-luac Feb 19, 2025
0184364
Update gitlabci.md
code-luac Feb 19, 2025
4e85601
Update jenkins.md
code-luac Feb 19, 2025
5a60ac3
Update tekton.md
code-luac Feb 19, 2025
f053203
Update travis.md
code-luac Feb 19, 2025
80c78ce
Update set-up-github.md
code-luac Feb 19, 2025
cfb0482
Update set-up-github.md
code-luac Feb 19, 2025
3875cd0
Create README.md
code-luac Feb 19, 2025
ee0128f
Delete docs/quick-start/demo.md
code-luac Feb 19, 2025
3a9c32b
Delete docs/quick-start/set-up-integration directory
code-luac Feb 19, 2025
4582026
Update README.md
code-luac Feb 19, 2025
8eebf62
Update README.md
code-luac Feb 19, 2025
8c264cb
Update docusaurus.config.js
code-luac Feb 19, 2025
2fd1bb9
Merge pull request #294 from scribe-security/code-luac-patch-3
guycherno Feb 20, 2025
4d600f4
Merge pull request #296 from scribe-security/dev
houdini91 Mar 12, 2025
a7f2eb2
Merge pull request #304 from scribe-security/dev
houdini91 May 20, 2025
e381c7d
Merge pull request #306 from scribe-security/dev
houdini91 May 27, 2025
4e19420
Merge pull request #307 from scribe-security/dev
houdini91 May 29, 2025
dd4dca9
Update rns.md
code-luac May 29, 2025
7c93e4e
Merge pull request #311 from scribe-security/code-luac-patch-7
guycherno May 30, 2025
3bdb9e8
Merge pull request #312 from scribe-security/dev
houdini91 Jun 5, 2025
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 8 additions & 3 deletions .github/workflows/gen-pdf.yml

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mikey, this is used for providing AI a guide. Changes look fine.

Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,13 @@ jobs:
- name: build pdf
run: npx docusaurus-prince-pdf -u https://scribe-security.netlify.app/docs/introducing-scribe/what-is-scribe --output scribe-guide.pdf

- name: create markdown file
run: |
pip install markitdown
markitdown scribe-guide.pdf > scribe-guide.md

- name: upload artifact
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4.6.0
with:
name: scribe-guide-pdf
path: scribe-guide.pdf
name: scribe-guide
path: scribe-guide.*
18 changes: 8 additions & 10 deletions docs/integrating-scribe/ci-integrations/azure.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,13 +9,11 @@ Use the following instructions to integrate your Azure pipelines with Scribe.
### Installation
**[Valint-task](https://marketplace.visualstudio.com/items?itemName=ScribeSecurity.valint-cli)** Can be found in Azure marketplace. <br />
Follow **[install-an-extension](https://learn.microsoft.com/en-us/azure/devops/marketplace/install-extension?view=azure-devops&tabs=browser#install-an-extension)** to add the extension to your organization. <br />
Once you have the extension installed you can use the task in your pipeline.
Once you have the extension installed, you can use the task in your pipeline.

### 1. Obtain a Scribe Hub API Token

1. Sign in to [Scribe Hub](https://app.scribesecurity.com). If you don't have an account you can sign up for free [here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free").

2. Create a API token in [Scribe Hub > Settings > Tokens](https://app.scribesecurity.com/settings/tokens). Copy it to a safe temporary notepad until you complete the integration.
Create an API token in [Scribe Hub > Account > Tokens](https://app.scribesecurity.com/account/tokens). Copy it to a safe temporary notepad until you complete the integration.

:::note Important
The token is a secret and will not be accessible from the UI after you finalize the token generation.
Expand All @@ -35,7 +33,7 @@ Add the Scribe Hub API token as SCRIBE_TOKEN to your Azure environment by follow

#### Basic example
Generate an SBOM of an image built in the pipeline by adding a step to call Valint at the end of the build.
In your Azure DevOps project make sure you have a file named `azure-pipelines.yml` and add the following steps to it after the build step:
In your Azure DevOps project, make sure you have a file named `azure-pipelines.yml` and add the following steps to it after the build step:

```yaml
- job: scribe_azure_job
Expand Down Expand Up @@ -166,7 +164,7 @@ jobs:
</details>

<details>
<summary> Generate SLSA provenance for for an image built with local docker </summary>
<summary> Generate SLSA provenance for an image built with local docker </summary>

```YAML
- task: ValintCli@2
Expand All @@ -183,7 +181,7 @@ jobs:
<details>
<summary> Generate an SBOM for an image in a private registry </summary>

> Add a `docker login` task before the adding the following task:
> Add a `docker login` task before adding the following task:

```YAML
- task: ValintCli@2
Expand All @@ -200,7 +198,7 @@ jobs:
<details>
<summary> Generate SLSA provenance for an image in a private registry </summary>

> Before the following task add a `docker login` task
> Before the following task, add a `docker login` task

```YAML
- task: ValintCli@2
Expand Down Expand Up @@ -489,9 +487,9 @@ Create SBOM for remote `busybox:latest` image.
<details>
<summary> <b> OCI Evidence store </b></summary>

Valint supports both storage and verification flows for `attestations` and `statement` objects utilizing OCI registry as an evidence store.
Valint supports both storage and verification flows for `attestations` and `statement` objects utilizing the OCI registry as an evidence store.

Using OCI registry as an evidence store allows you to upload, download and verify evidence across your supply chain in a seamless manner.
Using the OCI registry as an evidence store allows you to upload, download, and verify evidence across your supply chain in a seamless manner.

Related flags:
* `oci` Enable OCI store.
Expand Down
7 changes: 3 additions & 4 deletions docs/integrating-scribe/ci-integrations/bitbucket.md
Original file line number Diff line number Diff line change
Expand Up @@ -286,12 +286,11 @@ pipelines:
# Scribe integration

### 1. Obtain a Scribe Hub API Token
1. Sign in to [Scribe Hub](https://app.scribesecurity.com). If you don't have an account you can sign up for free [here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free").

2. Create an API token in [Scribe Hub > Settings > Tokens](https://app.scribesecurity.com/settings/tokens). Copy it to a safe temporary notepad until you complete the integration.
Create an API token in [Scribe Hub > Account > Tokens](https://app.scribesecurity.com/account/tokens). Copy it to a safe temporary notepad until you complete the integration.

:::note Important
The token is a secret and will not be accessible from the UI after you finalize the token generation.
The token is a secret and will not be accessible from the UI after you finalize the token generation.
:::

### 2. Add the API token to the Bitbucket secrets
Expand Down Expand Up @@ -609,4 +608,4 @@ pipelines:
OCI_REPO: [oci_repo]
```

</details>
</details>
6 changes: 2 additions & 4 deletions docs/integrating-scribe/ci-integrations/circleci.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,8 @@ Use the following instructions to integrate your CircleCI with Scribe.

### 1. Obtain a Scribe Hub API Token

1. Sign in to [Scribe Hub](https://app.scribesecurity.com). If you don't have an account you can sign up for free [here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free").
Create an API token in [Scribe Hub > Account > Tokens](https://app.scribesecurity.com/account/tokens). Copy it to a safe temporary notepad until you complete the integration.

2. Create a API token in [Scribe Hub > Settings > Tokens](https://app.scribesecurity.com/settings/tokens). Copy it to a safe temporary notepad until you complete the integration.

:::note Important
The token is a secret and will not be accessible from the UI after you finalize the token generation.
:::
Expand Down Expand Up @@ -61,4 +59,4 @@ Scribe offers custom CircleCI Orbs for easier integration of CircleCI workflows
### Resources

* **[CircleCI ScribeHub Orb Registry Page](https://circleci.com/orbs/registry/orb/scribe-security/orbs)** - The official registry page of the ScribeHub orb for all versions, executors, commands, and jobs described.
* **[CircleCI Orb Docs](https://circleci.com/docs/2.0/orb-intro/#section=configuration)** - Docs for using, creating, and publishing CircleCI Orbs.
* **[CircleCI Orb Docs](https://circleci.com/docs/2.0/orb-intro/#section=configuration)** - Docs for using, creating, and publishing CircleCI Orbs.
6 changes: 3 additions & 3 deletions docs/integrating-scribe/ci-integrations/general.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,9 +9,9 @@ toc_max_heading_level: 5
Use the following instructions to integrate Scribe with your local host or with any CI platform that has no specific reference in Scribe's documentation.

### 1. Obtain a Scribe Hub API Token
1. Sign in to [Scribe Hub](https://app.scribesecurity.com). If you don't have an account you can sign up for free [here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free").

2. Create a API token in [Scribe Hub > Settings > Tokens](https://app.scribesecurity.com/settings/tokens). Copy it to a safe temporary notepad until you complete the integration.
Create an API token in [Scribe Hub > Account > Tokens](https://app.scribesecurity.com/account/tokens). Copy it to a safe temporary notepad until you complete the integration.

:::note Important
The token is a secret and will not be accessible from the UI after you finalize the token generation.
:::
Expand Down Expand Up @@ -44,4 +44,4 @@ At the end of a build: Generate SBOM of the built image is created.
$HOME/.scribe/bin/valint bom <your_docker_repository:tag> -f
```

> To explicitly set a secret, you may use the `-P` flag.
> To explicitly set a secret, you may use the `-P` flag.
5 changes: 2 additions & 3 deletions docs/integrating-scribe/ci-integrations/gitlabci.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,8 @@ sidebar_position: 3
Use the following instructions to integrate your GitLab pipelines with Scribe.

### 1. Obtain a Scribe Hub API Token
1. Sign in to [Scribe Hub](https://app.scribesecurity.com). If you don't have an account you can sign up for free [here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free").

2. Create a API token in [Scribe Hub > Settings > Tokens](https://app.scribesecurity.com/settings/tokens). Copy it to a safe temporary notepad until you complete the integration.
Create an API token in [Scribe Hub > Account > Tokens](https://app.scribesecurity.com/account/tokens). Copy it to a safe temporary notepad until you complete the integration.

:::note Important
The token is a secret and will not be accessible from the UI after you finalize the token generation.
Expand Down Expand Up @@ -517,4 +516,4 @@ scribe-gitlab-job:

> Use `gitlab` as context-type.

</details>
</details>
3 changes: 1 addition & 2 deletions docs/integrating-scribe/ci-integrations/jenkins.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,8 @@ title: Integrating Scribe in your Jenkins pipeline
Use the following instructions to integrate your Jenkins pipelines with Scribe.

### 1. Obtain a Scribe Hub API Token
1. Sign in to [Scribe Hub](https://app.scribesecurity.com). If you don't have an account you can sign up for free [here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free").

2. Create an API token in [Scribe Hub > Settings > Tokens](https://app.scribesecurity.com/settings/tokens). Copy it to a safe temporary notepad until you complete the integration.
Create an API token in [Scribe Hub > Account > Tokens](https://app.scribesecurity.com/account/tokens). Copy it to a safe temporary notepad until you complete the integration.

:::note Important
The token is a secret and will not be accessible from the UI after you finalize the token generation.
Expand Down
4 changes: 2 additions & 2 deletions docs/integrating-scribe/ci-integrations/tekton.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,9 @@ title: Integrating Scribe in your Tekton Pipelines
Use the following instructions to integrate your Tekton pipelines with Scribe.

### 1. Obtain a Scribe Hub API Token
1. Sign in to [Scribe Hub](https://app.scribesecurity.com). If you don't have an account you can sign up for free [here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free").

2. Create a API token in [Scribe Hub > Settings > Tokens](https://app.scribesecurity.com/settings/tokens). Copy it to a safe temporary notepad until you complete the integration.
Create an API token in [Scribe Hub > Account > Tokens](https://app.scribesecurity.com/account/tokens). Copy it to a safe temporary notepad until you complete the integration.

:::note Important
The token is a secret and will not be accessible from the UI after you finalize the token generation.
:::
Expand Down
4 changes: 2 additions & 2 deletions docs/integrating-scribe/ci-integrations/travis.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,9 @@ sidebar_position: 6
Use the following instructions to integrate your Travis CI pipelines with Scribe.

### 1. Obtain a Scribe Hub API Token
1. Sign in to [Scribe Hub](https://app.scribesecurity.com). If you don't have an account you can sign up for free [here](https://scribesecurity.com/scribe-platform-lp/ "Start Using Scribe For Free").

2. Create a API token in [Scribe Hub > Settings > Tokens](https://app.scribesecurity.com/settings/tokens). Copy it to a safe temporary notepad until you complete the integration.
Create an API token in [Scribe Hub > Account > Tokens](https://app.scribesecurity.com/account/tokens). Copy it to a safe temporary notepad until you complete the integration.

:::note Important
The token is a secret and will not be accessible from the UI after you finalize the token generation.
:::
Expand Down
154 changes: 154 additions & 0 deletions docs/quick-start/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,154 @@
---
sidebar_label: "Quickstart"
title: Quickstarting with a basic example
sidebar_position: 1
toc_min_heading_level: 2
toc_max_heading_level: 5
---

# **Get Started with a Simple Example**

This guide provides a basic example of generating a **signed SBOM** and a **signed provenance document** for your builds using **Valint,** Scribe’s CI/CD agent.

Valint enables you to:
- Generate SBOMs
- Collect security evidence
- Perform integrity checks
- Enforce security guardrails in your build pipelines

## **1. Set Up Your Project**

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@guycherno
Do you want to update this page to reflect the new scribe-public/demo-pipeline, that demos also platforms?

- Choose a **GitHub project** that builds container images, or fork our **[demo project](https://github.com/Scribe-public-demos/demo-project)** to get started quickly.
- Using **GitLab, Azure Pipelines, or another CI platform?** Refer to [integration guides](https://scribe-security.netlify.app/docs/integrating-scribe/ci-integrations/).

## **2. Generate a Scribe API Token**
- Obtain your API token from **[Scribe Hub](https://app.scribesecurity.com/account/tokens?modal=openCreateTokenModal)**.
- Add it to your **GitHub secrets** as **`SCRIBE_API_TOKEN`** following [GitHub's documentation on secrets](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository).

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@houdini91
Do platforms and valint work properly with both SCRIBE_API_TOKEN and SCRIBE_TOKEN? If not, we should align the documentation to whatever works by default.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think the meaning was SCRIBE_API_TOKEN is set here to be the secret name , SCRIBE_TOKEN is the env name.
Align it as you will


## **3. Modify Your Image Build Workflow**
Add the following steps to your existing **GitHub Actions workflow** (e.g., `build-image.yaml`):

```yaml
- name: Generate signed SBOM for Docker image
uses: scribe-security/action-bom@master
permissions:
contents: read
id-token: write # Required for Sigstore signing
with:
target: your-image:tag # Replace with your actual image name and tag
product-key: My-Product
product-version: 1.0.0
scribe-client-secret: ${{ secrets.SCRIBE_API_TOKEN }}
format: attest

- name: Generate signed SLSA Provenance for Docker image
uses: scribe-security/action-slsa@master
permissions:
contents: read
id-token: write # Required for Sigstore signing
with:
target: your-image:tag # Replace with your actual image name and tag
product-key: My-Product
product-version: 1.0.0
scribe-client-secret: ${{ secrets.SCRIBE_API_TOKEN }}
format: attest
```

### **Notes:**
- Replace **`your-image:tag`** with your actual Docker image name and tag, such as `my-app:latest`.
- This workflow can also be triggered manually in GitHub Actions. More details are available in [GitHub's documentation](https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/manually-running-a-workflow).

## **4. View Your SBOM & Analysis, and SLSA Provenance**
- Go to **[Scribe Hub → Products](https://app.scribesecurity.com/producer-products)**.
- Select your product to review the **SBOM, security insights, and SLSA provenance** (available under the **Evidence** tab).

---

# **Continue with a Discovery Example**

This example runs a **discovery process** on your GitHub organization to map assets and security posture.

The workflow is available on GitHub: **[GitHub Discovery Workflow](https://github.com/scribe-public/reusable-workflows/blob/main/.github/workflows/github-discovery-101)**

### **Steps to Run the Discovery Workflow:**
1. Replace **`<your-github-org>`** with your **GitHub organization name**.
2. Provide **organization read permissions** to `GH_TOKEN` (your GitHub token).
- Generate a **Fine-Grained Personal Access Token (PAT)** with **read access** to `organization` and `repository metadata` in [GitHub Developer Settings](https://github.com/settings/tokens).
- More details are available in [GitHub's documentation](https://docs.github.com/en/enterprise-cloud@latest/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#managing-pat-access-to-your-organization).

```yaml
name: Github-Discovery-101

env:
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
ORG_NAME: <your-github-org>
SCRIBE_PRODUCT_NAME: Hello-GitHub-Discovery
SCRIBE_PRODUCT_VERSION: "1.0.1"
SCRIBE_TOKEN: ${{ secrets.SCRIBE_API_TOKEN }}
LOG_LEVEL: DEBUG
db.local.store_policy: replace
valint.scribe.client-secret: ${{ secrets.SCRIBE_API_TOKEN }}

on:
workflow_dispatch:

concurrency:
group: build-in-${{ github.ref }}
cancel-in-progress: true

jobs:
GitHub-Discovery:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v3

- name: Find five most recently active repos
run: |
curl -s -H "Authorization: token $GITHUB_TOKEN" \
"https://api.github.com/orgs/$ORG_NAME/repos?sort=updated&per_page=5" | jq -r '.[].full_name' > repo_list.txt
cat repo_list.txt
repo_scope="--repository.mapping "
while IFS= read -r repo; do
repo_scope+="$repo::$SCRIBE_PRODUCT_NAME::$SCRIBE_PRODUCT_VERSION "
done < repo_list.txt
echo "REPO_SCOPE="$repo_scope >> $GITHUB_ENV

- name: Generate a signed deliverable SBOM
uses: scribe-security/action-bom-cli@master
with:
target: 'git:.'
product-key: ${{ env.SCRIBE_PRODUCT_NAME }}
product-version: ${{ env.SCRIBE_PRODUCT_VERSION }}
scribe-client-secret: ${{ env.SCRIBE_TOKEN }}
components: commits,packages,files,dep
format: attest

- name: GitHub Discover
uses: scribe-security/action-platforms@master
with:
command: discover
platform: github
args:
--${{ env.REPO_SCOPE }}
--token=${{ env.GITHUB_TOKEN }}
--url=https://api.github.com
--scope.organization=${{ env.ORG_NAME }}
--commit.skip
--scope.branch=main
--workflow.skip
--organization.mapping=scribe-security::$SCRIBE_PRODUCT_NAME::$SCRIBE_PRODUCT_VERSION
```

---

# **Next Steps**

Additional guides for securing and managing your software supply chain:
- **[Managing SBOMs & Vulnerabilities](../../guides/manag-sbom-and-vul)**
- **[Securing Software with SLSA Framework](../../guides/secure-sfw-slsa)**
- **[Enforcing SDLC Policies](../../guides/enforcing-sdlc-policy)**
- **[Achieving SSDF Compliance](../../guides/ssdf-compliance)**
- **[Securing Your Builds](../../guides/securing-builds)**
Loading