Skip to content
Merged

Dev #325

Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 0 additions & 3 deletions docs/guides/secure-sfw-slsa/slsa-on-scale.md
Original file line number Diff line number Diff line change
Expand Up @@ -49,9 +49,6 @@ Behind the scenes, Scribe Platforms performs several steps to turn raw workflow
* **Run SLSA-compliance initiatives**
Once each provenance file is written, Scribe automatically executes the matching policy-as-code initiative (`slsa.l1` for unsigned L1, `slsa.l2` for signed L2).
The initiative verifies the evidence set, emits a SARIF report, and—when applicable—signs that report before attaching it as additional evidence.
* **Execute SLSA Compliance Initiatives**
After provenance generation, Scribe automatically applies relevant policy-as-code initiatives (`slsa.l1` or `slsa.l2`). These initiatives validate the evidence, generate a SARIF report detailing compliance status, and (for Level 2) sign this report as additional, verifiable evidence.


## 🧪 Example Usage L1 (Unsigned Provenance)

Expand Down
4 changes: 2 additions & 2 deletions docs/integrating-scribe/ci-integrations/github/action-bom.md
Original file line number Diff line number Diff line change
Expand Up @@ -177,15 +177,15 @@ To overcome the limitation install tool directly - **[installer](https://github.
Containerized action can be used on Linux runners as following
```yaml
- name: Generate cyclonedx json SBOM
uses: scribe-security/action-bom@v2.0.3
uses: scribe-security/action-bom@v2.0.4
with:
target: 'busybox:latest'
```

Composite Action can be used on Linux or Windows runners as following
```yaml
- name: Generate cyclonedx json SBOM
uses: scribe-security/action-bom-cli@v2.0.3
uses: scribe-security/action-bom-cli@v2.0.4
with:
target: 'hello-world:latest'
```
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -142,15 +142,15 @@ The `valint evidence` action is a versatile action designed to include various t
Containerized action can be used on Linux runners as following
```yaml
- name: Include evidence derived from a file
uses: scribe-security/action-evidence@v2.0.3
uses: scribe-security/action-evidence@v2.0.4
with:
target: some_file.json
```

Composite Action can be used on Linux or Windows runners as following
```yaml
- name: Include evidence derived from a file
uses: scribe-security/action-evidence-cli@v2.0.3
uses: scribe-security/action-evidence-cli@v2.0.4
with:
target: some_file.json
```
Expand Down
4 changes: 2 additions & 2 deletions docs/integrating-scribe/ci-integrations/github/action-slsa.md
Original file line number Diff line number Diff line change
Expand Up @@ -161,15 +161,15 @@ To overcome the limitation install tool directly - [installer](https://github.co
Containerized action can be used on Linux runners as following
```yaml
- name: Generate SLSA provenance
uses: scribe-security/action-slsa@v2.0.3
uses: scribe-security/action-slsa@v2.0.4
with:
target: 'busybox:latest'
```

Composite Action can be used on Linux or Windows runners as following
```yaml
- name: Generate cyclonedx json SBOM
uses: scribe-security/action-slsa-cli@v2.0.3
uses: scribe-security/action-slsa-cli@v2.0.4
with:
target: 'hello-world:latest'
```
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -182,15 +182,15 @@ Containerized action can be used on Linux runners as following
```yaml
- name: valint verify
id: valint_verify
uses: scribe-security/action-verify@v2.0.3
uses: scribe-security/action-verify@v2.0.4
with:
target: 'busybox:latest'
```

Composite Action can be used on Linux or Windows runners as following
```yaml
- name: Generate cyclonedx json SBOM
uses: scribe-security/action-verify-cli@v2.0.3
uses: scribe-security/action-verify-cli@v2.0.4
with:
target: 'hello-world:latest'
```
Expand Down
106 changes: 33 additions & 73 deletions docs/platforms/bom.md

Large diffs are not rendered by default.

179 changes: 60 additions & 119 deletions docs/platforms/discover.md

Large diffs are not rendered by default.

126 changes: 39 additions & 87 deletions docs/platforms/evidence.md

Large diffs are not rendered by default.

31 changes: 30 additions & 1 deletion docs/platforms/hooks.md
Original file line number Diff line number Diff line change
Expand Up @@ -120,6 +120,7 @@ These hooks are provided by the `platforms` container along with required config
| Trivy Vulnerability Scan | trivy_image | repository | dockerhub | trivy | sarif | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) |
| Trivy IaC and Secrets Scan | trivy_iac_and_secrets | image | dockerhub | trivy | trivy | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) |
| Trivy IaC and Secrets Scan | trivy_iac_and_secrets | repository | github | trivy | trivy | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) |
| Trivy IaC and Secrets Scan (SARIF) | trivy_iac_and_secrets_sarif | repository | github | trivy | sarif | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) |
| Trivy Vulnerability Scan | trivy_image | repository | jfrog | trivy | sarif | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) |
| AppArmor Profile Check | apparmor_namespace | namespace | k8s | apparmor | json | |
| Kubescape Cluster Scan | kubescape_cluster | namespace | k8s | kubescape | kubescape | [Apache-2.0](https://github.com/kubescape/kubescape/blob/master/LICENSE) |
Expand Down Expand Up @@ -174,6 +175,34 @@ run: |

<details>

<summary>Trivy IaC and Secrets Scan (SARIF)</summary>

```yaml
name: Trivy IaC and Secrets Scan (SARIF)
id: trivy_iac_and_secrets_sarif
type: repository
platform: github
command: discover
tool: trivy
parser: sarif
predicate-type: auto
allow_failure: false
use-stdout-evidence: false
license: '[Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE)'
run: |
trivy repository \
--scanners misconfig,secret \
--exit-code 0 \
--format sarif \
--output $HOOK_OUTPUT_FILE \
${REPO_BRANCH:+--branch "$REPO_BRANCH"} \
${REPO_TAG:+--tag "$REPO_TAG"} \
$REMOTE_SOURCE_URL
```
</details>

<details>

<summary>Opengrep Static Analysis Scan</summary>

```yaml
Expand All @@ -190,7 +219,7 @@ license: '[LGPL-2.1](https://github.com/opengrep/opengrep/blob/main/LICENSE)'
predicate-type: auto
timeout: 300
run: |
opengrep scan --metrics=on --config auto --sarif -o "$HOOK_OUTPUT_FILE" "$LOCAL_SOURCE_DIR"
opengrep scan --debug --config auto --sarif -o "$HOOK_OUTPUT_FILE" "$LOCAL_SOURCE_DIR"
```
</details>

Expand Down
7 changes: 2 additions & 5 deletions docs/platforms/usage.md
Original file line number Diff line number Diff line change
Expand Up @@ -61,18 +61,15 @@ In the following sections, we shall explain each command in detail, by going thr
-->
<!-- { "object-type": "command-output-start" } -->
```bash
usage: platforms [-h] [--config CONFIG] [--print_config [=flags]] [--log-level {TRACE,DEBUG,INFO,WARNING,ERROR,CRITICAL}] [--log-file LOG_FILE]
[--db.local.path PATH]
{discover,evidence,bom,verify} ...
usage: platforms [-h] [--config CONFIG] [--print_config [=flags]] [--log-level {TRACE,DEBUG,INFO,WARNING,ERROR,CRITICAL}] [--log-file LOG_FILE] [--db.local.path PATH] {discover,evidence,bom,verify} ...

CLI tool for collecting evidence and enforcing policies via CI/CD platform APIs

options:
-h, --help Show this help message and exit.
--config CONFIG Path to a configuration file.
--print_config [=flags]
Print the configuration after applying all other arguments and exit. The optional flags customizes the output and are one or more keywords
separated by comma. The supported flags are: comments, skip_default, skip_null.
Print the configuration after applying all other arguments and exit. The optional flags customizes the output and are one or more keywords separated by comma. The supported flags are: comments, skip_default, skip_null.
--log-level {TRACE,DEBUG,INFO,WARNING,ERROR,CRITICAL}
Set the logging level (default: INFO)
--log-file LOG_FILE Set the logging file (default: )
Expand Down
Loading
Loading