sigrev/README.md

# Scrutinize Spec

April 24, 2024

Version: 0.1

## Table of Contents

- [Scruitinize Specification](#scrutinize-spec)
  - [Table of Contents](#table-of-contents)
  - [1 Introduction](#1-introduction)

## 1. Introduction

## 1.1 Scope

This document describes scrutinize, a system for securing the way software is
reviewed. scrutinize attests that software has been independently reviewed. It
does so by providing users an interface

VCS Support

* Git -- `git+`
* Mercurial -- `hg+`
* Subversion -- `svn+`


## Format

| Field Name | Decription | Required |
| :--- | :--- | :---: |
| version | The version of the schema | yes |
| reviewer | RFC5322 name-addr format (eg. John Doe <johndoe@example.com>) | yes |
| treehash | sha256sum of treehashes | yes |
| paths | a list of filepaths reviewed or reproduced, can include globs | yes |
| artifcts | a list of built artificats with hashes if relevant | no |
| vcs-ref | VCS ref | yes |
| type | The type of review. Allowed values are: function, security, readability, reproducibility | yes |
| confidence | How confident are you in the type of review you did: `low,medium,high` | yes |
| system.platform | The platform used to build `amd64,arm64,etc` | yes |
| system.cpu | Information about the CPU used | no |
| system.cores | Number of cores in CPU | no |
| system.location | location of machine(mostly for reproducibility, if in 'the cloud' include the region e.g AWS:us-east-1, could also be ISO 3166-2) | no |
| comments | freeform text | no |

### Security Review Example

```
version: 0.1
reviewer: Danny Grove <danny@dannygrove.com>
treehash: 9cc0641a294d3ee359ae474aef1a9a6a6657aeb2 
paths:
- ./* 
vcs-ref: git+https://github.com/drGrove/mtls-cli
type: "security",
confidence: "high"
system:
  platform: amd64
  location: "ISO3166-2:US-CA"
comments: |
  Very Secure, much wow
```

### Reproducible Build Example(s)

```
version: 0.1
reviewer: Github Action <github-actions[bot]@users.noreply.github.com> 
treehash: a5fc98c3950d7bb6bf083d5e7c08a91ffef990af
paths:
- ./* 
vcs-ref: git+https://git.distrust.co/public/enclaveos
type: "reproducibility",
confidence: "high"
system:
  platform: amd64
  location: "GHA" # Github Actions, if you're using self-hosted runners use the runners code. e.g. AWS:us-west-2
```

```
version: 0.1
reviewer: Danny Grove
treehash: a5fc98c3950d7bb6bf083d5e7c08a91ffef990af
paths:
- ./* 
vcs-ref: git+https://git.distrust.co/public/enclaveos
type: "reproducibility",
confidence: "high"
system:
  platform: amd64
  location: "AWS:us-east-1"
```

```
version: 0.1
reviewer: Danny Grove
treehash: a5fc98c3950d7bb6bf083d5e7c08a91ffef990af
paths:
- ./* 
vcs-ref: git+https://git.distrust.co/public/enclaveos
type: "reproducibility",
confidence: "high"
system:
  platform: amd64
  location: "AWS:us-east-1"
```
Rough work on initial spec 2024-06-21 22:22:26 +00:00			`# Scrutinize Spec`

			`April 24, 2024`

			`Version: 0.1`

			`## Table of Contents`

			`- [Scruitinize Specification](#scrutinize-spec)`
			`- [Table of Contents](#table-of-contents)`
			`- [1 Introduction](#1-introduction)`

			`## 1. Introduction`

			`## 1.1 Scope`

			`This document describes scrutinize, a system for securing the way software is`
			`reviewed. scrutinize attests that software has been independently reviewed. It`
			`does so by providing users an interface`

			`VCS Support`

			* Git -- `git+`
			* Mercurial -- `hg+`
			* Subversion -- `svn+`


			`## Format`

Fix formatting issues and use a table to make layout cleaner 2024-08-29 20:27:55 +00:00			`\| Field Name \| Decription \| Required \|`
			`\| :--- \| :--- \| :---: \|`
			`\| version \| The version of the schema \| yes \|`
			`\| reviewer \| RFC5322 name-addr format (eg. John Doe <johndoe@example.com>) \| yes \|`
			`\| treehash \| sha256sum of treehashes \| yes \|`
			`\| paths \| a list of filepaths reviewed or reproduced, can include globs \| yes \|`
			`\| artifcts \| a list of built artificats with hashes if relevant \| no \|`
			`\| vcs-ref \| VCS ref \| yes \|`
			`\| type \| The type of review. Allowed values are: function, security, readability, reproducibility \| yes \|`
			\| confidence \| How confident are you in the type of review you did: `low,medium,high` \| yes \|
			\| system.platform \| The platform used to build `amd64,arm64,etc` \| yes \|
			`\| system.cpu \| Information about the CPU used \| no \|`
			`\| system.cores \| Number of cores in CPU \| no \|`
			`\| system.location \| location of machine(mostly for reproducibility, if in 'the cloud' include the region e.g AWS:us-east-1, could also be ISO 3166-2) \| no \|`
			`\| comments \| freeform text \| no \|`

			`### Security Review Example`

			```
Rough work on initial spec 2024-06-21 22:22:26 +00:00			`version: 0.1`
Fix formatting issues and use a table to make layout cleaner 2024-08-29 20:27:55 +00:00			`reviewer: Danny Grove <danny@dannygrove.com>`
			`treehash: 9cc0641a294d3ee359ae474aef1a9a6a6657aeb2`
Rough work on initial spec 2024-06-21 22:22:26 +00:00			`paths:`
Fix formatting issues and use a table to make layout cleaner 2024-08-29 20:27:55 +00:00			`- ./*`
			`vcs-ref: git+https://github.com/drGrove/mtls-cli`
			`type: "security",`
			`confidence: "high"`
Rough work on initial spec 2024-06-21 22:22:26 +00:00			`system:`
Fix formatting issues and use a table to make layout cleaner 2024-08-29 20:27:55 +00:00			`platform: amd64`
			`location: "ISO3166-2:US-CA"`
Rough work on initial spec 2024-06-21 22:22:26 +00:00			`comments: \|`
Fix formatting issues and use a table to make layout cleaner 2024-08-29 20:27:55 +00:00			`Very Secure, much wow`
			```

			`### Reproducible Build Example(s)`

			```
			`version: 0.1`
			`reviewer: Github Action <github-actions[bot]@users.noreply.github.com>`
			`treehash: a5fc98c3950d7bb6bf083d5e7c08a91ffef990af`
			`paths:`
			`- ./*`
			`vcs-ref: git+https://git.distrust.co/public/enclaveos`
			`type: "reproducibility",`
			`confidence: "high"`
			`system:`
			`platform: amd64`
			`location: "GHA" # Github Actions, if you're using self-hosted runners use the runners code. e.g. AWS:us-west-2`
			```

			```
			`version: 0.1`
			`reviewer: Danny Grove`
			`treehash: a5fc98c3950d7bb6bf083d5e7c08a91ffef990af`
			`paths:`
			`- ./*`
			`vcs-ref: git+https://git.distrust.co/public/enclaveos`
			`type: "reproducibility",`
			`confidence: "high"`
			`system:`
			`platform: amd64`
			`location: "AWS:us-east-1"`
			```

			```
			`version: 0.1`
			`reviewer: Danny Grove`
			`treehash: a5fc98c3950d7bb6bf083d5e7c08a91ffef990af`
			`paths:`
			`- ./*`
			`vcs-ref: git+https://git.distrust.co/public/enclaveos`
			`type: "reproducibility",`
			`confidence: "high"`
			`system:`
			`platform: amd64`
			`location: "AWS:us-east-1"`
			```