Import sigrev draft from scrutinize

This commit is contained in:
Lance Vick 2024-11-05 12:14:32 -08:00
parent 08231a4d22
commit de55d75595
Signed by: lrvick
GPG Key ID: 8E47A1EC35A1551D
1 changed files with 19 additions and 44 deletions

View File

@ -1,12 +1,10 @@
# Scrutinize Spec # SigRev Spec [DRAFT]
April 24, 2024 Version: 0.0
Version: 0.1
## Table of Contents ## Table of Contents
- [Scruitinize Specification](#scrutinize-spec) - [SigRev Specification](#SigRev-spec)
- [Table of Contents](#table-of-contents) - [Table of Contents](#table-of-contents)
- [1 Introduction](#1-introduction) - [1 Introduction](#1-introduction)
@ -14,9 +12,15 @@ Version: 0.1
## 1.1 Scope ## 1.1 Scope
This document describes scrutinize, a system for securing the way software is This document describes the SigRev specification. A sigrev is a signed document
reviewed. scrutinize attests that software has been independently reviewed. It in an specified format attesting to the either human or automated review of
does so by providing users an interface repositories of code in a software supply chain.
It is intended to be agnostic to any particular VCS or code distribution
method, however references to such systems where available will be defined
as possible to assist in making it easier for people to find reviews via
a range of distribution and search tools and databases which are out of scope
for this document.
VCS Support VCS Support
@ -24,7 +28,6 @@ VCS Support
* Mercurial -- `hg+` * Mercurial -- `hg+`
* Subversion -- `svn+` * Subversion -- `svn+`
## Format ## Format
| Field Name | Decription | Required | | Field Name | Decription | Required |
@ -47,11 +50,11 @@ VCS Support
``` ```
version: 0.1 version: 0.1
reviewer: Danny Grove <danny@dannygrove.com> reviewer: John Doe <jdoe@example.com>
treehash: 9cc0641a294d3ee359ae474aef1a9a6a6657aeb2 treehash: 9cc0641a294d3ee359ae474aef1a9a6a6657aeb2
paths: paths:
- ./* - ./*
vcs-ref: git+https://github.com/drGrove/mtls-cli vcs-ref: git+https://reposite.com/example-user/example-repo
type: "security", type: "security",
confidence: "high" confidence: "high"
system: system:
@ -65,39 +68,11 @@ comments: |
``` ```
version: 0.1 version: 0.1
reviewer: Github Action <github-actions[bot]@users.noreply.github.com> reviewer: Reproduction Bot <repro-bot@example.com>
treehash: a5fc98c3950d7bb6bf083d5e7c08a91ffef990af treehash: a5fc98c3950d7bb6bf083d5e7c08a91ffef990af
paths: paths:
- ./* - ./*
vcs-ref: git+https://git.distrust.co/public/enclaveos vcs-ref: git+https://example.com/public/some-repo
type: "reproducibility",
confidence: "high"
system:
platform: amd64
location: "GHA" # Github Actions, if you're using self-hosted runners use the runners code. e.g. AWS:us-west-2
```
```
version: 0.1
reviewer: Danny Grove
treehash: a5fc98c3950d7bb6bf083d5e7c08a91ffef990af
paths:
- ./*
vcs-ref: git+https://git.distrust.co/public/enclaveos
type: "reproducibility",
confidence: "high"
system:
platform: amd64
location: "AWS:us-east-1"
```
```
version: 0.1
reviewer: Danny Grove
treehash: a5fc98c3950d7bb6bf083d5e7c08a91ffef990af
paths:
- ./*
vcs-ref: git+https://git.distrust.co/public/enclaveos
type: "reproducibility", type: "reproducibility",
confidence: "high" confidence: "high"
system: system: