public
/
sigrev
5
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Import sigrev draft from scrutinize

This commit is contained in:
Lance Vick 2024-11-05 12:14:32 -08:00
parent 08231a4d22
commit de55d75595
Signed by: lrvick
GPG Key ID: 8E47A1EC35A1551D
1 changed files with 19 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
README.md → docs/spec.md
View File

@ -1,12 +1,10 @@
# Scrutinize Spec
# SigRev Spec [DRAFT]
April 24, 2024
Version: 0.1
Version: 0.0
## Table of Contents
- [Scruitinize Specification](#scrutinize-spec)
- [SigRev Specification](#SigRev-spec)
- [Table of Contents](#table-of-contents)
- [1 Introduction](#1-introduction)
@ -14,9 +12,15 @@ Version: 0.1
## 1.1 Scope
This document describes scrutinize, a system for securing the way software is
reviewed. scrutinize attests that software has been independently reviewed. It
does so by providing users an interface
This document describes the SigRev specification. A sigrev is a signed document
in an specified format attesting to the either human or automated review of
repositories of code in a software supply chain.
It is intended to be agnostic to any particular VCS or code distribution
method, however references to such systems where available will be defined
as possible to assist in making it easier for people to find reviews via
a range of distribution and search tools and databases which are out of scope
for this document.
VCS Support
@ -24,7 +28,6 @@ VCS Support
* Mercurial -- `hg+`
* Subversion -- `svn+`
## Format
| Field Name | Decription | Required |
@ -47,11 +50,11 @@ VCS Support
```
version: 0.1
reviewer: Danny Grove <danny@dannygrove.com>
reviewer: John Doe <jdoe@example.com>
treehash: 9cc0641a294d3ee359ae474aef1a9a6a6657aeb2
paths:
- ./*
vcs-ref: git+https://github.com/drGrove/mtls-cli
vcs-ref: git+https://reposite.com/example-user/example-repo
type: "security",
confidence: "high"
system:
@ -65,39 +68,11 @@ comments: |
```
version: 0.1
reviewer: Github Action <github-actions[bot]@users.noreply.github.com>
reviewer: Reproduction Bot <repro-bot@example.com>
treehash: a5fc98c3950d7bb6bf083d5e7c08a91ffef990af
paths:
- ./*
vcs-ref: git+https://git.distrust.co/public/enclaveos
type: "reproducibility",
confidence: "high"
system:
platform: amd64
location: "GHA" # Github Actions, if you're using self-hosted runners use the runners code. e.g. AWS:us-west-2
```
```
version: 0.1
reviewer: Danny Grove
treehash: a5fc98c3950d7bb6bf083d5e7c08a91ffef990af
paths:
- ./*
vcs-ref: git+https://git.distrust.co/public/enclaveos
type: "reproducibility",
confidence: "high"
system:
platform: amd64
location: "AWS:us-east-1"
```
```
version: 0.1
reviewer: Danny Grove
treehash: a5fc98c3950d7bb6bf083d5e7c08a91ffef990af
paths:
- ./*
vcs-ref: git+https://git.distrust.co/public/enclaveos
vcs-ref: git+https://example.com/public/some-repo
type: "reproducibility",
confidence: "high"
system: