Danny Grove 08231a4d22
Fix formatting issues and use a table to make layout cleaner
2024-08-29 14:02:59 -07:00

Scrutinize Spec

April 24, 2024

Version: 0.1

Table of Contents

1. Introduction

1.1 Scope

This document describes scrutinize, a system for securing the way software is reviewed. scrutinize attests that software has been independently reviewed. It does so by providing users an interface

VCS Support

- Git -- `git+`
- Mercurial -- `hg+`
- Subversion -- `svn+`

Format

| Field Name | Description | Required |
|---|---|---|
| version | The version of the schema | yes |
| reviewer | RFC 5322 name-addr format (e.g. `John Doe <johndoe@example.com>`) | yes |
| treehash | sha256sum of treehashes | yes |
| paths | A list of file paths reviewed or reproduced; can include globs | yes |
| artifacts | A list of built artifacts with hashes, if relevant | no |
| vcs-ref | VCS ref, prefixed with the VCS scheme from the VCS Support list (e.g. `git+`) | yes |
| type | The type of review. Allowed values: `function`, `security`, `readability`, `reproducibility` | yes |
| confidence | How confident you are in the type of review you did: `low`, `medium`, `high` | yes |
| system.platform | The platform used to build: `amd64`, `arm64`, etc. | yes |
| system.cpu | Information about the CPU used | no |
| system.cores | Number of cores in the CPU | no |
| system.location | Location of the machine (mostly for reproducibility; if in "the cloud" include the region, e.g. `AWS:us-east-1`; could also be ISO 3166-2) | no |
| comments | Freeform text | no |

Security Review Example

```yaml
version: 0.1
reviewer: Danny Grove <danny@dannygrove.com>
treehash: 9cc0641a294d3ee359ae474aef1a9a6a6657aeb2
paths:
  - ./*
vcs-ref: git+https://github.com/drGrove/mtls-cli
type: "security"
confidence: "high"
system:
  platform: amd64
  location: "ISO3166-2:US-CA"
comments: |
  Very Secure, much wow
```

Reproducible Build Example(s)

```yaml
version: 0.1
reviewer: Github Action <github-actions[bot]@users.noreply.github.com>
treehash: a5fc98c3950d7bb6bf083d5e7c08a91ffef990af
paths:
  - ./*
vcs-ref: git+https://git.distrust.co/public/enclaveos
type: "reproducibility"
confidence: "high"
system:
  platform: amd64
  location: "GHA" # Github Actions; if you're using self-hosted runners use the runner's code, e.g. AWS:us-west-2
```

```yaml
version: 0.1
reviewer: Danny Grove <danny@dannygrove.com>
treehash: a5fc98c3950d7bb6bf083d5e7c08a91ffef990af
paths:
  - ./*
vcs-ref: git+https://git.distrust.co/public/enclaveos
type: "reproducibility"
confidence: "high"
system:
  platform: amd64
  location: "AWS:us-east-1"
```

```yaml
version: 0.1
reviewer: Danny Grove <danny@dannygrove.com>
treehash: a5fc98c3950d7bb6bf083d5e7c08a91ffef990af
paths:
  - ./*
vcs-ref: git+https://git.distrust.co/public/enclaveos
type: "reproducibility"
confidence: "high"
system:
  platform: amd64
  location: "AWS:us-east-1"
```
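A consumer of these review documents has to reject malformed ones before trusting them, so the following is an added example (not part of the scrutinize project) of a validator for the 0.1 schema described in the Format table. It takes the document as a dict, i.e. what a YAML library returns for one of the example files, and applies the required-field, enumerated-value and VCS-prefix rules from that table; the `validate` function name and the error strings are this example's own.

```python
"""Validate a scrutinize review document (schema version 0.1).

Assumption: the caller has already parsed the YAML file into a dict (for
example with yaml.safe_load); this code only checks the Format rules.
"""
import re
from email.utils import parseaddr

REQUIRED = ("version", "reviewer", "treehash", "paths", "vcs-ref",
            "type", "confidence")
REVIEW_TYPES = {"function", "security", "readability", "reproducibility"}
CONFIDENCE = {"low", "medium", "high"}
VCS_PREFIXES = ("git+", "hg+", "svn+")   # schemes from the VCS Support list
HEX = re.compile(r"^[0-9a-f]+$")


def validate(doc):
    """Return a list of problems; an empty list means the document is valid."""
    errors = []
    for field in REQUIRED:
        if field not in doc:
            errors.append(f"missing required field: {field}")
    if errors:                      # do not inspect values that are absent
        return errors
    # YAML parses `version: 0.1` as a float, so compare its string form.
    if str(doc["version"]) != "0.1":
        errors.append(f"unsupported schema version: {doc['version']}")
    # RFC 5322 name-addr: both a display name and a mailbox are required.
    name, addr = parseaddr(str(doc["reviewer"]))
    if not name or "@" not in addr:
        errors.append("reviewer must be RFC 5322 name-addr, "
                      "e.g. 'Jane Doe <jane@example.com>'")
    if not HEX.match(str(doc["treehash"])):
        errors.append("treehash must be a lowercase hex digest")
    if not isinstance(doc["paths"], list) or not doc["paths"]:
        errors.append("paths must be a non-empty list")
    if not str(doc["vcs-ref"]).startswith(VCS_PREFIXES):
        errors.append("vcs-ref must start with one of: "
                      + ", ".join(VCS_PREFIXES))
    if doc["type"] not in REVIEW_TYPES:
        errors.append(f"unknown review type: {doc['type']}")
    if doc["confidence"] not in CONFIDENCE:
        errors.append(f"unknown confidence: {doc['confidence']}")
    system = doc.get("system")
    if not isinstance(system, dict) or "platform" not in system:
        errors.append("system.platform is required")
    return errors
```

Run against the Security Review Example above it returns an empty list; a document whose `reviewer` lacks the mailbox, or whose `vcs-ref` has no VCS prefix, is reported field by field so the reviewer can fix it before the attestation is relied on.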