May 10-12, 2023
Vancouver, British Columbia, Canada + Virtual
Friday, May 12 • 11:00am - 11:40am
Verifying the Validity of Crowd-Sourced Results in the Open Source Community: The Scorecard GitHub Action and Sigstore - Naveen Srinivasan, Independent & Spencer Schrock, Google

The Scorecard GitHub Action is a tool that helps ensure the security of OSS projects and helps users determine the safety of their dependencies. The OpenSSF Scorecard is an automated tool that assesses many critical heuristics ("checks") associated with software security and assigns each check a score of 0-10. The Scorecard Action runs automatically on every repository that has installed it whenever code is merged to the main branch, and its results are stored in the Scorecard API, which serves as the source of crowd-sourced results. These crowd-sourced results need to be trustworthy, yet the Action runs in a GitHub workflow controlled by the project maintainer who installed it. This talk will go into the details of how we added integrity protection to the results. We will provide a comprehensive overview of how the Scorecard GitHub Action uses Sigstore (cosign, fulcio, and rekor) to build this remote attestation mechanism. Using diagrams and code examples, we will walk through the workflow for validating rekor results and provide practical guidance for attendees. This interactive element of the talk will help the community understand the mechanics behind verifying the authenticity and integrity of crowd-sourced results.
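The trust chain the abstract refers to (a short-lived key certified against the workflow's identity, the result signed with that key, the entry countersigned by a transparency log, and a consumer that trusts only the CA and log keys) as an added illustrative model in Go; this is not Scorecard's or Sigstore's code, and the certificate and log-entry layouts, the Ed25519 keys and the workflow identity string are constructed simplifications of what Fulcio and Rekor actually produce.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Cert stands in for a Fulcio certificate: a short-lived key bound to the
// requesting workflow's OIDC identity and signed by the CA (constructed layout).
type Cert struct {
	PubKey   ed25519.PublicKey
	Identity string
	CASig    []byte
}

// Entry stands in for a Rekor entry: the log countersigns digest, cert and
// signature together, so none of them can be swapped after logging.
type Entry struct {
	Digest, Sig, LogSig []byte
	Cert                Cert
}

func certBytes(c Cert) []byte { return append(append([]byte{}, c.PubKey...), c.Identity...) }
func entryBytes(e Entry) []byte {
	return append(append(append([]byte{}, e.Digest...), certBytes(e.Cert)...), e.Sig...)
}

// Publish models the Action run: ephemeral key, cert, signed result, log entry.
func Publish(caPriv, logPriv ed25519.PrivateKey, identity string, result []byte) Entry {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cert := Cert{PubKey: pub, Identity: identity}
	cert.CASig = ed25519.Sign(caPriv, certBytes(cert))
	d := sha256.Sum256(result)
	e := Entry{Digest: d[:], Cert: cert, Sig: ed25519.Sign(priv, d[:])}
	e.LogSig = ed25519.Sign(logPriv, entryBytes(e))
	return e
}

// Verify models the consumer: it trusts only the CA and log keys and accepts a
// result only when it was signed under the expected workflow identity.
func Verify(caPub, logPub ed25519.PublicKey, want string, result []byte, e Entry) error {
	d := sha256.Sum256(result)
	switch {
	case !ed25519.Verify(logPub, entryBytes(e), e.LogSig):
		return fmt.Errorf("log countersignature invalid")
	case !ed25519.Verify(caPub, certBytes(e.Cert), e.Cert.CASig):
		return fmt.Errorf("certificate not issued by the trusted CA")
	case e.Cert.Identity != want:
		return fmt.Errorf("signer %q is not the expected workflow", e.Cert.Identity)
	case string(e.Digest) != string(d[:]) || !ed25519.Verify(e.Cert.PubKey, d[:], e.Sig):
		return fmt.Errorf("result does not match the logged signature")
	}
	return nil
}
```

The identity check is the step that matters for crowd-sourced results: a valid signature from some other workflow in a fork is rejected even though its certificate and log entry are otherwise genuine.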

Speakers
Naveen Srinivasan

OSS Contributor, Independent
Naveen Srinivasan is a contributor and maintainer of multiple OpenSSF projects, a member and contributor to the Sigstore organization, and a contributor to the SLSA code base. His contributions have earned him recognition with Google Peer Bonus awards in 2021 and 2022. He has consistently contributed to the open-source community for an extended period, with no gaps in activity for the past two years. In addition to his technical contributions, he is a sought-after speaker at conferences, discussing topics related to supply chain security and mitigating...
Spencer Schrock

Software Engineer, Google
Spencer is a software engineer in the Google Open Source Security Team (GOSST). He works on tooling to assess and remediate security risks in consuming open source.

Friday May 12, 2023 11:00am - 11:40am PDT
122 (Level 1)