Comments (3)
The actual reporting UI will be implemented soon
from chain-bench.
Hi @krol3,
I really like your idea, we will work on adding SLSA level as part of each checks metadata soon.
Meantime, Do you have in mind any expected behavior that you wish to see when running chain-bench?
Thanks,
Mor
from chain-bench.
Hi! @morwn, what about the output of this new SLSA report?
how can I see in the output, if it's following the SLSA level "slsa_level": [1,2,3,4] ?
Currently the output is like this:
chain-bench version 0.1.3
2.3.1 Ensure all build steps are defined as code Passed
2.3.5 Ensure access to the build process's triggering is minimized Unknown Organization is not fetched
2.3.7 Ensure pipelines are automatically scanned for vulnerabilities Passed
2.3.8 Ensure scanners are in place to identify and prevent sensitive data in pipeline files Failed Repository is not scanned for secrets
2.4.2 Ensure all external dependencies used in the build process are locked Failed 6 task(s) are not pinned
2.4.6 Ensure pipeline steps produce an SBOM Failed 2 pipeline(s) contain a build job without SBOM generation
3.1.7 Ensure dependencies are pinned to a specific, verified version Failed 6 dependencies are not pinned
3.2.2 Ensure packages are automatically scanned for known vulnerabilities Passed
3.2.3 Ensure packages are automatically scanned for license implications Passed
4.2.3 Ensure user's access to the package registry utilizes MFA Unknown Registry is not fetched
4.2.5 Ensure anonymous access to artifacts is revoked Unknown Registry is not fetched
4.3.4 Ensure webhooks of the package registry are secured Passed
-------- ----------------------------------------------------------------------------------------------- --------- -----------------------------------------------------------
Total Passed Rules: 9 out of 26
2022-08-21 16:49:18 INF Scan completed: 4s
from chain-bench.
Related Issues (20)
- GitLab CI/CD failed HOT 5
- How many checks are in GitLab scan HOT 1
- Self-hosted SCM support
- link to compliance rules missing trailing slash HOT 1
- Sarif report for chain-bench
- chain-bench with gitlab
- Support Bitbucket server SCM
- Remove the needs for write permissions, and/or use fine grained permission tokens
- 1.1.16 and 1.1.17 producing false positives
- chain-bench does not work with gitlab if user id 1 does not exist
- Issue when the sub group has the same name as the repository
- Show showing all columns in the CLI table HOT 1
- output error while running the chain-bench scan HOT 12
- False positives in control `1.2.3` and control `1.2.4` HOT 1
- Does not work with corporative repository HOT 1
- scan locally a repository HOT 1
- New release? HOT 1
- Improve the output - help message HOT 2
- overview Risk HOT 1
- Using the json output is missing information about the repository HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from chain-bench.