Giter Club home page Giter Club logo

scai-demos's Introduction

in-toto SCAI Generator and Demos

The Software Supply Chain Attribute Integrity, or SCAI (pronounced "sky"), framework is a succinct data format specification for claims and evidence about attributes and integrity about a software artifact and its supply chain.

For more details read our intro doc or the full SCAI spec doc.

In this repo

This repo provides Go and Python implementations of CLI tools for automatically generating SCAI metadata compliant with the in-toto Attestation Framework.

A number of sample use cases for SCAI are implemented in examples/.

In addition, our Go scai-gen CLI tool supports policy checking of SCAI attestations against evidence. Example policies can be found in policies/.

The SCAI specification is hosted under the in-toto Attestation Framework as an attestation predicate.

All documentation can be found under docs/.

Usage

Read the usage doc for instructions on setup and tool invocation for Python and Go environments.

We encourage you to gain a basic understanding of the SCAI specification before using the scai-generator CLI tools in this repo.

For a full demo of how to use the Go scai-gen tools, read our [KubeCon + CloudNativeCon NA '23 doc].

Disclaimer

While the tools in this repo are conformant to the in-toto Attestation Framework, they do not generate authenticated SCAI attestations. The example use cases in this repo are only provided for illustrative purposes, and should not be used in production.

scai-demos's People

Contributors

adityasaky avatar alanssitis avatar dependabot[bot] avatar marcelamelara avatar pxp928 avatar santiagotorres avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar

Forkers

marcelamelara alanssitis mevbot-notcoin fengalex43

scai-demos's Issues

SGX demo?

The SCAI doc mentions an SGX-attested build of a binary with -fstack-protector, and I'm left wondering what the specified process is for checking the evidence in the SCAI predicate with an SGX quote. Is the environment evidence collection and evidence bundle format for attestation verification not part of the spec? This seems really close to CoRIM and its reference-values triple, but it's missing the evidence->reference checking description.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.