Include dependency verification in scorecard #664
Comments
Thanks for the suggestion. This is definitely something we should consider supporting long-term. We've been hesitant to add any check around signature verification so far, mostly because there does not seem to be a well-rounded story around key management/discoverability/revocation. We need to take a second look. Related link for npm: https://docs.npmjs.com/verifying-the-pgp-signature-for-a-package-from-the-npm-public-registry There are other ongoing efforts like sigstore that are relevant. Any feedback, suggestions or ideas are welcome!
I think we can work on Dependency verification check
@laurentsimon Thoughts?
Agreed, it's a great idea. We can start with the integrity part and implement it in the Pinned Dependency check. Is that what you had in mind too, @naveensrinivasan?
Yes, that's what I had in mind. For the first pass we check if the file exists and if it has
@laurentsimon What about the score calculation? How should this affect the score? |
IIUC, the Are there any other subtleties we need to be aware of? For example, for Npm, #1174 was a surprise to me. |
This issue is stale because it has been open for 60 days with no activity. |
Discussed in 5/16 meeting: |
Dependency verification, as implemented by Gradle for example, allows verifying both checksums and signatures of dependencies actually used in a build. It is, IMHO, significantly more important than using an automated dependency upgrade tool, in comparison.
It would be great if this was actually considered in the score, since we strongly encourage users to enable dependency verification as a tool to reduce the risks of supply chain attacks.
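Added example, not scorecard's code and not Gradle's: a Go sketch of the integrity half of the check discussed above. It parses the subset of gradle/verification-metadata.xml that matters, reports whether metadata and signature verification are switched on and which artifacts are pinned only by a weak hash or not at all, and performs the resolution-time comparison Gradle does for sha256 entries: an artifact absent from the file, or whose bytes do not match the pinned value, is rejected. The type and function names, the `Finding` shape and the sample file are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/xml"
	"fmt"
	"strings"
)

// Subset of the gradle/verification-metadata.xml schema an integrity check
// needs. These Go types are this example's own, not scorecard's.
type Checksum struct {
	Value string `xml:"value,attr"`
}

type Artifact struct {
	Name   string     `xml:"name,attr"`
	MD5    []Checksum `xml:"md5"`
	SHA1   []Checksum `xml:"sha1"`
	SHA256 []Checksum `xml:"sha256"`
	SHA512 []Checksum `xml:"sha512"`
	PGP    []Checksum `xml:"pgp"` // signing key IDs trusted for this artifact
}

type Component struct {
	Group     string     `xml:"group,attr"`
	Name      string     `xml:"name,attr"`
	Version   string     `xml:"version,attr"`
	Artifacts []Artifact `xml:"artifact"`
}

type VerificationMetadata struct {
	XMLName          xml.Name    `xml:"verification-metadata"`
	VerifyMetadata   bool        `xml:"configuration>verify-metadata"`
	VerifySignatures bool        `xml:"configuration>verify-signatures"`
	Components       []Component `xml:"components>component"`
}

func ParseVerificationMetadata(data []byte) (*VerificationMetadata, error) {
	var m VerificationMetadata
	if err := xml.Unmarshal(data, &m); err != nil {
		return nil, fmt.Errorf("parse verification-metadata.xml: %w", err)
	}
	return &m, nil
}

// Finding is one possible shape for what a first-pass check reports (assumed).
type Finding struct {
	VerifyMetadata, VerifySignatures bool
	Components                       int
	Weak                             []string // no sha256/sha512 and no trusted PGP key
}

func Assess(m *VerificationMetadata) Finding {
	f := Finding{VerifyMetadata: m.VerifyMetadata, VerifySignatures: m.VerifySignatures, Components: len(m.Components)}
	for _, c := range m.Components {
		for _, a := range c.Artifacts {
			strong := len(a.SHA256) > 0 || len(a.SHA512) > 0
			signed := m.VerifySignatures && len(a.PGP) > 0 // md5/sha1 alone are not collision resistant
			if !strong && !signed {
				f.Weak = append(f.Weak, fmt.Sprintf("%s:%s:%s/%s", c.Group, c.Name, c.Version, a.Name))
			}
		}
	}
	return f
}

// VerifyArtifact mirrors Gradle's behaviour for sha256 entries: unlisted or
// mismatching artifacts fail the build.
func VerifyArtifact(m *VerificationMetadata, group, name, version, artifact string, content []byte) error {
	id := fmt.Sprintf("%s:%s:%s/%s", group, name, version, artifact)
	for _, c := range m.Components {
		if c.Group != group || c.Name != name || c.Version != version {
			continue
		}
		for _, a := range c.Artifacts {
			if a.Name != artifact {
				continue
			}
			if len(a.SHA256) == 0 {
				return fmt.Errorf("%s: no sha256 pinned", id)
			}
			sum := sha256.Sum256(content)
			got := hex.EncodeToString(sum[:])
			for _, ck := range a.SHA256 {
				want := strings.ToLower(strings.TrimSpace(ck.Value))
				if subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1 {
					return nil
				}
			}
			return fmt.Errorf("%s: sha256 mismatch, got %s", id, got)
		}
	}
	return fmt.Errorf("%s: not listed in verification metadata", id)
}

// SampleMetadata is a constructed file, not from any real project. The hashes
// are SHA-256("abc") and SHA-1("abc"), so the bytes "abc" stand in for a jar.
const SampleMetadata = `<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <verify-metadata>true</verify-metadata>
    <verify-signatures>false</verify-signatures>
  </configuration>
  <components>
    <component group="com.example" name="widget" version="2.3.1">
      <artifact name="widget-2.3.1.jar">
        <sha256 value="ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" origin="Generated by Gradle"/>
      </artifact>
    </component>
    <component group="com.example" name="legacy-lib" version="1.0">
      <artifact name="legacy-lib-1.0.jar">
        <sha1 value="a9993e364706816aba3e25717850c26c9cd0d89d" origin="Generated by Gradle"/>
      </artifact>
    </component>
  </components>
</verification-metadata>`

func main() {
	m, err := ParseVerificationMetadata([]byte(SampleMetadata))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", Assess(m))
	fmt.Println("genuine:", VerifyArtifact(m, "com.example", "widget", "2.3.1", "widget-2.3.1.jar", []byte("abc")))
	fmt.Println("tampered:", VerifyArtifact(m, "com.example", "widget", "2.3.1", "widget-2.3.1.jar", []byte("abd")))
}
```

The split between `Assess` and `VerifyArtifact` matches the two questions in the thread: whether the repository has opted in (file present, which flags are set, how strongly each artifact is pinned) versus whether a given download actually matches. A scorecard-style check can only answer the first from the repository contents; the second is what Gradle itself enforces at build time.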