Software Supply Chain Attribute Integrity (SCAI) Demos and CLI tools
- Host: GitHub
- URL: https://github.com/in-toto/scai-demos
- Owner: in-toto
- License: apache-2.0
- Created: 2023-01-24T03:38:13.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-12-17T01:23:11.000Z (about 1 month ago)
- Last Synced: 2024-12-17T01:44:51.959Z (about 1 month ago)
- Topics: attestations, cli, demos, software-supply-chain-security
- Language: Go
- Size: 4.1 MB
- Stars: 18
- Watchers: 5
- Forks: 4
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: CODEOWNERS
# in-toto SCAI Generator and Demos
The Software Supply Chain Attribute Integrity, or SCAI (pronounced "sky"),
framework is a succinct data format specification for claims and evidence about
the attributes and integrity of a software artifact and its supply chain.

For more details, read our [intro doc] or the full [SCAI spec doc].
## In this repo
This repo provides [Go](scai-gen/) and [Python](python/) implementations of
CLI tools for automatically generating SCAI metadata compliant with the
[in-toto Attestation Framework].

A number of sample use cases for SCAI are implemented in
[examples/](examples/).

In addition, our Go [scai-gen](scai-gen/) CLI tool supports policy checking of
SCAI attestations against evidence. Example policies can be found in
[policies/](policies/).

The [SCAI specification] is hosted under the
in-toto Attestation Framework as an attestation predicate.

All documentation can be found under [docs/](docs/).
## Usage
Read the [usage doc] for instructions on setup and tool invocation
for Python and Go environments.

We encourage you to gain a basic understanding of the [SCAI specification]
before using the scai-generator CLI tools in this repo.

For a full demo of how to use the Go [scai-gen](scai-gen/) tools, read our
[KubeCon + CloudNativeCon NA '23] demo doc.

## Disclaimer
While the tools in this repo are conformant to the
[in-toto Attestation Framework], they do not generate **authenticated** SCAI
attestations. The example use cases in this repo are only provided for
illustrative purposes, and should not be used in production.

[in-toto Attestation Framework]: https://github.com/in-toto/attestation/tree/main/spec
[intro doc]: docs/intro.md
[KubeCon + CloudNativeCon NA '23]: kccncna2023-demo/README.md
[usage doc]: docs/usage.md
[SCAI specification]: https://github.com/in-toto/attestation/blob/main/spec/predicates/scai.md
[SCAI spec doc]: https://arxiv.org/pdf/2210.05813.pdf