Included additional information
Included additional information based on code review comments. 

Signed-off-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
naveensrinivasan committed Dec 27, 2022
1 parent 62c76f3 commit 0c06f2d
Showing 1 changed file with 11 additions and 2 deletions.
13 changes: 11 additions & 2 deletions README.md
Expand Up @@ -257,8 +257,18 @@ jobs:
sarif_file: results.sarif
```
## Verifying the Authenticity and Integrity of Scorecard Results
The scorecard system uses several components from [sigstore](https://github.com/sigstore) to ensure tamper-resistant results. These components include cosign, fulcio, and rekor.
This diagram illustrates how Scorecard validates the authenticity and integrity of the results it produces.
Cosign helps to sign the scorecard action results with a cryptographic signature and stores the hash in a tamper-proof store called rekor, which uses technology based on Merkel trees (a specific type of data structure used in blockchain systems).
Fulcio is a free certificate authority that issues short-lived code signing certificates for OpenID Connect identities, such as email addresses. Cosign uses fulcio for ephemeral keys and certificates.
Rekor is a system that aims to provide an unchanging ledger of metadata generated within a software project's supply chain. It allows software maintainers and build systems to record signed metadata, which is then recorded in an immutable record using Merkel trees. Other parties can use this metadata to determine if they can trust the lifecycle of an object. Cosign stores the signed hash of the result in rekor to further enhance the tamper resistance of the scorecard system.
You can learn more about Merkel trees at this link: https://en.wikipedia.org/wiki/Merkle_tree
This diagram illustrates how Scorecard validates the authenticity and integrity of the results it produces.This process allows the repository owner to verify the authenticity and integrity of the scorecard results and make them available for others to access and use.
```mermaid
sequenceDiagram
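Review bot: the new paragraphs misspell "Merkle trees" as "Merkel trees" three times (the link that follows already points at Merkle_tree), and "tamper-proof store" overstates what Rekor gives you: a transparency log is tamper-evident, not tamper-proof, since a modified or removed entry is detectable through the Merkle tree consistency proofs, not prevented. Suggest "Merkle" throughout and "stores the signature and certificate in a tamper-evident transparency log called Rekor". The sentence "This diagram illustrates how Scorecard validates the authenticity and integrity of the results it produces." now appears twice in this hunk, the second time fused to the next sentence with no space before "This process allows"; keep only the occurrence directly above the ```mermaid fence. Finally, "stores the hash in ... rekor" is imprecise: the Rekor entry records the artifact digest together with the signature and the Fulcio certificate, which is what a later verifier checks against.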
Expand All @@ -275,4 +285,3 @@ api.securityscorecards.dev->>Scorecard action: Return status
1. The cosign library, which is embedded in the Scorecard action, signs and stores a hash of result.json file in the `rekor.sigstore.dev` service.
1. The result.json file is posted to the `api.securityscorecards.dev` service.
1. The `api.securityscorecards.dev` service validates the authenticity of the results with `rekor.sigstore.dev` before storing the results.
1. This process allows the repository owner to verify the authenticity and integrity of the scorecard results and make them available for others to access and use.
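Review bot: dropping this final list item is fine since its sentence is moved into the prose above the diagram, but the list now ends on step 3, which says the service "validates the authenticity of the results with rekor.sigstore.dev" without saying what is validated. Suggest adding a sentence stating what the API checks in the Rekor entry (for instance, that the certificate identity in the entry is the Scorecard workflow of the repository being reported on), so a reader knows what the integrity guarantee actually rests on.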
