Skip to content

Commit

Permalink
📖 Update docs for Signed-Releases check (ossf#3469)
Browse files Browse the repository at this point in the history
* Update docs for signed-releases

Signed-off-by: Raghav Kaul <[email protected]>

* update docs

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: Raghav Kaul <[email protected]>
  • Loading branch information
raghavkaul authored Oct 2, 2023
1 parent 7034306 commit c738750
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 0 deletions.
2 changes: 2 additions & 0 deletions docs/checks.md
Original file line number Diff line number Diff line change
Expand Up @@ -600,6 +600,8 @@ This check looks for the following filenames in the project's last five
If a signature is found in the assets for each release, a score of 8 is given.
If a [SLSA provenance file](https://slsa.dev/spec/v0.1/index) is found in the assets for each release (*.intoto.jsonl), the maximum score of 10 is given.

This check looks for the 30 most recent releases associated with an artifact. It ignores the source code-only releases that are created automatically by GitHub.

Note: The check does not verify the signatures.


Expand Down
2 changes: 2 additions & 0 deletions docs/checks/internal/checks.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -632,6 +632,8 @@ checks:
If a signature is found in the assets for each release, a score of 8 is given.
If a [SLSA provenance file](https://slsa.dev/spec/v0.1/index) is found in the assets for each release (*.intoto.jsonl), the maximum score of 10 is given.
This check looks for the 30 most recent releases associated with an artifact. It ignores the source code-only releases that are created automatically by GitHub.
Note: The check does not verify the signatures.
remediation:
- >-
Expand Down

0 comments on commit c738750

Please sign in to comment.