Update threats.md to discuss SLSA Source Track #1187

Open
TomHennen opened this issue Oct 14, 2024 · 0 comments

Comments

TomHennen (Contributor) commented:

There's an entire section in threats.md about the SLSA Source Track. Before we finish the track we should update threats.md to talk about the source track specifically.

github-project-automation bot moved this to 🆕 New in Issue triage on Oct 14, 2024
TomHennen added a commit to TomHennen/slsa that referenced this issue Oct 14, 2024
Using the same language we have for "Compromise build platform admin".

Filed slsa-framework#1187 to track

Fixes slsa-framework#1179.

Signed-off-by: Tom Hennen <[email protected]>
lehors added a commit that referenced this issue Oct 16, 2024
…1188)

Add mitigation for malicious source platform admin.

We didn't have any guidance for this threat. There are a number of ways
we may be able to address this in the future via the SLSA Source Track
and/or tools like gittuf. However, SLSA doesn't currently address them.
This entire section is already labeled as not being handled by SLSA but
does still include other mitigations.

I'm using the same language we have for "Compromise build platform
admin", which seems like the same sort of threat, and should work 'fine'
until we have something better.

Filed #1187 to track

Fixes #1179.

---------

Signed-off-by: Tom Hennen <[email protected]>
Signed-off-by: Arnaud J Le Hors <[email protected]>
Co-authored-by: Arnaud J Le Hors <[email protected]>
zachariahcox moved this to In review in SLSA Source Track on Nov 18, 2024