Welcome to the February edition of This Month in Minder, highlighting our latest project updates and community contributions!
Added support for Go in Minder, so that you can use the pr_trusty_check rule type to automatically add comments to PRs that contain Go dependencies with higher risk profiles. (Trusty is a free-to-use web app that provides data and scoring on the supply chain risk for open source packages.)
Added new rule types to help you detect homoglyph attacks, like invisible characters and mixed scripts. (If you’re not sure what homoglyph attacks are, read this blog post for more background and how Minder can help.)
Added the following new parameters to the artifact signature rule type:
Repository specification: Define the exact repository that builds your artifact, such as https://github.com/stacklok/minder, ensuring the artifacts you publish for others to use originate from your expected trusted source.
Branch identification: Specify the branch, for instance, main, to narrow down the source of acceptable changes. This ensures that your artifact doesn’t come from a development branch or from a branch with malicious intent.
Signer identity: Define the identity that builds your artifact. It could be a workflow or your email address that Sigstore used to generate a short-lived Fulcio certificate. For example, you can specify your docker-image-build-push.yml workflow name to ensure that the artifact your project publishes was produced through approved CI/CD processes. This protects you from a potential vulnerability where another person or workflow gains access to your repository permissions and publishes, in parallel, a malicious version of your artifact.
Certificate issuer: Pinpoint the certificate issuer, e.g., https://token.actions.githubusercontent.com, to ensure artifacts are a result of specific, trusted processes.
Runner environment setting: Specify the environment, such as github-hosted, to validate the context in which the artifact was built. This allows you to further strengthen your posture in case you’re building artifacts on private GitHub runners.
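The five parameters above all reduce to the same operation: compare the identity values that a signing certificate records against the provenance you expect, and fail closed on any mismatch. The following is an added example (not Minder's code and not its configuration schema) of that policy check in Python. The claim keys (source_repository_uri, source_repository_ref, build_signer_uri, issuer, runner_environment) and the sample claims are constructed for illustration; mapping them onto the actual extensions of a Fulcio certificate is left out.

```python
"""Policy check over signer-identity claims, modelled on the repository,
branch, signer identity, certificate issuer and runner environment parameters.
Added example; claim names and sample values are constructed, not Minder's."""

from dataclasses import dataclass


@dataclass(frozen=True)
class SignaturePolicy:
    """Expected provenance of a signed artifact (constructed schema)."""
    repository: str          # e.g. https://github.com/stacklok/minder
    branch: str              # e.g. main
    signer_workflow: str     # e.g. docker-image-build-push.yml
    certificate_issuer: str  # e.g. https://token.actions.githubusercontent.com
    runner_environment: str  # e.g. github-hosted

    @property
    def expected_ref(self) -> str:
        # Compare the full ref, so 'main-evil' or a tag cannot satisfy 'main'.
        return f"refs/heads/{self.branch}"

    @property
    def expected_signer(self) -> str:
        # The signer is the workflow file pinned to this repo and ref, not just
        # any workflow that happens to share the file name.
        return f"{self.repository}/.github/workflows/{self.signer_workflow}@{self.expected_ref}"


def evaluate(claims: dict, policy: SignaturePolicy) -> list:
    """Return the list of violations; an empty list means the artifact passes.

    `claims` holds the identity values a verifier extracted from the signing
    certificate (keys are constructed names). Every comparison is exact and a
    missing claim counts as a mismatch, so the check fails closed."""
    checks = [
        ("repository", claims.get("source_repository_uri"), policy.repository),
        ("branch ref", claims.get("source_repository_ref"), policy.expected_ref),
        ("signer identity", claims.get("build_signer_uri"), policy.expected_signer),
        ("certificate issuer", claims.get("issuer"), policy.certificate_issuer),
        ("runner environment", claims.get("runner_environment"), policy.runner_environment),
    ]
    return [f"{name}: got {actual!r}, expected {expected!r}"
            for name, actual, expected in checks if actual != expected]


# Policy using the values quoted in the text above.
POLICY = SignaturePolicy(
    repository="https://github.com/stacklok/minder",
    branch="main",
    signer_workflow="docker-image-build-push.yml",
    certificate_issuer="https://token.actions.githubusercontent.com",
    runner_environment="github-hosted",
)

# Constructed claims: the legitimate release build.
GOOD_CLAIMS = {
    "source_repository_uri": "https://github.com/stacklok/minder",
    "source_repository_ref": "refs/heads/main",
    "build_signer_uri": "https://github.com/stacklok/minder/.github/workflows/"
                        "docker-image-build-push.yml@refs/heads/main",
    "issuer": "https://token.actions.githubusercontent.com",
    "runner_environment": "github-hosted",
}

# Constructed claims: same workflow file name, but built from a fork, on a
# feature branch, on a self-hosted runner. Only the issuer still matches.
FORK_CLAIMS = {
    **GOOD_CLAIMS,
    "source_repository_uri": "https://github.com/someone-else/minder",
    "source_repository_ref": "refs/heads/feature",
    "build_signer_uri": "https://github.com/someone-else/minder/.github/workflows/"
                        "docker-image-build-push.yml@refs/heads/feature",
    "runner_environment": "self-hosted",
}

# Constructed claims: right repo and branch, but signed by a different workflow.
OTHER_WORKFLOW_CLAIMS = {
    **GOOD_CLAIMS,
    "build_signer_uri": "https://github.com/stacklok/minder/.github/workflows/"
                        "nightly.yml@refs/heads/main",
}

if __name__ == "__main__":
    for label, claims in [("good", GOOD_CLAIMS), ("fork", FORK_CLAIMS),
                          ("other workflow", OTHER_WORKFLOW_CLAIMS)]:
        print(label, evaluate(claims, POLICY) or "accepted")
```

This check assumes the signature itself and the certificate chain have already been verified; it is the step that follows, deciding whether a validly signed artifact came from the place you expect. Note that the fork case is caught even though the workflow file name matches, because the signer identity is compared as a full URI pinned to repository and ref.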
Welcome new contributors @puerco and @dmjb!
Thanks to contributor @Vyom-Yadav for helping to fix rate limiting errors and a caching issue!
The sigstore-go library cut its first release, and now has sigstore bundle & rekor verification, Timestamp Authority verification, TUF support, and more.
Here’s how we used OpenFGA, a CNCF Sandbox project, to build Minder’s new multi-tenant, relationship-based authorization model. Thanks to the OpenFGA team for this solution; it’s helped us greatly simplify Minder’s codebase!
Check out our latest demo about how Minder can analyze new packages introduced in a pull request for their supply chain risk heuristics (using scores from trustypkg.dev) and active vulnerabilities (using the OSV.dev database from Google Open Source).
Take a look at our public roadmap to see what we’re releasing next!
To learn more and get started with Minder, visit our project repo.