From df13d855cb4e333ffd1b4051b2da04760e7c5410 Mon Sep 17 00:00:00 2001 From: Raghav Kaul <8695110+raghavkaul@users.noreply.github.com> Date: Mon, 2 Oct 2023 08:18:15 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=93=96=20Update=20docs=20for=20Signed-Rel?= =?UTF-8?q?eases=20check=20(#3469)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Update docs for signed-releases Signed-off-by: Raghav Kaul * update docs Signed-off-by: Raghav Kaul --------- Signed-off-by: Raghav Kaul Signed-off-by: Diogo Teles Sant'Anna --- docs/checks.md | 2 ++ docs/checks/internal/checks.yaml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/docs/checks.md b/docs/checks.md index 242258234a9..56b74a9df73 100644 --- a/docs/checks.md +++ b/docs/checks.md @@ -601,6 +601,8 @@ This check looks for the following filenames in the project's last five If a signature is found in the assets for each release, a score of 8 is given. If a [SLSA provenance file](https://slsa.dev/spec/v0.1/index) is found in the assets for each release (*.intoto.jsonl), the maximum score of 10 is given. +This check looks for the 30 most recent releases associated with an artifact. It ignores the source code-only releases that are created automatically by GitHub. + Note: The check does not verify the signatures. diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml index 55b3c154533..5ea4166e459 100644 --- a/docs/checks/internal/checks.yaml +++ b/docs/checks/internal/checks.yaml @@ -633,6 +633,8 @@ checks: If a signature is found in the assets for each release, a score of 8 is given. If a [SLSA provenance file](https://slsa.dev/spec/v0.1/index) is found in the assets for each release (*.intoto.jsonl), the maximum score of 10 is given. + This check looks for the 30 most recent releases associated with an artifact. It ignores the source code-only releases that are created automatically by GitHub. + Note: The check does not verify the signatures. remediation: - >-
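Review bot: In the docs/checks.md hunk, the added sentence ("This check looks for the 30 most recent releases") contradicts the unchanged context line just above it, which still reads "This check looks for the following filenames in the project's last five"; if 30 is the current behaviour, that earlier sentence is now stale and should be updated in the same patch, otherwise the new number is wrong. The phrase "releases associated with an artifact" also reads backwards, since artifacts are attached to releases rather than the other way round; "the 30 most recent releases of the repository" would be clearer. Suggested replacement for the new line: "This check looks at the repository's 30 most recent releases. It ignores the source-code-only releases that GitHub creates automatically."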
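Review bot: The docs/checks/internal/checks.yaml hunk carries the same sentence as the checks.md hunk, so whatever wording is settled on there ("last five" versus "30 most recent", and "source-code-only" with hyphens) needs the identical change here, or the two documents will drift apart. The unchanged "Note: The check does not verify the signatures." that follows is still accurate after this change and should stay, since the new sentence describes only which releases are inspected, not any verification.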