Removed unwanted changes to this PR. Fixed linting issues.

Signed-off-by: ZYonash <[email protected]>
buildsec · Feb 8, 2023 · 21db1dc · 21db1dc
1 parent 6d2ecb4
commit 21db1dc
Showing 1 changed file with 93 additions and 54 deletions.
diff --git a/docs/content/docs/slsa/frsca-slsa.md b/docs/content/docs/slsa/frsca-slsa.md
@@ -15,7 +15,8 @@ top = false
 
 ## Reminder on SLSA levels
 
-SLSA levels at a high level are as follows (table from [https://slsa.dev/spec/v0.1/levels#summary-of-levels](https://slsa.dev/spec/v0.1/levels#summary-of-levels)):
+SLSA levels at a high level are as follows (table from
+[https://slsa.dev/spec/v0.1/levels#summary-of-levels](https://slsa.dev/spec/v0.1/levels#summary-of-levels)):
 
 | **Level** | **Description**                        | **Example**                                           |
 | --------- | -------------------------------------- | ----------------------------------------------------- |
@@ -34,84 +35,122 @@ The full requirements table can be found here:
 frsca/examples/sample-pipeline
 ```
 
-For the purposes of this document, we're going to be comparing SLSA requirements to what we are deploying via the sample-pipeline.  Please read `frsca/examples/sample-pipeline/README.md` for information on setting up FRSCA and the sample pipeline.
+For the purposes of this document, we're going to be comparing SLSA requirements
+to what we are deploying via the sample-pipeline. Please read
+`frsca/examples/sample-pipeline/README.md` for information on setting up FRSCA
+and the sample pipeline.
 
 # SLSA 1 Requirements
 
-1. Build - [Scripted build](https://slsa.dev/spec/v0.1/requirements#scripted-build) **✅**
-2. Provenance - [Available](https://slsa.dev/spec/v0.1/requirements#available) ✅
+1. Build -
+   [Scripted build](https://slsa.dev/spec/v0.1/requirements#scripted-build)
+   **✅**
+2. Provenance - [Available](https://slsa.dev/spec/v0.1/requirements#available)
+   ✅
 
-`sample-pipeline` meets both of these requirements.  The build is scripted, which is evident in following individual steps from the `Makefile` down through the various shell scripts which setup the FRSCA environment and trigger the build via Tekton Pipelines.
+`sample-pipeline` meets both of these requirements. The build is scripted, which
+is evident in following individual steps from the `Makefile` down through the
+various shell scripts which setup the FRSCA environment and trigger the build
+via Tekton Pipelines.
 
-Because we're using Tekton Chains in conjunction with Tekton Pipelines, provenance is created and available, satisfying the last requirement of SLSA 1.
+Because we're using Tekton Chains in conjunction with Tekton Pipelines,
+provenance is created and available, satisfying the last requirement of SLSA 1.
 
 To prove, once the pipeline completes:
 
-```other
-> crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')"            
-                                                                                                                                                                                            
-0066d00de427d12b9a14e56f02f302031d9c40f3
-sha256-e6dc8ea1ff666893462b64d997d496af8e69e905f2eeaf2ab7ec1fd565921d46.att
-sha256-e6dc8ea1ff666893462b64d997d496af8e69e905f2eeaf2ab7ec1fd565921d46.sbom
-sha256-e6dc8ea1ff666893462b64d997d496af8e69e905f2eeaf2ab7ec1fd565921d46.sig
-```
+  ```bash
+  > crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')"
+
+  0066d00de427d12b9a14e56f02f302031d9c40f3
+  sha256-e6dc8ea1ff666893462b64d997d496af8e69e905f2eeaf2ab7ec1fd565921d46.att
+  sha256-e6dc8ea1ff666893462b64d997d496af8e69e905f2eeaf2ab7ec1fd565921d46.sbom
+  sha256-e6dc8ea1ff666893462b64d997d496af8e69e905f2eeaf2ab7ec1fd565921d46.sig
+  ```
 
 # SLSA 2 Requirements
 
-1. Source - [Version controlled](https://slsa.dev/spec/v0.1/requirements#version-controlled) ✅*
-2. Build - [Build service](https://slsa.dev/spec/v0.1/requirements#build-service) ✅
-3. Provenance - [Authenticated](https://slsa.dev/spec/v0.1/requirements#authenticated) ✅
-4. Provenance - [Service generated](https://slsa.dev/spec/v0.1/requirements#service-generated) ✅
+1. Source -
+   [Version controlled](https://slsa.dev/spec/v0.1/requirements#version-controlled)
+   ✅\*
+2. Build -
+   [Build service](https://slsa.dev/spec/v0.1/requirements#build-service) ✅
+3. Provenance -
+   [Authenticated](https://slsa.dev/spec/v0.1/requirements#authenticated) ✅
+4. Provenance -
+   [Service generated](https://slsa.dev/spec/v0.1/requirements#service-generated)
+   ✅
 
-SLSA 2 introduces four new requirements in addition to the requirements of SLSA 1, all of which are being met by this sample pipeline.
+SLSA 2 introduces four new requirements in addition to the requirements of SLSA
+1, all of which are being met by this sample pipeline.
 
 1. In this example, the original source code is version controlled.
 
-   * It is up to the consumer of FRSCA to ensure they are following proper source requirements.
+   - It is up to the consumer of FRSCA to ensure they are following proper
+     source requirements.
 
-1. The build is being performed within a TaskRun in a Tekton Pipelines PipelineRun.
-2. Provenance is not ony available, but it is authenticated.
+1. The build is being performed within a TaskRun in a Tekton Pipelines
+   PipelineRun.
+1. Provenance is not ony available, but it is authenticated.
 
-```other
-> cosign verify --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"                                                                                                                                                                                        
+    ```bash
+    > cosign verify --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"
 
-Verification for ttl.sh/6b1d3c200c0fe4005da60bddc63873ef/example-sample:919eef3dd425318e9a65cb79b00ee323210ef070 --
-The following checks were performed on each of these signatures:
-  - The cosign claims were validated
-  - The signatures were verified against the specified public key
+    Verification for ttl.sh/6b1d3c200c0fe4005da60bddc63873ef/example-sample:919eef3dd425318e9a65cb79b00ee323210ef070 --
+    The following checks were performed on each of these signatures:
+      - The cosign claims were validated
+      - The signatures were verified against the specified public key
 
-> cosign verify-attestation --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"                                                                                                                                                      
+    > cosign verify-attestation --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"
 
-Verification for ttl.sh/6b1d3c200c0fe4005da60bddc63873ef/example-sample:919eef3dd425318e9a65cb79b00ee323210ef070 --
-The following checks were performed on each of these signatures:
-  - The cosign claims were validated
-  - The signatures were verified against the specified public key
-```
+    Verification for ttl.sh/6b1d3c200c0fe4005da60bddc63873ef/example-sample:919eef3dd425318e9a65cb79b00ee323210ef070 --
+    The following checks were performed on each of these signatures:
+      - The cosign claims were validated
+      - The signatures were verified against the specified public key
+    ```
 
-4. Tekton Chains observes Tekton Pipelines TaskRuns outputting an OCI image and generates provenance directly from the data it obtains, so we're satisfying service generated requirements.
+1. Tekton Chains observes Tekton Pipelines TaskRuns outputting an OCI image and
+   generates provenance directly from the data it obtains, so we're satisfying
+   service generated requirements.
 
 # SLSA 3 Requirements
 
-1. Source - [Verified history](https://slsa.dev/spec/v0.1/requirements#verified-history) ✅*
-2. Source - [Retained indefinitely](https://slsa.dev/spec/v0.1/requirements#retained-indefinitely) (18 mo. for SLSA 3) ✅*
-3. Build - [Build as code](https://slsa.dev/spec/v0.1/requirements#build-as-code) ✅
-4. Build - [Ephemeral environment](https://slsa.dev/spec/v0.1/requirements#ephemeral-environment) ✅
+1. Source -
+   [Verified history](https://slsa.dev/spec/v0.1/requirements#verified-history)
+   ✅\*
+2. Source -
+   [Retained indefinitely](https://slsa.dev/spec/v0.1/requirements#retained-indefinitely)
+   (18 mo. for SLSA 3) ✅\*
+3. Build -
+   [Build as code](https://slsa.dev/spec/v0.1/requirements#build-as-code) ✅
+4. Build -
+   [Ephemeral environment](https://slsa.dev/spec/v0.1/requirements#ephemeral-environment)
+   ✅
 5. Build - [Isolated](https://slsa.dev/spec/v0.1/requirements#isolated) ✅
-6. Provenance - [Non-falsifiable](https://slsa.dev/spec/v0.1/requirements#non-falsifiable) (in progress)
+6. Provenance -
+   [Non-falsifiable](https://slsa.dev/spec/v0.1/requirements#non-falsifiable)
+   (in progress)
 
-Requirements 1 & 2 are asterisked due to the lack of control the FRSCA platform has around the source code management platforms leveraged by the end user.
+Requirements 1 & 2 are asterisked due to the lack of control the FRSCA platform
+has around the source code management platforms leveraged by the end user.
 
+1. See above.
+2. See above.
 3. Every step in the end-to-end build process via Tekton is described as code.
-4. Tasks are executed within a Pod that is specifically tied to that particular TaskRun, and when the TaskRun is complete, the Pod is not reused.
-
-```other
-example-sample-pipeline-7mvgr-clone-repo-pod             0/1     Completed   0          44h
-example-sample-pipeline-7mvgr-build-and-push-image-pod   0/2     Completed   0          44h
-example-sample-pipeline-7mvgr-vulnerability-scan-pod     0/1     Completed   0          44h
-example-sample-pipeline-7mvgr-generate-bom-pod           0/2     Completed   0          44h
-example-sample-pipeline-7mvgr-deploy-to-cluster-pod      0/2     Completed   0          44h
-```
-
-5. In the same vein, the build process within a PipelineRun is completely isolated from other PipelineRuns, and TaskRuns within a PipelineRun also do not share data between each other unless explicitly defined.
-6. Non-falsifiable provenance support by means of SPIFFE/SPIRE is currently in development and awaiting approval.  See [TEP-89](https://github.com/tektoncd/community/blob/main/teps/0089-nonfalsifiable-provenance-support.md) for more information.
-
+4. Tasks are executed within a Pod that is specifically tied to that particular
+   TaskRun, and when the TaskRun is complete, the Pod is not reused.
+
+    ```bash
+    example-sample-pipeline-7mvgr-clone-repo-pod             0/1     Completed   0          44h
+    example-sample-pipeline-7mvgr-build-and-push-image-pod   0/2     Completed   0          44h
+    example-sample-pipeline-7mvgr-vulnerability-scan-pod     0/1     Completed   0          44h
+    example-sample-pipeline-7mvgr-generate-bom-pod           0/2     Completed   0          44h
+    example-sample-pipeline-7mvgr-deploy-to-cluster-pod      0/2     Completed   0          44h
+    ```
+
+5. In the same vein, the build process within a PipelineRun is completely
+   isolated from other PipelineRuns, and TaskRuns within a PipelineRun also do
+   not share data between each other unless explicitly defined.
+6. Non-falsifiable provenance support by means of SPIFFE/SPIRE is currently in
+   development and awaiting approval. See
+   [TEP-89](https://github.com/tektoncd/community/blob/main/teps/0089-nonfalsifiable-provenance-support.md)
+   for more information.