slsa-github-generator
certificate-transparency-go
slsa-github-generator | certificate-transparency-go | |
---|---|---|
3 | 8 | |
378 | 844 | |
5.3% | 2.3% | |
9.0 | 9.5 | |
6 days ago | 6 days ago | |
Go | Go | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
slsa-github-generator
- SLSA up to v1.9.0 (latest) breaking GHA pipelines
-
UEFI Software Bill of Materials Proposal
https://github.com/slsa-framework/slsa-github-generator#gene... :
> Supply chain Levels for Software Artifacts, or SLSA (salsa), is a security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises.
> SLSA defines an incrementally-adoptable set of levels which are defined in terms of increasing compliance and assurance. SLSA levels are like a common language to talk about how secure software, supply chains and their component parts really are.
- slsa-github-generator: Language-agnostic SLSA provenance generation for Github Actions
certificate-transparency-go
- Show HN: Free Certificate Monitoring via RSS
-
Have governments ever been caught using a CA backdoor?
If you're talking about a certificate honored by a browser, these days they'd have to put it in a CT log, or at least obtain a "signed certificate timestamp" from a CT log: https://certificate.transparency.dev/
-
UEFI Software Bill of Materials Proposal
>This feels like this might actually be a use-case for a blockchain or a Merkle Tree.
A few years ago, this idea[0] had been explored by Google as a possible application of their Trillian[1] distributed ledger, which is based on Merkle Trees.
I don't know if they've advanced adoption of Trillian for firmware, however, the website lists Go packaging[2], Certificate Transparency [3], and SigStore[4] as current applications.
have used Trillian as the basis for their Certificate Transparency implementation.[2]
[0] https://github.com/google/trillian-examples/tree/master/bina...
[1] https://transparency.dev/
[2] https://go.googlesource.com/proposal/+/master/design/25530-s...
[3] https://certificate.transparency.dev/
[4] https://www.sigstore.dev/
-
Last Chance to Fix EIDAS (Mozilla)
You can find more about certificate monitoring and who are involved here
https://certificate.transparency.dev/
-
Last Week's Let's Encrypt Downtime
Excellent question! The sctcheck command from https://github.com/google/certificate-transparency-go/ can be used to check the signatures of embedded SCTs.
I've also got an online tool which you can use to test a site for CT policy compliance: https://sslmate.com/labs/ct_policy_analyzer/
Example of a working site: https://sslmate.com/labs/ct_policy_analyzer/?sslmate.com
Example of one of the sites affected by the Let's Encrypt incident: https://sslmate.com/labs/ct_policy_analyzer/?thecandyshake.c...
-
Golang is evil on shitty networks
The x509 package has unfortunately burned me several times, this one included. It is too anal about non-fatal errors, that Google themselves forked it (and asn1) to improve usability.
https://github.com/google/certificate-transparency-go
-
Parsing Certificate Transparency end in X509Cert is nil
ogClient, err := client.New( l.URI, &http.Client{ Timeout: 10 * time.Second, Transport: &http.Transport{ TLSHandshakeTimeout: 30 * time.Second, ResponseHeaderTimeout: 30 * time.Second, MaxIdleConnsPerHost: 10, DisableKeepAlives: false, MaxIdleConns: 100, IdleConnTimeout: 90 * time.Second, ExpectContinueTimeout: 1 * time.Second, }, }, jsonclient.Options{UserAgent: "ct-go-scanlog/1.0"}, ) if err != nil { fmt.Fprintf(os.Stderr, "%s -> Failed to create new client: %s\n", l.Name, err) return } sth, err := logClient.GetSTH(context.TODO()) if err != nil { fmt.Fprintf(os.Stderr, "%s -> Failed to get SignedTreeHead: %s\n", l.Name, err) return } fmt.Printf("%s -> Number of logs: %d\n", l.Name, sth.TreeSize) index := uint64(0) // Logs MAY return fewer than the number of leaves requested. Only complete // if we actually got all the leaves we were expecting. // See more: https://github.com/google/certificate-transparency-go/blob/52d94d8cbab94d6698621839ab1a439d17ebbfb2/scanner/fetcher.go#L263 for index <= sth.TreeSize { fmt.Printf("%s -> New fetch start with index %d-%d\n", l.Name, index, index+100) entries, err := logClient.GetRawEntries(context.TODO(), int64(index), int64(index)+100) if err != nil { fmt.Fprintf(os.Stderr, "%s -> Failed to get raw entries: %s\n", l.Name, err) return } if entries == nil { fmt.Fprintf(os.Stderr, "%s -> entries is nil", l.Name) return } if DEBUG { fmt.Printf("%s -> Got %d leaf entry\n", l.Name, len(entries.Entries)) } for i := range entries.Entries { rawLogE, err := ct.RawLogEntryFromLeaf(int64(index), &entries.Entries[i]) if err != nil { fmt.Fprintf(os.Stderr, "%s -> Failed to parse leaf to raw entry at index %d: %s\n", l.Name, index, err) index++ continue } logE, err := rawLogE.ToLogEntry() if err != nil { fmt.Printf("%s -> Failed to convert raw log to log at index %d: %s\n", l.Name, index, err) index++ continue } /* * This check is true most of the time. */ if logE.X509Cert == nil { fmt.Printf("%s -> Failed to read log cert at index %d: X509Cert is nil\n", l.Name, index) index++ continue } if DEBUG { fmt.Printf("%s -> Leaf entry at %d is parsed successfuly!\n", l.Name, index) } entryChan <- *logE index++ } }
-
Google's Certificate Transparency Search page to be discontinued May 15th, 2022
Yes, you can use the certificate-transparency go code to pull down from the trillian API https://github.com/google/certificate-transparency-go/blob/m...
You would need to know the index, or you could just iterate over a range
What are some alternatives?
Open-Source-Security-Guide - Open Source Security Guide. Learn all about Security Standards (FIPS, CIS, FedRAMP, FISMA, etc.), Frameworks, Threat Models, Encryption, and Benchmarks.
osv.dev - Open source vulnerability DB and triage service.
slsa-provenance-action - Github Action implementation of SLSA Provenance Generation
trillian-examples - A place to store some examples which use Trillian APIs to build things.
trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
libnodelay - A small wrapper library that adds the TCP_NODELAY option for all sockets.
appvm - Nix-based app VMs
certspotter - Certificate Transparency Log Monitor
vuls - Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
plan9port - Plan 9 from User Space
gitleaks - Protect and discover secrets using Gitleaks 🔑
GhidraChatGPT - Brings the power of ChatGPT to Ghidra!