Feature - Record scorecard card scans into Rekor

[naveensrinivasan]

Is your feature request related to a problem? Please describe.
The scorecard scans should attest that the scan was done to a repository state (commit SHA) or binary release. https://rekor.sigstore.dev https://github.com/sigstore/rekor

[asraa]

This would be pretty easy to do! do you mean the scorecard scans from the cron jobs?

[naveensrinivasan]

This would be pretty easy to do! do you mean the scorecard scans from the cron jobs?

As of now in the cronjobs later in the GitHub Actions because we can utilize the OIDC Provider in GitHub Actions and probably in cronjob (if not KMS)

Or should we wait for in-toto attestations #1121 (comment) before we do this?

[naveensrinivasan]

in-toto attestations for scans in-toto/attestation#58

[naveensrinivasan]

Question on storing the scorecard scans in rekor .
scorecard uses the Git SHA as the version when performing scans compared to semver for other binary releases.
Does it make sense to utilize in-toto format? If we use the in-toto format for storing scans, how can consumers search for Scorecard scans based on repository and a commit SHA?

https://sigstore.slack.com/archives/C01DGF0G8U9/p1635876627117600?thread_ts=1635628124.084900&cid=C01DGF0G8U9

We can use the existing in-toto attestations.

[azeemshaikh38]

@naveensrinivasan are you still working on this?

[github-actions]

This issue is stale because it has been open for 60 days with no activity.