Scribe Integrity helps developers authenticate open-source and proprietary source code
Scribe Security released Scribe Integrity, a code integrity validator that authenticates open-source and proprietary source code, and an integral building block of its platform solving the software supply chain security challenge.
Scribe Integrity provides developers with an added layer of visibility, allowing developers peace of mind that the code they are using is safe. Scribe is simultaneously introducing its open-source Github security project, GitGat.
In 2021, software supply chain (SSC) attacks more than tripled, with recent attacks on SolarWinds, CodeCov, and Log4Shell underscoring the growing risk of such attacks to enterprises.
DevSecOps and security teams often focus on software vulnerabilities, overlooking the risk of tampering with software in the build process. Scribe bridges this gap in a practical manner by providing a convenient work tool that automatically reports integrity validation within a trusted software bill of materials SBOM.
Scribe leverages the principle of ‘hash everything, sign everything’, utilizing open-source intelligence that it collects on open-source dependencies. In this first release, Scribe’s solution addresses the widely used Node.js and the popular npm package manager, which have recently suffered from a multitude of attacks.
Scribe’s additional release, GitGat, is a Policy-as-Code tool, utilizing Open Policy Agent (OPA), an open source project, that addresses users’ security posture. GitGat allows users to periodically run reports to gain insight into the changing security landscape of the organization. As GitGat evolves, it will cover more parts of the CI/CD toolchains.
“As software supply chains are an overlooked corner of the cyber world, they have become an increasingly attractive attack vector for hackers,” said Scribe CEO and Co-founder, Rubi Arbel. “We are excited to be introducing a developer-first, practical tool that will give DevSecOps and security practitioners the assurance they need to trust the software they build and use.”