What is Scribe?
Scribe is a platform designed to ensure the security of software supply chains. It's aimed at aiding software production teams like DevSecOps, AppSec, and development teams within either software vendor or SaaS organizations, as well as software consumers like buyers, compliance officers, and security operators. Scribe assists these users in generating the necessary evidence and policies for managing risk within their supply chains.
Through the use of Scribe, you can assure the security of your product, manage Software Bills of Materials (SBOMs), and adhere to various regulations and standards. These include the NIST's Secure Software Development Framework (SSDF) and the Supply-chain Levels for Software Artifacts (SLSA) standards. In simpler terms, Scribe helps you prove your software is safe, keep track of all the parts used in your software, and follow important rules about software safety.
Scribe continuously gathers and examines evidence from the software development and build processes to confirm that the software was built securely. This includes validating code integrity, ensuring code reviews before building, performing security tests, verifying that only approved dependencies are used, and validating that commits are made exclusively by authorized developers.
Essentially, Scribe acts as a hub where software producers and consumers can exchange this evidence, attesting to the safety of their software products. Both producers and consumers can manage their risk by applying Scribe's policies to the collected evidence. This means that Scribe helps in setting and enforcing rules about what kind of evidence is needed to show that the software is safe.