SLSA Level 3 Compliance for Oras #1114
Comments
|
@developer-guy if you would be able to provide more details related achieving SLSA Level 3 compliance for the project and feel free to submit a PR with an implementation |
SummaryAll reports published by security companies prove that Software Supply Chain Attacks are on the rise. There is no doubt that they will continue to increase in the coming years. With this undeniable increase, securing our software supply chains is becoming more important for everyone. Protecting our software from such attacks can be quite challenging as there will be a lot of moving parts in our software delivery pipelines, but a great starting point would be to create non-falsifiable, verifiable evidence logs about the software we build, including all the details such as steps, build environment, environment variables, etc. from start to finish when we release our software. This is where Supply Chain Levels for Software Artifacts or SLSA for short comes into the picture. SLSA is a set of standards and technical controls you can adopt to improve artifact integrity and build toward completely resilient systems. It’s not a single tool, but a step-by-step outline to prevent artifacts being tampered with and tampered artifacts from being used, and at the higher levels, hardening up the platforms that make up a supply chain. Problem StatementAs Dan Lorenc said in one of his talks at Open Source Summit (which is my favorite quote from his presentation), because otherwise, we couldn't be sure that the software we were running on our platforms was the software it claimed to be. I roughly liken this approach to how it would be no different than picking up a USB Drive on the road and plugging it into our computer, as in one of my favorite scenes from Mr. Robot. User-facing descriptionThis feature can be used by users of the OpenTF project to make sure that the software they download has not been tampered with. Users can even know everything about the software, including when it was created, who released it, how it was created, etc. As I said above, this document must be verifiable, which means that you have to sign it before you store it, so that you verify that you are who you say you are. Technical DescriptionOne of the ways of generating the SLSA provenance on the GitHub Actions platform is to use SLSA GitHub Generators project which provides language-agnostic SLSA provenance generation for your releases. This project provides a bunch of trusted builders such as Generic, Container, Docker, Go, and many more. We can use the cc @sabre1041 |
|
@developer-guy thank you for providing some additional background. As you shared previously, please work through the implementation of such enhancement |
|
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days. |
|
This issue was closed because it has been stalled for 30 days with no activity. |
Have you ever heard the term "Trusted Builders"? We can achieve SLSA Level 3 for free by using one of the trusted builders the SLSA team provides since Kyverno's release process has already been running on the GitHub Actions platform.
We can give a hand to this one if you want, @JimBugwadia.
cc: @laurentsimon @asraa @Dentrax
References:
Reference works:
The text was updated successfully, but these errors were encountered: