
Start signing Atlantis containers and providing signatures/SBOMs for new releases #5157

Closed
1 task done
notdurson opened this issue Dec 12, 2024 · 1 comment · Fixed by #5158
Labels
feature New functionality/enhancement security

Comments

notdurson commented Dec 12, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Describe the user story

As a security engineer, I want to ensure that the containers I deploy into my environment include high-quality software. That software includes dependencies of the app destined to run within a container. I'd also like to implement signature verification into my container import workflow so that I can attest to the provenance of my container ecosystem. Without assurance that the containers that I run are the same ones which were imported from upstream, I may find myself at risk in the future.

Describe the solution you'd like

I would like to implement the following:

  • New container release workflow which signs Atlantis images when they are built and provides the signatures to downstream users for verification.
  • SBOM generation workflow which produces a CycloneDX formatted bill of materials for each new image version.

Describe the drawbacks of your solution

Image attestation is hard. One needs to maintain a private key, which increases the level of trust placed in project maintainers. Project maintenance cost may be slightly increased given that the signature workflow will require additional Actions minutes.

Describe alternatives you've considered

We considered signing our own copy of Atlantis but signing containers without doing anything else is pointless. Part of the supply chain security manifesto, if you can call it that, involves attesting to the quality and safety of the software within an image - not just the provenance of the image. That doesn't just mean the software that the image is intended to run. It means that software, its dependencies, and those dependencies’ transient dependencies. Since we don't fork Atlantis we don't gain anything by signing a copy of it.
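The two workflows described above (signing each released image and publishing a CycloneDX SBOM alongside it), written out as one GitHub Actions job. This is an added illustration, not the issue's own workflow or the code in #5158; it assumes the image is published to ghcr.io under the repository name, that `docker/build-push-action` exposes the image digest as `steps.build.outputs.digest`, and that the `anchore/sbom-action`, `actions/attest-build-provenance` and `actions/attest-sbom` actions are acceptable to the project. The job runs only on tag pushes, so it never executes in the fork-originated pull-request context where the OIDC token needed for keyless signing is unavailable.

```yaml
# Added example: release workflow that signs the image and attaches
# provenance plus a CycloneDX SBOM as verifiable attestations.
name: release-image

on:
  push:
    tags: ['v*']   # assumption: releases are cut from version tags

permissions:
  contents: read
  packages: write       # push image and attestations to ghcr.io
  id-token: write       # OIDC token for Sigstore keyless signing
  attestations: write   # store attestations in GitHub's attestation API

jobs:
  build-sign-attest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Build and push; the digest output is what every attestation binds to,
      # never the mutable tag.
      - id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.ref_name }}

      # Generate a CycloneDX bill of materials from the pushed image so the
      # SBOM reflects the OS packages and Go modules actually in the layers.
      - uses: anchore/sbom-action@v0
        with:
          image: ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}
          format: cyclonedx-json
          output-file: sbom.cdx.json

      # SLSA build provenance, signed keylessly (no long-lived private key
      # for maintainers to protect) and pushed to the registry next to the image.
      - uses: actions/attest-build-provenance@v1
        with:
          subject-name: ghcr.io/${{ github.repository }}
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true

      # Attach the SBOM as a signed attestation on the same digest.
      - uses: actions/attest-sbom@v1
        with:
          subject-name: ghcr.io/${{ github.repository }}
          subject-digest: ${{ steps.build.outputs.digest }}
          sbom-path: sbom.cdx.json
          push-to-registry: true
```

On the consuming side, an import gate can then refuse any image whose digest does not carry an attestation from the expected organisation, e.g. `gh attestation verify oci://ghcr.io/<org>/<image>@sha256:<digest> --owner <org>` (placeholders, not the project's values), and pull the attested SBOM for vulnerability scanning before the image is admitted. Because signing is keyless, the trust decision rests on the workflow identity recorded in the certificate rather than on a key a maintainer must keep secret, which addresses the drawback noted in the issue.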

@notdurson notdurson added the feature New functionality/enhancement label Dec 12, 2024
@dosubot dosubot bot added the security label Dec 12, 2024
notdurson (Contributor, Author) commented

@nitrocode, @GenPage, @X-Guardian, @jamengual Good $getdate to you all. I realize that this may be an inappropriate request and I hope I can ask for forgiveness rather than permission.

We, Cresta, urgently need to be able to verify the provenance of the Atlantis image, as part of an effort to harden our security posture.

#5158 addresses this by implementing signing and attestation via a GitHub action. I have verified that the signing and attestation process succeeds in my fork of Atlantis. However, I've been unable to pass the tests in the Atlantis repository due to a known issue with the attest-build-provenance workflow, wherein it will fail if invoked via a fork-originated PR.

I'd like to request your assistance in merging this change and creating a new Atlantis release before the world takes its collective break next week. I realize that the time frame here is short, and am willing to help however I can or however you need to get this PR over the line.

Thank you in advance for your assistance!
