Fill out requirements

Signed-off-by: Chris Abraham <[email protected]>
cncf · Aug 5, 2024 · 25e212c · 25e212c
1 parent ad5123e
commit 25e212c
Show file tree

Hide file tree

Showing 5 changed files with 576 additions and 63 deletions.
diff --git a/publications/supply-chain-security-tools/securing-artifacts.md b/publications/supply-chain-security-tools/securing-artifacts.md
@@ -1,31 +1,108 @@
 # Securing Artifacts
 
 {{% blocks/lead color="white" align="left" %}}
-Here are the list of requirements for securing the source code. Each one has a list of tools used to achieve it.
+Here are the list of requirements for securing artifacts. Each one has a list of tools used to achieve it.
 {{% /blocks/lead %}}
 
-## 1. Require signed commits
+## 1. Sign Every Step in the Build Process
 
-## 2. Enforce full attestation and verification for protected branches
+### Tool capability
 
-## 3. Prevent committing secrets to the source code repository
+- sign attestations for every step in the build process
+- define all expected steps in the build process with identities
 
-## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions
+### Tools
 
-## 5. Automate software security scanning and testing
+- SLSA (level 1)
+- in-toto
+- Tekton (chains)
 
-## 6. Establish and adhere to contribution policies
+## 2. Validate the Signatures Generated at Each Step
 
-## 7. Define roles aligned to functional responsibilities
+### Tool capability
 
-## 8. Enforce an independent four-eyes principle
+- verify attestations of every step
 
-## 9. Use branch protection rules
+### Tools
 
-## 10. Enforce MFA for accessing source code repositories
+- in-toto
+- Kyverno (signatures of output images are verified before running containers)
 
-## 11. Use SSH keys to provide developers access to source code repositories
+## 3. Use TUF/Notary to manage signing of artefacts
 
-## 12. Have a Key Rotation Policy
+### Tool capability
 
-## 13. Use short-lived/ephemeral credentials for machine/service access
+- delegate trust for specific artifacts to specific developers
+- enable developer signing of metadata
+- prevent rollback attacks on developer signatures
+
+### Tools
+
+- TUF
+- Tekton (chains uses Sigstore)
+- Kyverno (Kyverno supports Sigstore)
+
+## 4. Use a store to manage metadata from in-toto
+
+### Tool capability
+
+- store in-toto metadata
+
+### Tools
+
+- Sigstore (Rekor?)
+- in-toto (integrated with Rekor, Grafeas, Archivist etc.)
+- Tekton (chains)
+
+
+## 5. Limit which artefacts any given party is authorized to certify
+
+### Tool capability
+
+- specify trusted entities for each artifact in policy
+- enforce this limitation
+
+### Tools
+
+- in-toto
+- TUF
+- Kyverno (Kyverno policy on who is trusted for each signature)
+
+
+## 6. Build in a system for rotating and revoking private keys
+
+### Tool capability
+
+- change policy to revoke a trusted key
+- change policy to rotate a trusted key
+- communicate these changes to users
+
+### Tools
+
+- Sigstore (Fulcio)
+- in-toto (in-toto layouts can rotate and revoke keys for attestations, layout keys are managed separately such as by using TUF)
+- TUF
+- SPIFFE
+
+## 7. Use a container registry that supports OCI image-spec images
+
+### Tool capability
+
+- follow the OCI spec
+
+### Tools
+
+- Sigstore (cosign)
+- Tekton (Pipelines and Chains)
+- Kyverno (Kyverno works with OCI registries)
+
+## 8. Encrypt artefacts before distribution & ensure only authorized platforms have decryption capabilities
+
+### Tool capability
+
+- create policy for which platforms have decryption capabilities
+- enforce this policy
+
+### Tools
+
+- _none_