Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add pages for Supply Chain Security Tools Mappings #1319

Merged
merged 8 commits into from
Aug 7, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions ci/spelling-config.json
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,8 @@
"frontmatter",
"Gamal",
"gconv",
"gitsign",
"gittuf",
"GUAC",
"helm",
"HIPAA",
Expand Down
11 changes: 11 additions & 0 deletions publications/supply-chain-security-tools/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# Supply Chain Security Tools Mappings

{{% blocks/lead color="white" align="left" %}}
Find out what tools are used to secure the supply chain. Explore the general requirement categories below.
{{% /blocks/lead %}}

1. [Securing the Source Code](securing-source-code.md)
2. [Securing Materials](securing-materials.md)
3. [Securing Build Pipelines](securing-build-pipelines.md)
4. [Securing Artifacts](securing-artifacts.md)
5. [Securing Deployments](securing-deployments.md)
108 changes: 108 additions & 0 deletions publications/supply-chain-security-tools/securing-artifacts.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
# Securing Artifacts

{{% blocks/lead color="white" align="left" %}}
Here are the list of requirements for securing artifacts. Each one has a list of tools used to achieve it.
{{% /blocks/lead %}}

## 1. Sign Every Step in the Build Process

### Tool capability

- sign attestations for every step in the build process
- define all expected steps in the build process with identities

### Tools

- SLSA (level 1)
- in-toto
- Tekton (chains)

## 2. Validate the Signatures Generated at Each Step

### Tool capability

- verify attestations of every step

### Tools

- in-toto
- Kyverno (signatures of output images are verified before running containers)

## 3. Use TUF/Notary to manage signing of artefacts

### Tool capability

- delegate trust for specific artifacts to specific developers
- enable developer signing of metadata
- prevent rollback attacks on developer signatures

### Tools

- TUF
- Tekton (chains uses Sigstore)
- Kyverno (Kyverno supports Sigstore)

## 4. Use a store to manage metadata from in-toto

### Tool capability

- store in-toto metadata

### Tools

- Sigstore (Rekor?)
- in-toto (integrated with Rekor, Grafeas, Archivist etc.)
- Tekton (chains)


## 5. Limit which artefacts any given party is authorized to certify

### Tool capability

- specify trusted entities for each artifact in policy
- enforce this limitation

### Tools

- in-toto
- TUF
- Kyverno (Kyverno policy on who is trusted for each signature)


## 6. Build in a system for rotating and revoking private keys

### Tool capability

- change policy to revoke a trusted key
- change policy to rotate a trusted key
- communicate these changes to users

### Tools

- Sigstore (Fulcio)
- in-toto (in-toto layouts can rotate and revoke keys for attestations, layout keys are managed separately such as by using TUF)
- TUF
- SPIFFE

## 7. Use a container registry that supports OCI image-spec images

### Tool capability

- follow the OCI spec

### Tools

- Sigstore (cosign)
- Tekton (Pipelines and Chains)
- Kyverno (Kyverno works with OCI registries)

## 8. Encrypt artefacts before distribution & ensure only authorized platforms have decryption capabilities

### Tool capability

- create policy for which platforms have decryption capabilities
- enforce this policy

### Tools

- _none_
Loading
Loading