Add pages for Supply Chain Security Tools Mappings (#1319)
* Don't store search increments in the browser history
  Signed-off-by: Chris Abraham <[email protected]>
* Add pages for Supply Chain Security Tools Mappings
  Signed-off-by: Chris Abraham <[email protected]>
* update copy
  Signed-off-by: Chris Abraham <[email protected]>
* fix lint and spelling
  Signed-off-by: Chris Abraham <[email protected]>
* Reformat requirements sections
  Signed-off-by: Chris Abraham <[email protected]>
* Fill out requirements
  Signed-off-by: Chris Abraham <[email protected]>

---------

Signed-off-by: Chris Abraham <[email protected]>
1 parent 282719f, commit b3c06f1
Showing 8 changed files with 701 additions and 1 deletion.
@@ -60,6 +60,8 @@ | |
"frontmatter", | ||
"Gamal", | ||
"gconv", | ||
"gitsign", | ||
"gittuf", | ||
"GUAC", | ||
"helm", | ||
"HIPAA", | ||
|
@@ -0,0 +1,11 @@ | ||
# Supply Chain Security Tools Mappings | ||
|
||
{{% blocks/lead color="white" align="left" %}} | ||
Find out what tools are used to secure the supply chain. Explore the general requirement categories below. | ||
{{% /blocks/lead %}} | ||
|
||
1. [Securing the Source Code](securing-source-code.md) | ||
2. [Securing Materials](securing-materials.md) | ||
3. [Securing Build Pipelines](securing-build-pipelines.md) | ||
4. [Securing Artifacts](securing-artifacts.md) | ||
5. [Securing Deployments](securing-deployments.md) |
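Review bot: the five entries link with bare relative `.md` paths (`securing-source-code.md` and so on); Hugo's Goldmark renderer does not rewrite such links to page URLs unless a link render hook is configured, so confirm they resolve on the rendered site or switch to `{{< relref "securing-source-code.md" >}}` and the equivalent for the other four pages.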
publications/supply-chain-security-tools/securing-artifacts.md (108 changes: 108 additions & 0 deletions)
@@ -0,0 +1,108 @@ | ||
# Securing Artifacts | ||
|
||
{{% blocks/lead color="white" align="left" %}} | ||
Here are the list of requirements for securing artifacts. Each one has a list of tools used to achieve it. | ||
{{% /blocks/lead %}} | ||
|
||
## 1. Sign Every Step in the Build Process | ||
|
||
### Tool capability | ||
|
||
- sign attestations for every step in the build process | ||
- define all expected steps in the build process with identities | ||
|
||
### Tools | ||
|
||
- SLSA (level 1) | ||
- in-toto | ||
- Tekton (chains) | ||
|
||
## 2. Validate the Signatures Generated at Each Step | ||
|
||
### Tool capability | ||
|
||
- verify attestations of every step | ||
|
||
### Tools | ||
|
||
- in-toto | ||
- Kyverno (signatures of output images are verified before running containers) | ||
|
||
## 3. Use TUF/Notary to manage signing of artefacts | ||
|
||
### Tool capability | ||
|
||
- delegate trust for specific artifacts to specific developers | ||
- enable developer signing of metadata | ||
- prevent rollback attacks on developer signatures | ||
|
||
### Tools | ||
|
||
- TUF | ||
- Tekton (chains uses Sigstore) | ||
- Kyverno (Kyverno supports Sigstore) | ||
|
||
## 4. Use a store to manage metadata from in-toto | ||
|
||
### Tool capability | ||
|
||
- store in-toto metadata | ||
|
||
### Tools | ||
|
||
- Sigstore (Rekor?) | ||
- in-toto (integrated with Rekor, Grafeas, Archivist etc.) | ||
- Tekton (chains) | ||
|
||
|
||
## 5. Limit which artefacts any given party is authorized to certify | ||
|
||
### Tool capability | ||
|
||
- specify trusted entities for each artifact in policy | ||
- enforce this limitation | ||
|
||
### Tools | ||
|
||
- in-toto | ||
- TUF | ||
- Kyverno (Kyverno policy on who is trusted for each signature) | ||
|
||
|
||
## 6. Build in a system for rotating and revoking private keys | ||
|
||
### Tool capability | ||
|
||
- change policy to revoke a trusted key | ||
- change policy to rotate a trusted key | ||
- communicate these changes to users | ||
|
||
### Tools | ||
|
||
- Sigstore (Fulcio) | ||
- in-toto (in-toto layouts can rotate and revoke keys for attestations, layout keys are managed separately such as by using TUF) | ||
- TUF | ||
- SPIFFE | ||
|
||
## 7. Use a container registry that supports OCI image-spec images | ||
|
||
### Tool capability | ||
|
||
- follow the OCI spec | ||
|
||
### Tools | ||
|
||
- Sigstore (cosign) | ||
- Tekton (Pipelines and Chains) | ||
- Kyverno (Kyverno works with OCI registries) | ||
|
||
## 8. Encrypt artefacts before distribution & ensure only authorized platforms have decryption capabilities | ||
|
||
### Tool capability | ||
|
||
- create policy for which platforms have decryption capabilities | ||
- enforce this policy | ||
|
||
### Tools | ||
|
||
- _none_ |
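Review bot: `SLSA (level 1)` under requirement 1 (Sign Every Step in the Build Process) does not match the capability it is listed for: SLSA is a framework rather than a signing tool, and its level 1 only requires that provenance exists, with signed (authenticated) provenance first required at level 2, so either drop the level qualifier or cite the level that actually mandates signed provenance. Two smaller items in the same file: `- Sigstore (Rekor?)` under requirement 4 leaves an editorial question mark in published copy (Rekor is Sigstore's transparency log and accepts in-toto attestation entries, so the entry can be stated plainly), and the headings mix `artefacts` (requirements 3, 5 and 8) with `artifacts` in the title and elsewhere; pick one spelling. The doubled blank lines before requirements 5 and 6 will also be flagged by the markdown linter this commit says it satisfies.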