From 4fe636a0ac21d2fbf48d7f03284c57ebd12100a9 Mon Sep 17 00:00:00 2001 From: Chris Abraham Date: Fri, 12 Jul 2024 09:42:42 +0700 Subject: [PATCH 1/6] Don't store search increments in the browser history Signed-off-by: Chris Abraham --- website/layouts/_default/search.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/layouts/_default/search.html b/website/layouts/_default/search.html index bbd1ecf8a..c778147c4 100644 --- a/website/layouts/_default/search.html +++ b/website/layouts/_default/search.html @@ -55,7 +55,7 @@

{{ .Title }}

var newUrl = baseUrl + "?" + urlParams.toString(); // Update the browser history (optional) - window.history.pushState({}, null, newUrl); + history.replaceState(null, '', newUrl); } From cdc7259cb2edd864fdca1ad3732aca1b347ec50a Mon Sep 17 00:00:00 2001 From: Chris Abraham Date: Sun, 14 Jul 2024 15:26:39 +0700 Subject: [PATCH 2/6] Add pages for Supply Chain Security Tools Mappings Signed-off-by: Chris Abraham --- .../supply-chain-security-tools/README.md | 11 +++++ .../securing-aretfacts.md | 46 +++++++++++++++++++ .../securing-build-pipelines.md | 46 +++++++++++++++++++ .../securing-deployments.md | 46 +++++++++++++++++++ .../securing-materials.md | 46 +++++++++++++++++++ .../securing-source-code.md | 46 +++++++++++++++++++ 6 files changed, 241 insertions(+) create mode 100644 publications/supply-chain-security-tools/README.md create mode 100644 publications/supply-chain-security-tools/securing-aretfacts.md create mode 100644 publications/supply-chain-security-tools/securing-build-pipelines.md create mode 100644 publications/supply-chain-security-tools/securing-deployments.md create mode 100644 publications/supply-chain-security-tools/securing-materials.md create mode 100644 publications/supply-chain-security-tools/securing-source-code.md diff --git a/publications/supply-chain-security-tools/README.md b/publications/supply-chain-security-tools/README.md new file mode 100644 index 000000000..4f924a61d --- /dev/null +++ b/publications/supply-chain-security-tools/README.md @@ -0,0 +1,11 @@ +# Supply Chain Security Tools Mappings + +{{% blocks/lead color="white" align="left" %}} +Find out what tools are used to secure the supply chain. Explore the general requirement categories below. +{{% /blocks/lead %}} + +1. [Securing the Source Code](securing-source-code.md) +2. [Securing Materials](securing-materials.md) +3. [Securing Build Pipelines](securing-build-pipelines.md) +4. [Securing Artefacts](securing-aretfacts.md) +5. [Securing Deployments](securing-deployments.md) diff --git a/publications/supply-chain-security-tools/securing-aretfacts.md b/publications/supply-chain-security-tools/securing-aretfacts.md new file mode 100644 index 000000000..01ffc73e2 --- /dev/null +++ b/publications/supply-chain-security-tools/securing-aretfacts.md @@ -0,0 +1,46 @@ +# Securing Artefacts + +{{% blocks/lead color="white" align="left" %}} +Here are the list of requirements for securing the source code. Each one has a list of tools used to achieve it. +{{% /blocks/lead %}} + +## 1. Require signed commits + +Tool capability: sign commits, verify signed commits + +#### Tools +- Sigstore (gitsign) +- gittuf +- GUAC + + +## 2. Enforce full attestation and verification for protected branches + +Tool capability: monitor protected branches + +#### Tools +- gittuf + + +## 3. Prevent committing secrets to the source code repository + +## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions + +## 5. Automate software security scanning and testing + +## 6. Establish and adhere to contribution policies + +## 7. Define roles aligned to functional responsibilities + +## 8. Enforce an independent four-eyes principle + +## 9. Use branch protection rules + +## 10. Enforce MFA for accessing source code repositories + +## 11. Use SSH keys to provide developers access to source code repositories + +## 12. Have a Key Rotation Policy + +## 13. Use short-lived/ephemeral credentials for machine/service access + diff --git a/publications/supply-chain-security-tools/securing-build-pipelines.md b/publications/supply-chain-security-tools/securing-build-pipelines.md new file mode 100644 index 000000000..f9b8b26ed --- /dev/null +++ b/publications/supply-chain-security-tools/securing-build-pipelines.md @@ -0,0 +1,46 @@ +# Securing Build Pipelines + +{{% blocks/lead color="white" align="left" %}} +Here are the list of requirements for securing the source code. Each one has a list of tools used to achieve it. +{{% /blocks/lead %}} + +## 1. Require signed commits + +Tool capability: sign commits, verify signed commits + +#### Tools +- Sigstore (gitsign) +- gittuf +- GUAC + + +## 2. Enforce full attestation and verification for protected branches + +Tool capability: monitor protected branches + +#### Tools +- gittuf + + +## 3. Prevent committing secrets to the source code repository + +## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions + +## 5. Automate software security scanning and testing + +## 6. Establish and adhere to contribution policies + +## 7. Define roles aligned to functional responsibilities + +## 8. Enforce an independent four-eyes principle + +## 9. Use branch protection rules + +## 10. Enforce MFA for accessing source code repositories + +## 11. Use SSH keys to provide developers access to source code repositories + +## 12. Have a Key Rotation Policy + +## 13. Use short-lived/ephemeral credentials for machine/service access + diff --git a/publications/supply-chain-security-tools/securing-deployments.md b/publications/supply-chain-security-tools/securing-deployments.md new file mode 100644 index 000000000..872e635a7 --- /dev/null +++ b/publications/supply-chain-security-tools/securing-deployments.md @@ -0,0 +1,46 @@ +# Securing Deployments + +{{% blocks/lead color="white" align="left" %}} +Here are the list of requirements for securing the source code. Each one has a list of tools used to achieve it. +{{% /blocks/lead %}} + +## 1. Require signed commits + +Tool capability: sign commits, verify signed commits + +#### Tools +- Sigstore (gitsign) +- gittuf +- GUAC + + +## 2. Enforce full attestation and verification for protected branches + +Tool capability: monitor protected branches + +#### Tools +- gittuf + + +## 3. Prevent committing secrets to the source code repository + +## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions + +## 5. Automate software security scanning and testing + +## 6. Establish and adhere to contribution policies + +## 7. Define roles aligned to functional responsibilities + +## 8. Enforce an independent four-eyes principle + +## 9. Use branch protection rules + +## 10. Enforce MFA for accessing source code repositories + +## 11. Use SSH keys to provide developers access to source code repositories + +## 12. Have a Key Rotation Policy + +## 13. Use short-lived/ephemeral credentials for machine/service access + diff --git a/publications/supply-chain-security-tools/securing-materials.md b/publications/supply-chain-security-tools/securing-materials.md new file mode 100644 index 000000000..56438b85d --- /dev/null +++ b/publications/supply-chain-security-tools/securing-materials.md @@ -0,0 +1,46 @@ +# Securing Materials + +{{% blocks/lead color="white" align="left" %}} +Here are the list of requirements for securing the source code. Each one has a list of tools used to achieve it. +{{% /blocks/lead %}} + +## 1. Require signed commits + +Tool capability: sign commits, verify signed commits + +#### Tools +- Sigstore (gitsign) +- gittuf +- GUAC + + +## 2. Enforce full attestation and verification for protected branches + +Tool capability: monitor protected branches + +#### Tools +- gittuf + + +## 3. Prevent committing secrets to the source code repository + +## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions + +## 5. Automate software security scanning and testing + +## 6. Establish and adhere to contribution policies + +## 7. Define roles aligned to functional responsibilities + +## 8. Enforce an independent four-eyes principle + +## 9. Use branch protection rules + +## 10. Enforce MFA for accessing source code repositories + +## 11. Use SSH keys to provide developers access to source code repositories + +## 12. Have a Key Rotation Policy + +## 13. Use short-lived/ephemeral credentials for machine/service access + diff --git a/publications/supply-chain-security-tools/securing-source-code.md b/publications/supply-chain-security-tools/securing-source-code.md new file mode 100644 index 000000000..1b625f339 --- /dev/null +++ b/publications/supply-chain-security-tools/securing-source-code.md @@ -0,0 +1,46 @@ +# Securing the Source Code + +{{% blocks/lead color="white" align="left" %}} +Here are the list of requirements for securing the source code, which is a subcategory of the overall requirements for supply chain security. +{{% /blocks/lead %}} + +## 1. Require signed commits + +Tool capability: sign commits, verify signed commits + +#### Tools +- Sigstore (gitsign) +- gittuf +- GUAC + + +## 2. Enforce full attestation and verification for protected branches + +Tool capability: monitor protected branches + +#### Tools +- gittuf + + +## 3. Prevent committing secrets to the source code repository + +## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions + +## 5. Automate software security scanning and testing + +## 6. Establish and adhere to contribution policies + +## 7. Define roles aligned to functional responsibilities + +## 8. Enforce an independent four-eyes principle + +## 9. Use branch protection rules + +## 10. Enforce MFA for accessing source code repositories + +## 11. Use SSH keys to provide developers access to source code repositories + +## 12. Have a Key Rotation Policy + +## 13. Use short-lived/ephemeral credentials for machine/service access + From f1e36a7f9f03cba2a29930800bdbf551abf6e7b2 Mon Sep 17 00:00:00 2001 From: Chris Abraham Date: Sun, 14 Jul 2024 15:40:46 +0700 Subject: [PATCH 3/6] update copy Signed-off-by: Chris Abraham --- .../supply-chain-security-tools/securing-source-code.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/publications/supply-chain-security-tools/securing-source-code.md b/publications/supply-chain-security-tools/securing-source-code.md index 1b625f339..bc907411e 100644 --- a/publications/supply-chain-security-tools/securing-source-code.md +++ b/publications/supply-chain-security-tools/securing-source-code.md @@ -1,7 +1,7 @@ # Securing the Source Code {{% blocks/lead color="white" align="left" %}} -Here are the list of requirements for securing the source code, which is a subcategory of the overall requirements for supply chain security. +Here are the list of requirements for securing the source code, which is a subcategory of the overall requirements for supply chain security. For each requirement is a list of tools used to meet that requirement. {{% /blocks/lead %}} ## 1. Require signed commits From 557577b45f641c029fb7bdd2d40e2dfb225b362b Mon Sep 17 00:00:00 2001 From: Chris Abraham Date: Mon, 15 Jul 2024 14:56:03 +0700 Subject: [PATCH 4/6] fix lint and spelling Signed-off-by: Chris Abraham --- ci/spelling-config.json | 2 ++ .../supply-chain-security-tools/README.md | 2 +- ...uring-aretfacts.md => securing-artifacts.md} | 17 +---------------- .../securing-build-pipelines.md | 15 --------------- .../securing-deployments.md | 15 --------------- .../securing-materials.md | 15 --------------- .../securing-source-code.md | 9 ++++----- 7 files changed, 8 insertions(+), 67 deletions(-) rename publications/supply-chain-security-tools/{securing-aretfacts.md => securing-artifacts.md} (83%) diff --git a/ci/spelling-config.json b/ci/spelling-config.json index eabc7a458..2d2989db1 100644 --- a/ci/spelling-config.json +++ b/ci/spelling-config.json @@ -60,6 +60,8 @@ "frontmatter", "Gamal", "gconv", + "gitsign", + "gittuf", "GUAC", "helm", "HIPAA", diff --git a/publications/supply-chain-security-tools/README.md b/publications/supply-chain-security-tools/README.md index 4f924a61d..1d80eade9 100644 --- a/publications/supply-chain-security-tools/README.md +++ b/publications/supply-chain-security-tools/README.md @@ -7,5 +7,5 @@ Find out what tools are used to secure the supply chain. Explore the general req 1. [Securing the Source Code](securing-source-code.md) 2. [Securing Materials](securing-materials.md) 3. [Securing Build Pipelines](securing-build-pipelines.md) -4. [Securing Artefacts](securing-aretfacts.md) +4. [Securing Artifacts](securing-artifacts.md) 5. [Securing Deployments](securing-deployments.md) diff --git a/publications/supply-chain-security-tools/securing-aretfacts.md b/publications/supply-chain-security-tools/securing-artifacts.md similarity index 83% rename from publications/supply-chain-security-tools/securing-aretfacts.md rename to publications/supply-chain-security-tools/securing-artifacts.md index 01ffc73e2..67d060be0 100644 --- a/publications/supply-chain-security-tools/securing-aretfacts.md +++ b/publications/supply-chain-security-tools/securing-artifacts.md @@ -1,4 +1,4 @@ -# Securing Artefacts +# Securing Artifacts {{% blocks/lead color="white" align="left" %}} Here are the list of requirements for securing the source code. Each one has a list of tools used to achieve it. @@ -6,22 +6,8 @@ Here are the list of requirements for securing the source code. Each one has a l ## 1. Require signed commits -Tool capability: sign commits, verify signed commits - -#### Tools -- Sigstore (gitsign) -- gittuf -- GUAC - - ## 2. Enforce full attestation and verification for protected branches -Tool capability: monitor protected branches - -#### Tools -- gittuf - - ## 3. Prevent committing secrets to the source code repository ## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions @@ -43,4 +29,3 @@ Tool capability: monitor protected branches ## 12. Have a Key Rotation Policy ## 13. Use short-lived/ephemeral credentials for machine/service access - diff --git a/publications/supply-chain-security-tools/securing-build-pipelines.md b/publications/supply-chain-security-tools/securing-build-pipelines.md index f9b8b26ed..6d55af569 100644 --- a/publications/supply-chain-security-tools/securing-build-pipelines.md +++ b/publications/supply-chain-security-tools/securing-build-pipelines.md @@ -6,22 +6,8 @@ Here are the list of requirements for securing the source code. Each one has a l ## 1. Require signed commits -Tool capability: sign commits, verify signed commits - -#### Tools -- Sigstore (gitsign) -- gittuf -- GUAC - - ## 2. Enforce full attestation and verification for protected branches -Tool capability: monitor protected branches - -#### Tools -- gittuf - - ## 3. Prevent committing secrets to the source code repository ## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions @@ -43,4 +29,3 @@ Tool capability: monitor protected branches ## 12. Have a Key Rotation Policy ## 13. Use short-lived/ephemeral credentials for machine/service access - diff --git a/publications/supply-chain-security-tools/securing-deployments.md b/publications/supply-chain-security-tools/securing-deployments.md index 872e635a7..13d85f9d5 100644 --- a/publications/supply-chain-security-tools/securing-deployments.md +++ b/publications/supply-chain-security-tools/securing-deployments.md @@ -6,22 +6,8 @@ Here are the list of requirements for securing the source code. Each one has a l ## 1. Require signed commits -Tool capability: sign commits, verify signed commits - -#### Tools -- Sigstore (gitsign) -- gittuf -- GUAC - - ## 2. Enforce full attestation and verification for protected branches -Tool capability: monitor protected branches - -#### Tools -- gittuf - - ## 3. Prevent committing secrets to the source code repository ## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions @@ -43,4 +29,3 @@ Tool capability: monitor protected branches ## 12. Have a Key Rotation Policy ## 13. Use short-lived/ephemeral credentials for machine/service access - diff --git a/publications/supply-chain-security-tools/securing-materials.md b/publications/supply-chain-security-tools/securing-materials.md index 56438b85d..6e6e1025d 100644 --- a/publications/supply-chain-security-tools/securing-materials.md +++ b/publications/supply-chain-security-tools/securing-materials.md @@ -6,22 +6,8 @@ Here are the list of requirements for securing the source code. Each one has a l ## 1. Require signed commits -Tool capability: sign commits, verify signed commits - -#### Tools -- Sigstore (gitsign) -- gittuf -- GUAC - - ## 2. Enforce full attestation and verification for protected branches -Tool capability: monitor protected branches - -#### Tools -- gittuf - - ## 3. Prevent committing secrets to the source code repository ## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions @@ -43,4 +29,3 @@ Tool capability: monitor protected branches ## 12. Have a Key Rotation Policy ## 13. Use short-lived/ephemeral credentials for machine/service access - diff --git a/publications/supply-chain-security-tools/securing-source-code.md b/publications/supply-chain-security-tools/securing-source-code.md index bc907411e..ebe130d92 100644 --- a/publications/supply-chain-security-tools/securing-source-code.md +++ b/publications/supply-chain-security-tools/securing-source-code.md @@ -8,19 +8,19 @@ Here are the list of requirements for securing the source code, which is a subca Tool capability: sign commits, verify signed commits -#### Tools +### Tools + - Sigstore (gitsign) - gittuf - GUAC - ## 2. Enforce full attestation and verification for protected branches Tool capability: monitor protected branches -#### Tools -- gittuf +### Tools +- gittuf ## 3. Prevent committing secrets to the source code repository @@ -43,4 +43,3 @@ Tool capability: monitor protected branches ## 12. Have a Key Rotation Policy ## 13. Use short-lived/ephemeral credentials for machine/service access - From ad5123e9f6531251f9015bc744bb857ae57deb6b Mon Sep 17 00:00:00 2001 From: Chris Abraham Date: Mon, 15 Jul 2024 17:08:09 +0700 Subject: [PATCH 5/6] Reformat requirements sections Signed-off-by: Chris Abraham --- .../securing-source-code.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/publications/supply-chain-security-tools/securing-source-code.md b/publications/supply-chain-security-tools/securing-source-code.md index ebe130d92..1441f6b08 100644 --- a/publications/supply-chain-security-tools/securing-source-code.md +++ b/publications/supply-chain-security-tools/securing-source-code.md @@ -6,9 +6,12 @@ Here are the list of requirements for securing the source code, which is a subca ## 1. Require signed commits -Tool capability: sign commits, verify signed commits +
Tool capability
-### Tools +- Sign commits +- Verify signed commits + +
Tools
- Sigstore (gitsign) - gittuf @@ -16,9 +19,11 @@ Tool capability: sign commits, verify signed commits ## 2. Enforce full attestation and verification for protected branches -Tool capability: monitor protected branches +
Tool capability
+ +- Monitor protected branches -### Tools +
Tools
- gittuf From 25e212c161b8afd6f32e24f8dfd45ce973423c3b Mon Sep 17 00:00:00 2001 From: Chris Abraham Date: Mon, 5 Aug 2024 17:38:38 +0700 Subject: [PATCH 6/6] Fill out requirements Signed-off-by: Chris Abraham --- .../securing-artifacts.md | 105 ++++++- .../securing-build-pipelines.md | 269 +++++++++++++++++- .../securing-deployments.md | 39 ++- .../securing-materials.md | 106 ++++++- .../securing-source-code.md | 120 +++++++- 5 files changed, 576 insertions(+), 63 deletions(-) diff --git a/publications/supply-chain-security-tools/securing-artifacts.md b/publications/supply-chain-security-tools/securing-artifacts.md index 67d060be0..91bbdbf33 100644 --- a/publications/supply-chain-security-tools/securing-artifacts.md +++ b/publications/supply-chain-security-tools/securing-artifacts.md @@ -1,31 +1,108 @@ # Securing Artifacts {{% blocks/lead color="white" align="left" %}} -Here are the list of requirements for securing the source code. Each one has a list of tools used to achieve it. +Here are the list of requirements for securing artifacts. Each one has a list of tools used to achieve it. {{% /blocks/lead %}} -## 1. Require signed commits +## 1. Sign Every Step in the Build Process -## 2. Enforce full attestation and verification for protected branches +### Tool capability -## 3. Prevent committing secrets to the source code repository +- sign attestations for every step in the build process +- define all expected steps in the build process with identities -## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions +### Tools -## 5. Automate software security scanning and testing +- SLSA (level 1) +- in-toto +- Tekton (chains) -## 6. Establish and adhere to contribution policies +## 2. Validate the Signatures Generated at Each Step -## 7. Define roles aligned to functional responsibilities +### Tool capability -## 8. Enforce an independent four-eyes principle +- verify attestations of every step -## 9. Use branch protection rules +### Tools -## 10. Enforce MFA for accessing source code repositories +- in-toto +- Kyverno (signatures of output images are verified before running containers) -## 11. Use SSH keys to provide developers access to source code repositories +## 3. Use TUF/Notary to manage signing of artefacts -## 12. Have a Key Rotation Policy +### Tool capability -## 13. Use short-lived/ephemeral credentials for machine/service access +- delegate trust for specific artifacts to specific developers +- enable developer signing of metadata +- prevent rollback attacks on developer signatures + +### Tools + +- TUF +- Tekton (chains uses Sigstore) +- Kyverno (Kyverno supports Sigstore) + +## 4. Use a store to manage metadata from in-toto + +### Tool capability + +- store in-toto metadata + +### Tools + +- Sigstore (Rekor?) +- in-toto (integrated with Rekor, Grafeas, Archivist etc.) +- Tekton (chains) + + +## 5. Limit which artefacts any given party is authorized to certify + +### Tool capability + +- specify trusted entities for each artifact in policy +- enforce this limitation + +### Tools + +- in-toto +- TUF +- Kyverno (Kyverno policy on who is trusted for each signature) + + +## 6. Build in a system for rotating and revoking private keys + +### Tool capability + +- change policy to revoke a trusted key +- change policy to rotate a trusted key +- communicate these changes to users + +### Tools + +- Sigstore (Fulcio) +- in-toto (in-toto layouts can rotate and revoke keys for attestations, layout keys are managed separately such as by using TUF) +- TUF +- SPIFFE + +## 7. Use a container registry that supports OCI image-spec images + +### Tool capability + +- follow the OCI spec + +### Tools + +- Sigstore (cosign) +- Tekton (Pipelines and Chains) +- Kyverno (Kyverno works with OCI registries) + +## 8. Encrypt artefacts before distribution & ensure only authorized platforms have decryption capabilities + +### Tool capability + +- create policy for which platforms have decryption capabilities +- enforce this policy + +### Tools + +- _none_ diff --git a/publications/supply-chain-security-tools/securing-build-pipelines.md b/publications/supply-chain-security-tools/securing-build-pipelines.md index 6d55af569..760f9ed05 100644 --- a/publications/supply-chain-security-tools/securing-build-pipelines.md +++ b/publications/supply-chain-security-tools/securing-build-pipelines.md @@ -1,31 +1,272 @@ # Securing Build Pipelines {{% blocks/lead color="white" align="left" %}} -Here are the list of requirements for securing the source code. Each one has a list of tools used to achieve it. +Here are the list of requirements for securing build pipelines. Each one has a list of tools used to achieve it. {{% /blocks/lead %}} -## 1. Require signed commits +## 1. Cryptographically guarantee policy adherence -## 2. Enforce full attestation and verification for protected branches +### Tool capability -## 3. Prevent committing secrets to the source code repository +- attest to steps +- verify policy adherence +- define the policy -## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions +### Tools -## 5. Automate software security scanning and testing +- SLSA (level 1) +- in-toto -## 6. Establish and adhere to contribution policies -## 7. Define roles aligned to functional responsibilities +## 2. Validate environments and dependencies before usage -## 8. Enforce an independent four-eyes principle +### Tool capability -## 9. Use branch protection rules +- validate dependencies +- validate environments +- verify signatures on build images -## 10. Enforce MFA for accessing source code repositories +### Tools -## 11. Use SSH keys to provide developers access to source code repositories +- in-toto (in-toto can wrap the fetch / bootstrap processes and metadata can be consumed by upper-turtle processes via sublayouts) +- SPIFFE (validates environments) +- Tekton (there is an open TEP to integrate with SPIFFE to validate node/workload) +- Kyverno (If the environment is a container, Kyverno can verify the policy (allowed source, signer)) -## 12. Have a Key Rotation Policy +## 3. Validate runtime security of build workers -## 13. Use short-lived/ephemeral credentials for machine/service access +### Tool capability + +- monitor runtime processes +- attest to runtime operations +- verify runtime attestations +- trusted execution environment + +### Tools + +- in-toto (runtime trace attestations) + +## 4. Validate Build artifacts through verifiably reproducible builds + +### Tool capability + +- make reproducible build +- re-build images in isolated environments (security enclaves/trust boundaries) +- validate builds from multiple sources + +### Tools + +- in-toto +- apko + +## 5. Lock and Verify External Requirements From The Build Process + +### Tool capability + +- lock and record external requirements +- verify external requirements + +### Tools + +- apko + +## 6. Find and Eliminate Sources Of Non-Determinism + +### Tool capability + +- make diffs of builds + +### Tools + +- apko + +## 7. Record The Build Environment + +### Tool capability + +- record the build environment + +### Tools + +- SLSA (level 3) +- in-toto (in-toto provides the formats, it's unopinionated about what's recorded) +- apko +- Tekton (Chains) + +## 8. Automate Creation Of The Build Environment + +### Tool capability + +- environment creation automation + +### Tools + +- apko +- Tekton (Pipelines) + +## 9. Distribute Builds Across Different Infrastructure + +### Tool capability + +- define multiple infrastructure setups +- run builds in multiple environments + +### Tools + +- Tekton (Pipelines) + +## 10. Build and related continuous integration/continuous delivery steps should all be automated through a pipeline defined as code + +### Tool capability + +- define pipeline in code +- run pipeline as code + +### Tools + +- SLSA (level 1) +- apko +- Tekton (Pipelines) + +## 11. Standardize pipelines across projects + +### Tool capability + +- _none_ + +### Tools + +- Tekton (Pipelines) + +## 12. Provision a secured orchestration platform to host software factory + +### Tool capability + +- perform secure orchestration + +### Tools + +- Tekton (Pipelines) + +## 13. Build Workers Should be Single Use + +### Tool capability + +- single-use containerized builders +- verify that builders are single use +- attest to build identity + +### Tools + +- SLSA (level 3) +- in-toto (can be validated via runtime trace attestations) +- Tekton (Pipelines) + +## 14. Ensure Software Factory has minimal network connectivity. + +### Tool capability + +- check for and monitor network connections + +### Tools + +- SLSA (level 3) +- in-toto (can be validated via runtime trace attestations) + +## 15. Segregate the Duties of Each Build Worker + +### Tool capability + +- define scope of each build worker +- attest to which build worker performs each action +- verify that build workers follow the policy + +### Tools + +- in-toto +- Tekton (Pipelines) + +## 15. Pass in Build Worker Environment and Commands + +### Tool capability + +- provision build workers with environment and commands within a hermetic build environment + +### Tools + +- in-toto (can be validated via runtime trace attestations) +- Tekton (Pipelines) + +## 16. Write Output to a Separate Secured Storage Repo + +### Tool capability + +- secured storage repo + +### Tools + +- Sigstore (Rekor) +- in-toto (depending on where you put the in-toto metadata) + +## 17. Only allow pipeline modifications through "pipeline as code" + +### Tool capability + +- attest to pipeline state and modifications +- verify that pipeline modifications are made through pipeline as code +- ensure pipeline goes through source control + +### Tools + +- SLSA (level 3) +- Tekton (Pipelines) + +## 18. Define user roles + +### Tool capability + +- define user roles +- attest to role for each action +- enforce user roles + +### Tools + +- in-toto + +## 19. Follow established practices for establishing a root of trust from an offline source + +### Tool capability + +- securely distribute root of trust +- chain from existing trusted root + +### Tools + +- TUF + +## 20. Use short-lived Workload Certificates + +### Tool capability + +- create short-lived certificates +- verify short-lived certificates using their validity period +- verify that workload certificates are short-lived + +### Tools + +- in-toto (integrates with SPIFFE/SPIRE) +- SPIFFE +- Tekton (TEP to integrate with SPIRE) + +## 21. Deploy monitoring tools to software factory to detect malicious behaviour + +### Tool capability + +- runtime monitoring +- analysis of built artifacts + +### Tools + +- in-toto (runtime trace attestations generated using tools like tetragon) +- SPIFFE +- Tekton (TEP to integrate with SPIRE) diff --git a/publications/supply-chain-security-tools/securing-deployments.md b/publications/supply-chain-security-tools/securing-deployments.md index 13d85f9d5..f37396ebc 100644 --- a/publications/supply-chain-security-tools/securing-deployments.md +++ b/publications/supply-chain-security-tools/securing-deployments.md @@ -1,31 +1,42 @@ # Securing Deployments {{% blocks/lead color="white" align="left" %}} -Here are the list of requirements for securing the source code. Each one has a list of tools used to achieve it. +Here are the list of requirements for securing deployments. Each one has a list of tools used to achieve it. {{% /blocks/lead %}} -## 1. Require signed commits +## 1. Ensure clients can perform Verification of Artefacts and associated metadata -## 2. Enforce full attestation and verification for protected branches +### Tool capability -## 3. Prevent committing secrets to the source code repository +- perform client verification -## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions +### Tools -## 5. Automate software security scanning and testing +- Sigstore (cosign) +- in-toto (in-toto implementations support verification of metadata against layouts) +- TUF +- Tekton (chains with sigstore) +- Kyverno (Kyverno policies validate artifacts and metadata) -## 6. Establish and adhere to contribution policies -## 7. Define roles aligned to functional responsibilities +## 2. Ensure clients can verify the "freshness" of files -## 8. Enforce an independent four-eyes principle +### Tool capability -## 9. Use branch protection rules +- verify freshness of files -## 10. Enforce MFA for accessing source code repositories +### Tools -## 11. Use SSH keys to provide developers access to source code repositories +- Sigstore (Rekor) +- TUF -## 12. Have a Key Rotation Policy +## 3. Use The Update Framework -## 13. Use short-lived/ephemeral credentials for machine/service access +### Tool capability + +- support TUF metadata creation +- support TUF metadata verification + +### Tools + +- TUF diff --git a/publications/supply-chain-security-tools/securing-materials.md b/publications/supply-chain-security-tools/securing-materials.md index 6e6e1025d..78b8e2a37 100644 --- a/publications/supply-chain-security-tools/securing-materials.md +++ b/publications/supply-chain-security-tools/securing-materials.md @@ -1,31 +1,109 @@ # Securing Materials {{% blocks/lead color="white" align="left" %}} -Here are the list of requirements for securing the source code. Each one has a list of tools used to achieve it. +Here are the list of requirements for securing materials. Each one has a list of tools used to achieve it. {{% /blocks/lead %}} -## 1. Require signed commits +## 1. Verify third party artefacts and open source libraries -## 2. Enforce full attestation and verification for protected branches +### Tool capability -## 3. Prevent committing secrets to the source code repository +- attest to review +- verify review attestations -## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions +### Tools -## 5. Automate software security scanning and testing +- in-toto (can be validated via alpha-omega attestations, review attestations) -## 6. Establish and adhere to contribution policies -## 7. Define roles aligned to functional responsibilities +## 2. Require SBOM from third party supplier -## 8. Enforce an independent four-eyes principle +### Tool capability -## 9. Use branch protection rules +- generate accurate SBOM +- verify SBOM existence +- verify SBOM accuracy -## 10. Enforce MFA for accessing source code repositories +### Tools -## 11. Use SSH keys to provide developers access to source code repositories +- _none_ -## 12. Have a Key Rotation Policy +## 3. Track dependencies between open source components -## 13. Use short-lived/ephemeral credentials for machine/service access +### Tool capability + +- create accurate SBOM +- update SBOM + +### Tools + +- _none_ + +## 4. Build libraries based upon source code + +### Tool capability + +- attest to build +- verify attestation of build +- maintain list of trusted sources for built software +- attestation from third-party builder/distributor +- publish hashes for pre-built software + +### Tools + +- in-toto +- apko + +## 5. Define and prioritize trusted package managers and repositories + +### Tool capability + +- define trusted/prioritized repositories +- enforce the priority + +### Tools + +- TUF + +## 6. Generate an immutable SBOM of the code + +### Tool capability + +- generate an accurate SBOM (signed) + +### Tools + +- in-toto (SBOM attestations) +- apko + +## 7. Scan software for vulnerabilities + +### Tool capability + +- scan the software + +### Tools + +- in-toto + +## 8. Scan software for license implications + +### Tool capability + +- scan the software + +### Tools + +- _none_ + +## 9. Run software composition analysis on ingested software + +### Tool capability + +- run software composition analysis +- ingest an SBOM +- verify an SBOM's claims + +### Tools + +- _none_ diff --git a/publications/supply-chain-security-tools/securing-source-code.md b/publications/supply-chain-security-tools/securing-source-code.md index 1441f6b08..7476b7305 100644 --- a/publications/supply-chain-security-tools/securing-source-code.md +++ b/publications/supply-chain-security-tools/securing-source-code.md @@ -6,12 +6,12 @@ Here are the list of requirements for securing the source code, which is a subca ## 1. Require signed commits -
Tool capability
+### Tool capability -- Sign commits -- Verify signed commits +- sign commits +- verify signed commits -
Tools
+### Tools - Sigstore (gitsign) - gittuf @@ -19,32 +19,138 @@ Here are the list of requirements for securing the source code, which is a subca ## 2. Enforce full attestation and verification for protected branches -
Tool capability
+### Tool capability -- Monitor protected branches +- monitor protected branches -
Tools
+### Tools - gittuf ## 3. Prevent committing secrets to the source code repository +### Tool capability + +- check commits +- verify that no secrets are in the repository + +### Tools + +- _none_ + ## 4. Define individuals/teams that are responsible for code in a repository and associated coding conventions +### Tool capability + +- verifying coding conventions + +### Tools + +- GitHub +- gittuf +- GUAC + ## 5. Automate software security scanning and testing +### Tool capability + +- scan software +- perform tests +- automation at build time +- automation at production time +- determine what to do with scan results + +### Tools + +- in-toto (test result attestations) + ## 6. Establish and adhere to contribution policies +### Tool capability + +- check for contribution guidelines +- DCO + +### Tools + +- GitHub + ## 7. Define roles aligned to functional responsibilities +### Tool capability + +- none + +### Tools + +- GitHub +- gittuf + ## 8. Enforce an independent four-eyes principle +### Tool capability + +- require review before merge +- attest to a review +- verify attestation of review + +### Tools + +- SLSA (level 4) +- in-toto (threshold of human review attestations) +- GitHub + + ## 9. Use branch protection rules +### Tool capability + +- verify branch protection is turned on over time + +### Tools + +- GitHub +- gittuf + ## 10. Enforce MFA for accessing source code repositories +### Tool capability + +- enable MFA +- verify MFA is enabled for all contributors + +### Tools + +- GitHub + ## 11. Use SSH keys to provide developers access to source code repositories +### Tool capability + +- enforce that ssh keys are used (and disable https) + +### Tools + +- GitHub + ## 12. Have a Key Rotation Policy +### Tool capability + +- key expiration +- key distribution/PKI for ssh + +### Tools + +- gittuf + ## 13. Use short-lived/ephemeral credentials for machine/service access + +### Tool capability + +- require short-lived credentials + +### Tools + +- SPIFFE (maybe, spiffe does short-lived credentials, but not sure if anyone is using this for source code repos) +