Add pages for Supply Chain Security Tools Mappings

ci/spelling-config.json

@@ -60,6 +60,8 @@
         "frontmatter",
         "Gamal",
         "gconv",
+        "gitsign",
+        "gittuf",
         "GUAC",
         "helm",
         "HIPAA",

publications/supply-chain-security-tools/README.md

@@ -0,0 +1,11 @@
+# Supply Chain Security Tools Mappings
+
+{{% blocks/lead color="white" align="left" %}}
+Find out what tools are used to secure the supply chain. Explore the general requirement categories below.
+{{% /blocks/lead %}}
+
+1. [Securing the Source Code](securing-source-code.md)
+2. [Securing Materials](securing-materials.md)
+3. [Securing Build Pipelines](securing-build-pipelines.md)
+4. [Securing Artifacts](securing-artifacts.md)
+5. [Securing Deployments](securing-deployments.md)

publications/supply-chain-security-tools/securing-artifacts.md

@@ -0,0 +1,108 @@
+# Securing Artifacts
+
+{{% blocks/lead color="white" align="left" %}}
+Here are the list of requirements for securing artifacts. Each one has a list of tools used to achieve it.
+{{% /blocks/lead %}}
+
+## 1. Sign Every Step in the Build Process
+
+### Tool capability
+
+- sign attestations for every step in the build process
+- define all expected steps in the build process with identities
+
+### Tools
+
+- SLSA (level 1)
+- in-toto
+- Tekton (chains)
+
+## 2. Validate the Signatures Generated at Each Step
+
+### Tool capability
+
+- verify attestations of every step
+
+### Tools
+
+- in-toto
+- Kyverno (signatures of output images are verified before running containers)
+
+## 3. Use TUF/Notary to manage signing of artefacts
+
+### Tool capability
+
+- delegate trust for specific artifacts to specific developers
+- enable developer signing of metadata
+- prevent rollback attacks on developer signatures
+
+### Tools
+
+- TUF
+- Tekton (chains uses Sigstore)
+- Kyverno (Kyverno supports Sigstore)
+
+## 4. Use a store to manage metadata from in-toto
+
+### Tool capability
+
+- store in-toto metadata
+
+### Tools
+
+- Sigstore (Rekor?)
+- in-toto (integrated with Rekor, Grafeas, Archivist etc.)
+- Tekton (chains)
+
+
+## 5. Limit which artefacts any given party is authorized to certify
+
+### Tool capability
+
+- specify trusted entities for each artifact in policy
+- enforce this limitation
+
+### Tools
+
+- in-toto
+- TUF
+- Kyverno (Kyverno policy on who is trusted for each signature)
+
+
+## 6. Build in a system for rotating and revoking private keys
+
+### Tool capability
+
+- change policy to revoke a trusted key
+- change policy to rotate a trusted key
+- communicate these changes to users
+
+### Tools
+
+- Sigstore (Fulcio)
+- in-toto (in-toto layouts can rotate and revoke keys for attestations, layout keys are managed separately such as by using TUF)
+- TUF
+- SPIFFE
+
+## 7. Use a container registry that supports OCI image-spec images
+
+### Tool capability
+
+- follow the OCI spec
+
+### Tools
+
+- Sigstore (cosign)
+- Tekton (Pipelines and Chains)
+- Kyverno (Kyverno works with OCI registries)
+
+## 8. Encrypt artefacts before distribution & ensure only authorized platforms have decryption capabilities
+
+### Tool capability
+
+- create policy for which platforms have decryption capabilities
+- enforce this policy
+
+### Tools
+
+- _none_