
How’s Your Supply Chain with Your Insecure OSS Ingestion?

2022-10-24

Authors: James Holland


Summary

The presentation discusses the development of an open source ingestion system for the npm ecosystem using AWS EKS and Tekton pipelines.
  • The system runs various checks on packages, including the Intel scorecard check and signature verification.
  • The system also checks for vulnerabilities and runs policy checks using OPA.
  • Packages that fail a check are either denied or put into quarantine.
  • Provenance is created using Tekton Chains and stored in DynamoDB.
  • The system is still in early alpha and feedback is welcome.
The presenter demonstrates the system by sending two packages, react and shadowquote, to the API and showing their progress on the Tekton dashboard.
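To make the deny/quarantine step concrete, here is an added example of an OPA policy in Rego that turns the results of the earlier pipeline checks (signature verification, scorecard, vulnerability scan) into a single ingestion decision. It is not the CSSI project's own policy; the input document shape, the package name `cssi.ingest` and the thresholds are assumptions chosen for the example.

```rego
# Added example, not code from the talk. The pipeline is assumed to post the
# outcome of its earlier checks as one JSON document, for example:
# {
#   "package": {"name": "react", "version": "18.2.0", "ecosystem": "npm"},
#   "signature": {"verified": true},
#   "scorecard": {"score": 7.4},
#   "vulnerabilities": [{"id": "EXAMPLE-1", "severity": "HIGH"}]
# }
package cssi.ingest

import rego.v1

# Thresholds are assumptions for the example, not values from the talk.
min_scorecard := 5.0
deny_severities := {"CRITICAL"}
quarantine_severities := {"HIGH", "MEDIUM"}

# A missing or failed signature check fails closed: "not undefined" is true.
deny_reasons contains "signature verification failed" if {
    not input.signature.verified
}

deny_reasons contains msg if {
    some v in input.vulnerabilities
    v.severity in deny_severities
    msg := sprintf("critical vulnerability %v", [v.id])
}

quarantine_reasons contains msg if {
    input.scorecard.score < min_scorecard
    msg := sprintf("scorecard %v below minimum %v", [input.scorecard.score, min_scorecard])
}

quarantine_reasons contains msg if {
    some v in input.vulnerabilities
    v.severity in quarantine_severities
    msg := sprintf("%v vulnerability %v needs review", [v.severity, v.id])
}

# Deny wins over quarantine, quarantine wins over allow; the rules are
# mutually exclusive so "decision" never has conflicting values.
decision := "deny" if count(deny_reasons) > 0
decision := "quarantine" if {
    count(deny_reasons) == 0
    count(quarantine_reasons) > 0
}
decision := "allow" if {
    count(deny_reasons) == 0
    count(quarantine_reasons) == 0
}

# One object the pipeline can record next to the package provenance.
result := {
    "package": input.package,
    "decision": decision,
    "reasons": deny_reasons | quarantine_reasons,
}
```

With the sample input in the header comment, `data.cssi.ingest.result` evaluates to a `quarantine` decision with the single reason `HIGH vulnerability EXAMPLE-1 needs review`; setting `verified` to `false` flips it to `deny`.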

Abstract

OSS libraries can be used by anyone, but how does an enterprise secure what should, or more importantly, should not be used? The package/artifact managers are at best simple proxies, so security checking is mostly beyond them. Moreover, within enterprises, these tasks end up being manual. This talk will outline the additional checks that should or could be performed at ingestion and, subsequently, the continuous automated grooming of OSS artifacts. James will demonstrate the Continuous Secure Software Ingestion (CSSI) application, a policy driven system built on Tekton & Open Policy Agent (OPA), to perform continuous secure ingestion from any source, including Google AOS. He will also show the additional constraints that are placed on the downstream enterprise Software Composition Analysis (SCA) tooling to handle the data graph that this generates.
