Spicing up Container Image Security with SLSA & GUAC

The presentation discusses the implementation of supply chain security using the Salsa framework and GitHub actions.

• The Salsa framework defines a set of security requirements for build systems, with increasing levels of security
• The framework also defines common terminology and a provenance format for metadata
• The Salsa GitHub generator project utilizes keyless signing and GitHub actions to achieve isolation between the build system and the build itself
• The project includes reusable workflows for generating provenance for file-based and container artifacts, as well as a Go builder for Go projects
• The Salsa verifier project verifies the provenance generated by trusted builders
• The presenter addresses questions about the project's compatibility with other CI systems and the possibility of verifying dependencies

The presenter explains that the Salsa GitHub generator project uses GitHub actions to isolate the build process and the generation and signing of provenance into separate build jobs. This allows for easier integration with other Sigstore tooling and ensures that the source code is the expected code built with the expected tags and builders.

Understanding and verifying the content of images that you deploy in production environments is difficult and error prone. Images could be built in an insecure environment, by a malicious actor, or include dependencies that are insecure. Users often don't have enough information to determine if images are trustworthy. Two new tools can help; Supply chain Levels for Software Artifacts (SLSA), and Graph for Understanding Artifact Composition (GUAC). In this talk attendees will learn how to add SLSA provenance metadata to their container images and strongly link images back to their source code on multiple build systems including GitHub Actions and Google Cloud Build. We will also cover how to verify images and their metadata before use; both when running locally and when running images in Kubernetes. Using policy engines like Kyverno and Sigstore policy-controller we can verify an image's source code repository, builder identity, build entry points, and more to protect production environments from malicious images. Finally we'll discuss how to understand your image's supply chain using GUAC. We'll discuss how we can combine SLSA with GUAC to better understand the contents and build provenance of your images from the base layers on down.