The presentation discusses practical steps to secure container-native build systems using SLSA, GitHub, and Tekton.
- SLSA is a framework used to quantify the security of supply chains
- Sigstore is a project used for signing and verification
- SLSA and Sigstore are brought together to achieve higher security levels in Tekton and GitHub workflows
- Demos are provided for each platform
The npm colors package attack is used as an example of the importance of securing supply chains. The attack involved a maintainer adding an infinite loop to the package, which was pushed directly to the npm registry and affected around 9 million projects.