Securing Your Container Native Supply Chain with SLSA, Github and Tekton


Authors:   Priya Wadhwa, Laurent Simon


The presentation discusses practical steps to secure container native build systems using SLSA, Github, and Tekton.
  • SLSA is a framework used to quantify the security of supply chains
  • Sigstore is a project used for signing and verification
  • SLSA and Sigstore are brought together to achieve higher security levels in Tekton and Github workflows
  • Demos are provided for each platform
The npm colors package attack is used as an example of the importance of securing supply chains. The attack involved a maintainer adding an infinite loop to the package, which was pushed directly to the npm registry and affected around 9 million projects.


Supply chain security has been a huge topic of discussion in recent months, and protecting your supply chain has become more important than ever. In this talk, Laurent Simon and Priya Wadhwa will discuss how to practically apply the principles of SLSA to secure your container native build system. They’ll start by covering how to use the in-toto project to create and verify source code attestations. They’ll also do a step-by-step demo of achieving SLSA Level 2 in common build systems like Tekton and Github Actions. If you’ve been wanting to secure your supply chain, but haven’t known where to start, then this talk is for you!

Priya has given a related talk at SupplyChainSecurityCon on integrating Sigstore with Tekton. That talk focused on the theoretical integration; this talk will practically show users how to secure an existing Tekton instance. This talk will also cover other build systems (e.g. Github Actions) which users may be using as part of their cloud native deployments.