Protecting Ourselves from CNCFgate. Software Supply Chain Security at CNCF - Practices, and Tools - Andres Vega & Emily Fox, CNCF SIG

Authors:   Emily Fox, Andres Vega, Jonathan Meadows


The presentation discusses the importance of securing supply chains in software development and recommends various technologies and approaches to achieve this.
  • Supply chains in software development can be complex and extend beyond the software factory, requiring collection and storage of metadata about artifacts and validation of signed artifacts backed by transparency log technologies.
  • Behavior analysis and reproducible builds are recommended for ensuring the security of the build stage in the pipeline.
  • CNCf projects like In Toto and Notary can be used to sign metadata and final software artifacts for deployment and distribution.
  • Key material generation using technologies like SPIFFY can help minimize the attack surface and window for compromise.
  • The presentation calls for community participation in the Secure Supply Chain Working Group to develop a reference architecture and framework of common tools and templates.
  • An anecdote is not provided.


As the complexity of our software systems grows – and they ingest more and more dependencies to deliver their functionality – the supply chain becomes more complex, and thus more difficult to secure. The industry is forming a consensus around a baseline set of properties for a secure software supply chain, yet these are not enough to protect against some of the high-profile attacks we have seen in recent years. In some cases they may not even have made detection easier. The industry needs to do better, we need to do better. An attacker who compromises a software supply chain can greatly increase the blast radius of their attack to all eventual users of the system. In some cases the exploits are overlooked or unintended bugs; some others have been known to be more deliberate and insidious (most recently, SunBurst/Solarigate).This presentation shares the experience of the CNCF SIG-Security Supply Chain Working Group with particular attention to intricacies and sharp edges of the practice of creating and maintaining a tightly-secured software supply chain.