Conference:  Cloud Native SecurityCon North America 2022

Authors: Parth Patel, Shripad Nadgowda

2022-10-25

Container build is arguably one of the most security sensitive operations in the whole application supply chain spectrum, which has largely remained opaque to date. It is typically implemented as a multi-stage process in the Continuous Integration (CI) pipeline that includes cloning the source code, resolving and downloading dependencies, compiling and packaging applications and finally publishing the built artifacts. To establish trust in the final built artifact, it is not sufficient to ensure security guarantees around just the built artifact, but it is critical to provide provenance and integrity assurance for every action in the pipeline that went into building that artifact. While tools, such as Tekton Chains, provide visibility into the steps that were performed and components that were used during the build process, we are still missing the lower level syscalls that were made. In this presentation, Parth and Shripad will present an open framework using tetragon to bring out-of-band runtime visibility and provide automated attestation for tekton based CI pipeline.

Conference:  Cloud Native SecurityCon North America 2022

Authors: Cole Kennedy

2022-10-24

Witness is an open-source project that allows software producers to make and verify attestations about the software they produce, making it easy to produce verifiable evidence for software builds. Archivist is a platform that stores these attestations. The goal is to automate pipeline compliance and ensure that the build materials that are expected to go into the build actually do go into that build.

• Witness implements the internal specifications and allows software producers to make and verify attestations about the software they produce
• It has integrations with open-source projects such as Sig store, Inspire, GitHub, and GitLab
• Witness makes it easy to produce verifiable evidence for software builds
• It supports both containerized and non-containerized workloads
• Archivist stores these attestations
• The goal is to automate pipeline compliance and ensure that the build materials that are expected to go into the build actually do go into that build