SupplyChainSecurityCon 2022

Tekton, a cloud native solution for building CI/CD systems, has made great strides in achieving SLSA Level 1 (​​unsigned provenance) and 2 (hosted source/build, signed provenance) with the inclusion of Tekton Chains. Part of attaining higher SLSA levels include protecting and holding the build systems we use accountable. A requirement of SLSA level 3 is non-falsifiable provenance, which states that build system provenance should not be falsifiable by build service’s users - i.e. protecting against cluster administrators. With the integration SPIFFE/SPIRE, Tekton can achieve this capability. SPIFFE/SPIRE provides Tekton with short-lived certificates (backed by workload attestation), that are used to sign build results and status updates (through the TaskRun object). This results in the ability to provide and verify provenance of the build steps, ensuring that they are cryptographically protected against edits not performed by the Tekton Trusted Computing Base (TCB). In this presentation we will show this in action and sabotage our own pipelines to visualize non-falsifiable provenance.

Dates

Author

Conferences

Tags

Road to SLSA3: Non-falsifiable Provenance in Tekton with SPIFFE/SPIRE

tldr - powered by Generative AI