How Citi is building the secure software factory with Sigstore and Tekton
Securing the software supply chain is of paramount importance to the tech industry today. It remains a big challenge, however, because a large number of best practices have to be implemented in order to secure it. To give you an idea of the scale of the problem, this whitepaper from the Cloud Native Computing Foundation (CNCF) outlines best practices for supply chain security. It breaks the problem space into five key areas (source code, dependencies, build pipelines, artifacts and deployments) and altogether documents a set of 54 best practices.
This set of practices can be overwhelming to organizations starting out on this journey, which have to ask themselves:
Where do you start?
Is there tooling that can help?
How do I pick the right path to go down?
The bad news is that you do need to figure out which of these practices matter for your particular organization and how you might approach tackling them. The good news is that there are some incredible open source tools emerging to help and folks from Citi have launched an amazing initiative to help put these all together.
The team at Citi has created a prototype implementation of a secure software supply chain. It is based on the CNCF's upcoming Secure Software Factory Reference Architecture and the Software Supply Chain Best Practices White Paper. The purpose of the project is to provide a set of tools, patterns, and policies for building artifacts with increased confidence in their authenticity and integrity, and with traceable provenance.

The Secure Software Factory uses best-in-class open source projects including Sigstore and Tekton. It was built with three key goals in mind:
Secure by default - the design and configuration were carefully crafted to provide a secure platform
SLSA ready - the platform implements the SLSA (Supply-chain Levels for Software Artifacts) guidelines to ensure software security and supply chain integrity
Simple & Fast - it takes one single command to deploy it all
Sigstore is a new standard for signing, verifying and protecting software. It is an OpenSSF project that dramatically simplifies signing through better automation and user-friendly tools, giving a safer chain of custody that traces software back to its source. Tekton is a powerful and flexible open source framework for creating CI/CD systems, allowing developers to build, test, and deploy across cloud providers and on-premise systems. Tekton is a Continuous Delivery Foundation project and one of the first CI/CD systems designed with supply chain security built in from the start.
The table below outlines some of the key open source software projects used and what purpose they serve in the reference architecture:
| Secure Supply Chain Component | Reference Architecture Project |
| --- | --- |
| Automated Signing | Sigstore |
| Pipeline Framework (CI/CD pipelines) | Tekton |
| Pipeline Observer | |
| Admission Controller | |
| Identity Attestation | |
| Scheduling and Orchestration platform | |
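As an added, illustrative example (not code from Citi's project, Sigstore or Tekton), the Go program below shows the check that the pipeline-observer and admission-controller rows of the table imply, and the authenticity, integrity and provenance goals stated above: a pipeline observer attaches a signed SLSA provenance attestation to an artifact, and a policy refuses to admit the artifact unless the signature comes from a trusted key, the subject digest matches the bytes actually being deployed, and the builder is one the policy allows. The in-toto Statement type, the SLSA v0.2 predicate type and the DSSE envelope with its pre-authentication encoding are the real formats; the static Ed25519 key, the key id `build-key`, the builder id `https://tekton.example/builder`, the subject name and the artifact bytes are all constructed for the example. Sigstore's keyless flow would replace the static key with a short-lived Fulcio certificate and a Rekor transparency-log entry, which this offline example deliberately omits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Real in-toto, SLSA and DSSE identifiers; every other name in this file is illustrative.
const (
	statementType = "https://in-toto.io/Statement/v0.1"
	slsaV02       = "https://slsa.dev/provenance/v0.2"
	payloadType   = "application/vnd.in-toto+json"
)

// Statement is the in-toto attestation; Envelope is the DSSE wrapper around it that gets signed.
type Subject struct{ Name string `json:"name"`; Digest map[string]string `json:"digest"` }
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}
type Signature struct{ KeyID string `json:"keyid"`; Sig string `json:"sig"` } // Sig is base64
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64(Statement JSON)
	Signatures  []Signature `json:"signatures"`
}

// Policy is what the admission controller enforces: trusted signing keys by key id, allowed builder ids.
type Policy struct{ TrustedKeys map[string]ed25519.PublicKey; AllowedBuilders map[string]bool }

// pae is DSSE Pre-Authentication Encoding; the signature binds payload type and body together.
func pae(typ string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(body), body))
}
func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Attest plays the pipeline-observer role: record which builder produced exactly these bytes, then sign
// the record. A static Ed25519 key stands in for the Fulcio certificate and Rekor entry Sigstore would use.
func Attest(priv ed25519.PrivateKey, keyID, name string, artifact []byte, builderID string) Envelope {
	pred, _ := json.Marshal(map[string]any{"builder": map[string]string{"id": builderID}})
	body, _ := json.Marshal(Statement{Type: statementType, PredicateType: slsaV02, Predicate: pred,
		Subject: []Subject{{Name: name, Digest: map[string]string{"sha256": digest(artifact)}}}})
	sig := ed25519.Sign(priv, pae(payloadType, body))
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}
}

// Admit checks authenticity (a trusted key signed the PAE), integrity (the bytes being deployed are a
// subject of the statement) and provenance (an allowed builder), parsing the payload only after its
// signature verifies so that unauthenticated JSON never drives the decision.
func Admit(p Policy, env Envelope, artifact []byte) error {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return err
	}
	signed := false
	for _, s := range env.Signatures {
		pub, ok := p.TrustedKeys[s.KeyID]
		raw, derr := base64.StdEncoding.DecodeString(s.Sig)
		signed = signed || (ok && derr == nil && ed25519.Verify(pub, pae(env.PayloadType, body), raw))
	}
	if !signed {
		return fmt.Errorf("no valid signature from a trusted key")
	}
	var st Statement
	if err := json.Unmarshal(body, &st); err != nil {
		return err
	}
	if env.PayloadType != payloadType || st.Type != statementType || st.PredicateType != slsaV02 {
		return fmt.Errorf("unexpected payload, statement or predicate type")
	}
	want, matched := digest(artifact), false
	for _, s := range st.Subject {
		matched = matched || s.Digest["sha256"] == want
	}
	if !matched {
		return fmt.Errorf("deployed artifact is not a subject of the attestation")
	}
	var pred struct{ Builder struct{ ID string `json:"id"` } `json:"builder"` }
	if err := json.Unmarshal(st.Predicate, &pred); err != nil || !p.AllowedBuilders[pred.Builder.ID] {
		return fmt.Errorf("builder %q is not allowed by policy", pred.Builder.ID)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed artifact bytes") // constructed sample input
	env := Attest(priv, "build-key", "pkg:oci/app", artifact, "https://tekton.example/builder")
	policy := Policy{map[string]ed25519.PublicKey{"build-key": pub}, map[string]bool{"https://tekton.example/builder": true}}
	fmt.Println("genuine:", Admit(policy, env, artifact), "| tampered:", Admit(policy, env, []byte("x")))
}
```

The ordering inside `Admit` is the point worth copying: the signature is checked over the DSSE pre-authentication encoding before any field of the payload is read, the digest comparison is made against the bytes the controller is about to run rather than against a name or tag, and the builder identity is taken from the verified predicate, not from a label the submitter could set. Any one of these checks failing is a deny, and an SBOM or other non-provenance attestation is rejected by the predicate-type check even when it carries a valid signature.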
Michael Lieberman and Brad Beck from Citi showcased the project at a recent meeting of the OpenSSF’s Supply Chain Integrity working group.
The demo was well received by the community, and Citi's plan is to contribute this project to the OpenSSF Supply Chain Integrity working group. They will also welcome contributions and feedback from the wider community. It is a much-needed initiative and we encourage folks to check out the resources and get involved.