Open sourcing Octo STS
Credential leaks are one of the most common ways systems are compromised: the 2024 Verizon Data Breach Investigations Report found that 31% of all breaches over the past 10 years involved the use of stolen credentials, and long-lived credentials are at the heart of that. To eliminate our own need for long-lived GitHub credentials, we created and published a GitHub App called Octo STS.
Octo STS is a “Security Token Service” (STS) for GitHub credentials. The idea of an STS is largely borrowed from cloud providers like AWS and GCP, but other services have them too, including Chainguard. An STS exchanges a short-lived third-party token for a short-lived first-party token, after verifying the third-party token and checking that the caller has permission to make the exchange. Because both tokens are short-lived, the caller never holds a long-lived credential.
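As an added illustration of that exchange (example code written for this page, not code from the Octo STS repository), the Go program below plays the STS: it verifies an EdDSA-signed third-party JWT against the issuer's public key, pins the `alg` header so a forged `none` or HMAC token is rejected, checks the audience and expiry, matches the issuer and subject against a trust policy, and mints a first-party token scoped to the requested permissions with a policy-bounded lifetime. The issuer URL and the `repo:org/repo:ref:...` subject format are those of GitHub Actions OIDC tokens; the STS audience `https://sts.example.com`, the permission names such as `contents:read`, and the `Policy`, `FirstPartyToken` and `Exchange` shapes are assumptions made for this example. The key pair and the signed sample token are generated locally only to construct input; a real STS fetches the issuer's keys from its published key set.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"path"
	"strings"
	"time"
)

// Claims holds the OIDC claims the exchange needs (sample tokens use a string "aud").
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// Policy is one trust rule (a shape assumed for this example, not Octo STS's own).
type Policy struct {
	Issuer      string
	SubjectGlob string          // matched with path.Match, so "*" does not cross "/"
	Permissions map[string]bool // allow-list of first-party permission names
	MaxTTL      time.Duration   // lifetime of the minted first-party token
}

type FirstPartyToken struct { // what the STS hands back: scoped and short-lived
	Permissions []string
	ExpiresAt   time.Time
}

// verifyEdDSA pins the alg (no alg confusion), checks the signature, then trusts the claims.
func verifyEdDSA(token string, issuerKey ed25519.PublicKey) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	payload, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` }
	if err1 != nil || err2 != nil || err3 != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("bad encoding or unexpected alg")
	}
	if !ed25519.Verify(issuerKey, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature invalid")
	}
	var c Claims
	return &c, json.Unmarshal(payload, &c) // &c is only meaningful when the error is nil
}

// Exchange: authenticate the third-party token, authorize it against policy, mint a scoped token.
func Exchange(token string, issuerKey ed25519.PublicKey, stsAudience string,
	policies []Policy, requested []string, now time.Time) (*FirstPartyToken, error) {
	c, err := verifyEdDSA(token, issuerKey)
	if err != nil {
		return nil, err
	}
	if c.Aud != stsAudience || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token not issued for this STS, or expired")
	}
	for _, p := range policies {
		if ok, _ := path.Match(p.SubjectGlob, c.Sub); p.Issuer != c.Iss || !ok {
			continue
		}
		for _, perm := range requested { // deny explicitly; never silently downgrade
			if !p.Permissions[perm] {
				return nil, fmt.Errorf("permission %q not allowed by policy", perm)
			}
		}
		return &FirstPartyToken{Permissions: requested, ExpiresAt: now.Add(p.MaxTTL)}, nil
	}
	return nil, errors.New("no policy trusts this issuer and subject")
}

// signEdDSA plays the third-party issuer; it exists only to construct sample input.
func signEdDSA(c Claims, issuerKey ed25519.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(c)
	in := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	return in + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(issuerKey, []byte(in)))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the issuer's signing key
	iss, aud := "https://token.actions.githubusercontent.com", "https://sts.example.com"
	policies := []Policy{{Issuer: iss, SubjectGlob: "repo:example-org/app:ref:refs/heads/*",
		Permissions: map[string]bool{"contents:read": true}, MaxTTL: 10 * time.Minute}}
	tok := signEdDSA(Claims{Iss: iss, Sub: "repo:example-org/app:ref:refs/heads/main",
		Aud: aud, Exp: time.Now().Add(5 * time.Minute).Unix()}, priv)
	got, err := Exchange(tok, pub, aud, policies, []string{"contents:read"}, time.Now())
	fmt.Println(got, err)
}
```

Two choices in this example are worth copying: a requested permission outside the policy allow-list fails the whole request rather than being silently dropped, so a misconfigured workflow is visible immediately; and the audience check stops a token minted for some other relying party from being replayed against the STS.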
Our previous post, which described our solution to this problem, seems to have struck a chord, and the outreach and interest we have received have been nothing short of incredible.
We have heard a lot of: “We absolutely need something like this,” or, “We built something like this ourselves.”
Also, very understandably, some folks have expressed skepticism about the level of permissions the app needs, something we called out in our previous post.

To address all of these, today we are happy to announce that we are open sourcing Octo STS. This repository contains all of the source code for Octo STS, as well as the infrastructure as code we use to deploy and monitor it.
For folks building something similar: let’s collaborate and build something better together. We have already gotten some fantastic ideas from folks in some of the discussions spurred by our previous post. If you are interested in collaborating, reach out to us.
For folks who want to adopt this but are unsure about the permissions: the repository lets you see exactly what the app does with them, and lets your team host and manage its own instance.
We are currently building a Chainguard Image for Octo STS and will share more once it is available. If you are interested in receiving updates on the availability of that image, reach out.