Chainguard recently worked with Cloud Native Computing Foundation (CNCF) to conduct software supply chain security assessments of two graduated CNCF projects, Argo and Prometheus. Ensuring the foundations of open source software projects are applying best practices and principles for supply chain security is critical. Chainguard was happy to partner with CNCF on this endeavor to help the community continue to improve the software security of widely used projects.
Both software supply chain security assessments followed the Supply-Chain Levels for Software Artifacts (SLSA, pronounced salsa) framework to assess the software supply chain security practices of the Argo CD and Prometheus projects. SLSA, which is maintained within the Open Source Security Foundation, defines levels of software supply chain integrity and a set of practices to achieve these levels. Version 0.1 of SLSA (at the time of writing, a 1.0 specification has been announced) emphasizes a set of software supply chain security practices that deal with source code, the build process, and provenance with an emphasis on machine-readability and machine-verifiability. These SLSA assessment efforts build on the security work CNCF has been doing with independent security audits with OSTIF and fuzzing audits with ADA Logics and address a crucial aspect of security health in the software supply chain.
Here’s a look at some of the main findings in the assessments:
The full reports can be found on the Argo CD and Prometheus GitHub pages. Thank you to CNCF and the Argo and Prometheus maintainers for their collaboration on the SLSA assessments and their commitment to strengthening software supply chain security.