Chainguard and CNCF conduct SLSA assessments for Argo and Prometheus projects
Chainguard recently worked with Cloud Native Computing Foundation (CNCF) to conduct software supply chain security assessments of two graduated CNCF projects, Argo and Prometheus. Ensuring the foundations of open source software projects are applying best practices and principles for supply chain security is critical. Chainguard was happy to partner with CNCF on this endeavor to help the community continue to improve the software security of widely used projects.
Both software supply chain security assessments followed the Supply-Chain Levels for Software Artifacts (SLSA, pronounced "salsa") framework to assess the software supply chain security practices of the Argo CD and Prometheus projects. SLSA, which is maintained within the Open Source Security Foundation, defines levels of software supply chain integrity and a set of practices to achieve these levels. Version 0.1 of SLSA (at the time of writing, a 1.0 specification has been announced) emphasizes a set of software supply chain security practices that deal with source code, the build process, and provenance, with an emphasis on machine-readability and machine-verifiability. These SLSA assessment efforts build on the security work CNCF has been doing through independent security audits with OSTIF and fuzzing audits with ADA Logics, and they address a crucial aspect of security health in the software supply chain.
Here’s a look at some of the main findings in the assessments:
The Chainguard assessment team concluded that the source, build, and provenance portions of the Argo CD supply chain all achieved SLSA level 3.
The Chainguard assessment of Prometheus found that the project achieved SLSA Level 3 for both the Source and Build sections.
Provenance is an important piece of the supply chain that allows the consumers of an artifact to verify its authenticity. The Chainguard assessment team recommends that the Prometheus maintainers implement provenance generation within the Prometheus build infrastructure.
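To make the verification that provenance enables concrete, here is an added example (written for this post, not code from the Argo CD or Prometheus projects or from the assessments) in which a consumer checks an artifact against an in-toto statement carrying a SLSA v0.2 provenance predicate. The artifact bytes and the builder id `https://example.invalid/hypothetical-builder` are constructed placeholders.

```python
import hashlib
import json

# Constructed sample: the bytes a consumer downloaded (stand-in for a release binary).
ARTIFACT = b"#!/bin/sh\necho 'hypothetical release binary'\n"

# Constructed sample: an in-toto Statement with a SLSA v0.2 provenance predicate, the
# shape a SLSA level 3 builder emits for each artifact. A real statement is wrapped in
# a DSSE envelope whose signature must be checked before any of the fields are trusted.
PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "example-binary",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicate": {
        # Hypothetical builder id; a consumer pins the id of the builder it trusts.
        "builder": {"id": "https://example.invalid/hypothetical-builder"},
        "invocation": {"configSource": {
            "uri": "git+https://example.invalid/org/repo@refs/tags/v1.0.0"}},
    },
})

EXPECTED_BUILDER = "https://example.invalid/hypothetical-builder"


def verify_provenance(artifact: bytes, statement_json: str, expected_builder: str) -> list:
    """Return the list of problems found; an empty list means the checks passed."""
    problems = []
    stmt = json.loads(statement_json)
    # The predicate type tells us which schema the predicate follows.
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append(f"unexpected predicateType {stmt.get('predicateType')!r}")
    # The artifact we hold must be one of the subjects the builder attested to.
    actual = hashlib.sha256(artifact).hexdigest()
    subjects = stmt.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == actual for s in subjects):
        problems.append("artifact sha256 does not match any provenance subject")
    # Only provenance produced by the builder we trust counts.
    builder = stmt.get("predicate", {}).get("builder", {}).get("id")
    if builder != expected_builder:
        problems.append(f"builder id {builder!r} is not the trusted builder")
    return problems


if __name__ == "__main__":
    print(verify_provenance(ARTIFACT, PROVENANCE, EXPECTED_BUILDER) or "provenance OK")
```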
The full reports can be found on the Argo CD and Prometheus GitHub pages. Thank you to CNCF and the Argo and Prometheus maintainers for their collaboration on the SLSA assessments and their commitment to strengthening software supply chain security.
Organizations interested in a software supply chain security assessment can contact Chainguard. Anyone interested in educational materials on SLSA can find them on Chainguard Academy.