Open sourcing Octo STS

Matthew Moore, CTO Chainguard
May 2, 2024

Credential leaks are one of the most common ways systems are compromised: the 2024 Verizon Data Breach Report found that 31% of all breaches over the past 10 years have involved the use of stolen credentials, and long-lived credentials are at the heart of that. To eliminate our need for long-lived credentials, we created and published a GitHub Application, Octo STS.

Octo STS is a “Security Token Service” (STS) for GitHub credentials. The idea of an STS is largely inspired by cloud providers such as AWS and GCP, but other services have them too, including Chainguard. An STS exchanges a short-lived third-party token for a short-lived first-party token, after checking that the caller has permission to make the exchange.
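As an added illustration of that exchange (this is not Octo STS's own code, which lives in the repository the post announces), the following Python models the three steps an STS performs: verify the caller's short-lived third-party token, check it against a trust policy, and mint a scoped, short-lived first-party token. The trust policy format, the issuer and audience names, the demo keys and the use of HMAC signatures are all assumptions made for this example; a real deployment verifies the identity provider's asymmetric (RS256/ES256) signature using keys fetched from its JWKS endpoint, and the first-party token it hands back would be a GitHub installation access token rather than a JWT it signs itself.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Demo keys (constructed for this example). A real STS fetches the
# issuer's public keys from its JWKS endpoint and verifies an
# asymmetric signature; HMAC is used here only so the example runs offline.
ISSUER_KEYS = {"https://idp.example": b"third-party-demo-key"}
FIRST_PARTY_KEY = b"first-party-demo-key"

# Hypothetical trust policy: who may perform the exchange, and what
# permissions and lifetime the resulting first-party token gets.
TRUST_POLICY = {
    "issuer": "https://idp.example",
    "audience": "sts.example",
    "subject_pattern": r"^repo:example-org/[^:]+:ref:refs/heads/main$",
    "permissions": {"contents": "read", "pull_requests": "write"},
    "ttl_seconds": 600,
}


class ExchangeDenied(Exception):
    """Raised when the caller may not exchange its token."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT (demo signing only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, now: float) -> dict:
    """Check the signature and expiry, then return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    # A token without an expiry is a long-lived credential: reject it outright.
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def exchange(third_party_token: str, policy: dict, now: float) -> str:
    """Exchange a verified third-party token for a scoped first-party token."""
    parts = third_party_token.split(".")
    if len(parts) != 3:
        raise ExchangeDenied("malformed token")
    # Read the issuer claim *before* verification only to select the key;
    # nothing else is trusted until the signature has been checked.
    unverified = json.loads(_b64url_decode(parts[1]))
    issuer = unverified.get("iss")
    if issuer != policy["issuer"] or issuer not in ISSUER_KEYS:
        raise ExchangeDenied("untrusted issuer")
    try:
        claims = verify_jwt(third_party_token, ISSUER_KEYS[issuer], now)
    except ValueError as err:
        raise ExchangeDenied(f"invalid token: {err}") from err
    if claims.get("aud") != policy["audience"]:
        raise ExchangeDenied("token not intended for this STS")
    if not re.match(policy["subject_pattern"], claims.get("sub", "")):
        raise ExchangeDenied("subject not permitted by trust policy")
    # Mint the first-party token: scoped to the policy's permissions and
    # valid only for the policy's TTL, so nothing long-lived is handed out.
    return sign_jwt(
        {
            "iss": "sts.example",
            "sub": claims["sub"],
            "permissions": policy["permissions"],
            "iat": int(now),
            "exp": int(now) + policy["ttl_seconds"],
        },
        FIRST_PARTY_KEY,
    )


def denial_reason(third_party_token: str, policy: dict, now: float):
    """Return None if the exchange succeeds, else the reason it was denied."""
    try:
        exchange(third_party_token, policy, now)
        return None
    except ExchangeDenied as err:
        return str(err)


if __name__ == "__main__":
    now = time.time()
    caller = sign_jwt(
        {"iss": "https://idp.example", "aud": "sts.example",
         "sub": "repo:example-org/app:ref:refs/heads/main", "exp": now + 300},
        ISSUER_KEYS["https://idp.example"],
    )
    print(verify_jwt(exchange(caller, TRUST_POLICY, now), FIRST_PARTY_KEY, now))
```

The subject pattern is where the policy does its real work: it binds the exchange to a specific repository and branch, so a token minted for a feature branch or another organization is refused even though it carries a valid signature from the same issuer.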

Our previous post describing our solution to this problem seems to have struck a chord, and the outreach and interest we have received have been nothing short of incredible.

We have heard a lot of: “We absolutely need something like this,” or, “We built something like this ourselves.”

Also very understandably, we have had folks express skepticism about the level of permissions that the app needs, as we called out in our previous post:

To address all of these, today we are happy to announce that we are open sourcing Octo STS. This repository contains all of the source code for Octo STS, as well as the infrastructure as code we use to deploy and monitor it.

For folks building something similar: let’s collaborate and build something better together. We have already gotten some fantastic ideas from folks in some of the discussions spurred by our previous post. If you are interested in collaborating, reach out to us.

For folks that want to adopt this, but are unsure about the permissions: this new repository will let you see what we are doing, as well as allow your team to host and manage its own instance.

We are currently building a Chainguard Image for Octo-STS and will share more about that once it is available. If you are interested in receiving updates on the availability of that image, reach out.

