Merge branch 'slsa-framework:main' into main
Showing 4 changed files with 67 additions and 9 deletions.
docs/_posts/2023-06-13-slsa-github-worfklows-container-based.md (58 additions & 0 deletions)
@@ -0,0 +1,58 @@ | ||
--- | ||
title: "Announcing Container-based SLSA 3 Builder on GitHub Actions" | ||
author: "Asra Ali, Razieh Behjati, Tiziano Santoro (Google)" | ||
is_guest_post: false | ||
--- | ||
|
||
Following the recent [launch of SLSA v1.0](https://openssf.org/press-release/2023/04/19/openssf-announces-slsa-version-1-0-release/), we’re announcing a new, [GitHub Actions workflow](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/docker) that achieves SLSA Build Track Level 3 for provenance generation. This lets users generate [unforgeable provenance](/spec/v1.0/requirements#provenance-unforgeable), allowing consumers to trust _and_ verify how their software artifacts were built. The container-based SLSA 3 builder is the result of a collaboration between the Google Open Source Security Team (GOSST), the SLSA community, and [Project Oak](https://github.com/project-oak/oak). | ||
|
||
# **How it works** | ||
|
||
The new container-based SLSA 3 builder runs a containerised build in a secure environment and generates an unforgeable provenance statement of the execution, all in an ecosystem-agnostic way that’s easy to add to your GitHub CI. | ||
|
||
To ensure unforgeability of provenance, the container-based SLSA 3 builder uses the same secure build mechanisms used in other SLSA builders and generators, relying on GitHub reusable workflows and ephemeral VM containers for isolation. For more details, see the [technical design document](https://github.com/slsa-framework/slsa-github-generator/blob/main/SPECIFICATIONS.md). As before, we rely on OpenID Connect (OIDC) with [Sigstore](https://www.sigstore.dev/) tooling to prove the identity of the workflow. These provide the workflow identity guarantees described in [an earlier blog post](https://security.googleblog.com/2022/04/improving-software-supply-chain.html) that announced the generic SLSA 3 generator. | ||
|
||
The builder allows a developer to run a custom command in [a container](https://opencontainers.org/) in a secure environment, which gives the developer full control of the environment and customization of the container’s function. For example, the developer may choose to use the command to build a binary artifact, or produce metadata like [OpenSSF’s Scorecard](https://securityscorecards.dev/) reports. | ||
|
||
## **Enhanced provenance verification with the new workflow** | ||
|
||
The container-based SLSA 3 builder differs from earlier builders and generators in the content of the generated provenance statements, and therefore how they can be verified. Like all provenance generated by all SLSA 3 builders and generators, you can trace the binary to its source code and verify the builder’s identity---and now, you can additionally perform detailed verification of the build process. | ||
|
||
For instance, the provenance produced by the generic [SLSA 3 provenance generator minimally contains](/_posts/2022-08-29-slsa-github-workflows-generic-ga) the source GitHub repository and a reference to the workflow file that built the artifact. This workflow may contain any operation, ranging from copying a pre-built binary from another resource to running a massive build script. Because the provenance does not include these details, verifiers need to audit the referenced workflow file to establish trust in the build process. | ||
|
||
The container-based SLSA 3 builder simplifies and enhances provenance verification by including the build process directly inside the provenance. This is enabled by a Docker-based build tool used internally in the container-based SLSA 3 builder for building the binaries and the new SLSA v1.0 provenance format. In particular, it includes the builder image and command directly inside the build definition: | ||
|
||
```json | ||
"buildDefinition":{ | ||
"buildType":"https://slsa.dev/container-based-build/v0.1?draft", | ||
"externalParameters":{ | ||
"source":{ | ||
"uri":"git+https://github.com/slsa-framework/[email protected]", | ||
"digest":{ | ||
"sha1":"ca220e54c07b6fcdd758184a12c132ee3ae531f1" | ||
} | ||
}, | ||
"builderImage":{ | ||
"uri":"rust@sha256:74ad9d14ec89bc4e83bf2a3d007fd981513ee4b44279b40d3a90c001a6ca938c", | ||
"digest":{ | ||
"sha256":"74ad9d14ec89bc4e83bf2a3d007fd981513ee4b44279b40d3a90c001a6ca938c" | ||
} | ||
}, | ||
"configPath":".github/configs-docker/release-config.toml", | ||
"buildConfig":{ | ||
"ArtifactPath":"target/release/my-rust-app", | ||
"Command":[ | ||
"cargo", "build", "--release" | ||
] | ||
} | ||
} | ||
} | ||
``` | ||
|
||
# **Next Steps** | ||
|
||
If your builds are already containerized, we encourage you to give the container-based SLSA 3 builder a try---see the step-by-step guide in our [onboarding tutorial.](https://github.com/project-oak/hello-transparent-release/blob/main/README.md) Otherwise, we suggest containerizing your build, which also improves the [reproducibility](https://reproducible-builds.org/) of your binaries, and adopting the container-based SLSA 3 builder. | ||
|
||
Once you have generated a SLSA provenance with the container-based SLSA 3 builder, the next step to complete the lifecycle is to provide instructions to [verify the artifacts](/spec/v1.0/verifying-artifacts), including using the [slsa-verifier](https://github.com/slsa-framework/slsa-verifier) to verify the provenance. If you are using these artifacts in your own build pipeline, consider threat modeling your software supply chain and [building expectations](/spec/v1.0/verifying-artifacts#forming-expectations) for your build origins and process. | ||
|
||
Please share your success stories with us by creating a pull request to add your project to [the list of container-based SLSA 3 users](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/docker/README.md#users). Feel free to create issues on the [repository](https://github.com/slsa-framework/slsa-github-generator) if you have noticed any issues, or are missing features you need. We look forward to fulfilling new requests and accepting new contributors to create even more useful features going forward. |
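Review bot: the new post's file name, `docs/_posts/2023-06-13-slsa-github-worfklows-container-based.md`, misspells "workflows" as "worfklows"; Jekyll derives a post's URL from its file name, so the typo is baked into the permanent link and a later rename will break every inbound link. Rename the file before merging. In the same hunk, the reference to the earlier post uses the source path `/_posts/2022-08-29-slsa-github-workflows-generic-ga`, which is not a served URL on a Jekyll site (the `_posts` directory is build input, not output); link to that post's published permalink instead, and check that the other site-relative links (`/spec/v1.0/requirements#provenance-unforgeable`, `/spec/v1.0/verifying-artifacts#forming-expectations`) resolve on the built site. Minor: `[onboarding tutorial.](...)` puts the period inside the link text, and "containerised" is the only British spelling in the post.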
@@ -1,5 +1,5 @@ | ||
--- | ||
layout: redirect | ||
redirect_to_url: https://docs.google.com/document/d/1cx3fOBfic6A0xc2on25ITK4vQHUdxgBmJoSS1LPqDJo/edit | ||
redirect_to_url: https://docs.google.com/document/d/1JbJZxeZOWE7rxT24iEozX35LIUl_Yoqd-DeSm6309GA/edit | ||
sitemap: false | ||
--- |
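Review bot: the only change here is a swap of the Google Doc ID in `redirect_to_url`, and nothing in the diff says why, which is a problem for a file whose sole purpose is to send slsa.dev visitors to an external document. A hijacked or mistaken redirect would look exactly like this hunk, so before merging open the new target, confirm it is the document this page is meant to point to and that it is shared for public viewing, and record in the PR description why the previous document was retired.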
@@ -1,5 +1,5 @@ | ||
--- | ||
layout: redirect | ||
redirect_to_url: https://docs.google.com/document/d/1kMP62o3KI0IqjPRSNtUqADodBqpEL_wlL1PEOsl6u20/edit | ||
redirect_to_url: https://docs.google.com/document/d/1PwhekVB1iDpcgCQRNVN_aesoVdOiTruoebCs896aGxw/edit | ||
sitemap: false | ||
--- |
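Review bot: as with the other redirect file in this commit, this hunk replaces one Google Doc ID with another in `redirect_to_url`, and because the page carries `sitemap: false` and no content, neither the site build nor a crawler-based link check will notice if the new target is private or wrong. Have a reviewer open the new `/edit` URL from an account without edit rights to confirm it lands on a readable copy of the intended document rather than an access-request page, and consider keeping these externally pointing redirects in one place (for example a single data file) so that target changes are easier to audit.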