ci(.github)[SEC-1084]: SLSA supply chain security controls #170
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
saisatishkarra
force-pushed
the
feat/slsa
branch
19 times, most recently
from
50f22bf to
5c839cd
Compare
vsofronievk
approved these changes
Apr 25, 2024
saisatishkarra
force-pushed
the
feat/slsa
branch
5 times, most recently
from
c83353b to
659de25
Compare
ci(.github)[SEC-1109]: container image signing ci(.github)[SEC-1110]: container image provenance ci(.github)[SEC-1111]: generate container image sbom ci(.github)[SEC-1115]: perform sca analysis for code repository ci(.github)[SEC-1116]: perform container vulnerability scanning doc(readme): Add SLSA assets access and verification steps
saisatishkarra
force-pushed
the
feat/slsa
branch
from
659de25 to
38c42e6
Compare
saisatishkarra
requested review from
vsofronievk
and removed request for
vsofronievk
jackkav
approved these changes
Apr 26, 2024
filfreire
approved these changes
Apr 26, 2024
jackkav
reviewed
Apr 26, 2024
jackkav
approved these changes
Apr 26, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
New
release / tageventpush / prClarifications Needed
README.mdwith information on how to access and verify security assets.sha256:xxx.sig) && image provenance to DockerHub instead of GHCR to manage centrally. As of today, BOTH images and signatures are stored today in GHCR forkong/insomnia-mockbinexport COSIGN_REPOSITORY=<notary-repo>during image signature verification against DockerHub that can be added to readme.docker.io/kong/notary:public(for release tags)docker.io/kong/notary-internal:private(for master / nightly builds) and any future internal / PR buildsgenerated / produced / verifieduntil a draft release / tag event is created. Quick glance reveals no tags / releases were made since 2 years. I would need assistance from someone to merge this PR into master and / or create a dummy tag / release branch to verify the slsa work.Dependencies
id-token.Solution Docs
https://konghq.atlassian.net/wiki/spaces/KS/pages/3563356245/Design+-+SBOM+-+SYFT
https://konghq.atlassian.net/wiki/spaces/KS/pages/3576725784/Design+-+Provenance
https://konghq.atlassian.net/wiki/spaces/KS/pages/3576987745/Design+-+Container+Image+Signing
https://konghq.atlassian.net/wiki/spaces/KS/pages/3563782196/Design+-+SAST+SCA
JIRA / Tickets
ci(.github)SEC-1109: container image signing
ci(.github)SEC-1110: container image provenance
ci(.github)SEC-1111: generate container image sbom
ci(.github)SEC-1115: perform sca analysis for code repository
ci(.github)SEC-1116: perform container vulnerability scanning