# Supply Chain Security

## SLSA Framework Implementation

### Build Level Requirements
```yaml
# Example SLSA Level 3 build definition (GitHub Actions). The provenance
# generator runs as a trusted reusable workflow referenced at the job level,
# so the build job cannot forge its own provenance, and it signs keylessly
# through Sigstore, so no private signing key is stored in secrets.
jobs:
  provenance:
    needs: [build]               # the build job exports sha256sums of its outputs
    permissions:
      actions: read
      id-token: write            # OIDC token used for keyless signing
      contents: write
    # pin to a full release tag (e.g. v2.0.0); the generator rejects floating refs
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: ${{ needs.build.outputs.hashes }}
      provenance-name: 'multiple.intoto.jsonl'
```
## Binary Authorization

### Admission Controller Configuration
```yaml
# Gatekeeper constraint. The "SignedImages" kind and the schema of the
# parameters block come from a ConstraintTemplate that must already be
# installed in the cluster; they are not a built-in Gatekeeper API.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SignedImages
metadata:
  name: require-signed-images
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    authorities:
      - keyless:
          url: "spiffe://cluster.local/ns/cosign-system/sa/cosign"
          # "*" accepts any identity this issuer vouches for; narrowing it to
          # the signing workflow's identity is what makes the check meaningful
          identities: ["*"]
```
## Artifact Signing

### Cosign Implementation
```shell
# Generate a keypair: cosign.key is passphrase-encrypted and stays with the
# signer, cosign.pub is distributed to verifiers
cosign generate-key-pair
# Sign the container image; referring to it by digest (image@sha256:...) binds
# the signature to exact content rather than to a mutable tag
cosign sign --key cosign.key "${IMAGE_URI}"
# Verify the signature before the image is deployed
cosign verify --key cosign.pub "${IMAGE_URI}"
```
## Software Bill of Materials (SBOM)

### Syft Integration
```yaml
name: Generate SBOM
on:
  push:
    branches: [ main ]
env:
  IMAGE_NAME: ghcr.io/OWNER/IMAGE:TAG   # placeholder: the image to inventory
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Generate SBOM
        # Syft's official GitHub Action is anchore/sbom-action
        uses: anchore/sbom-action@v0
        with:
          image: ${{ env.IMAGE_NAME }}
          format: spdx-json
          output-file: sbom.json
```
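Producing the SBOM is only the first half; something has to read it. The following script is an added example (not Syft's or the page's own code) that loads an SPDX-JSON document in the layout Syft emits, builds a package inventory from the purl references, and applies a simple policy: every package needs a version and a checksum, its concluded license must be on an allow-list, and the same package at two versions is flagged. The SBOM below is constructed sample data; the package names, versions and checksum values are placeholders.

```python
import json
from collections import Counter
from typing import Optional

# Constructed SPDX 2.3 document in the layout Syft's spdx-json output uses.
# Package names, versions and the checksum value are sample data, not real hashes.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app",
    "packages": [
        {"SPDXID": "SPDXRef-Package-apk-musl", "name": "musl", "versionInfo": "1.2.4-r2",
         "licenseConcluded": "MIT",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "ab" * 32}],  # placeholder
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:apk/alpine/musl@1.2.4-r2?arch=x86_64"}]},
        {"SPDXID": "SPDXRef-Package-npm-example-util", "name": "example-util", "versionInfo": "1.0.0",
         "licenseConcluded": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/example-util@1.0.0"}]},
        {"SPDXID": "SPDXRef-Package-npm-example-util-2", "name": "example-util", "versionInfo": "0.9.0",
         "licenseConcluded": "GPL-3.0-only",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/example-util@0.9.0"}]},
        {"SPDXID": "SPDXRef-Package-python-example-client", "name": "example-client", "versionInfo": "",
         "licenseConcluded": "Apache-2.0"},
    ],
})


def load_sbom(text: str) -> dict:
    """Parse the document and reject anything that is not SPDX."""
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        raise ValueError("not an SPDX document")
    return doc


def purl_of(pkg: dict) -> Optional[str]:
    """Package URL from the externalRefs block, if the tool recorded one."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return None


def inventory(doc: dict) -> list:
    """Sorted package identifiers: the purl where present, else name@version."""
    ids = []
    for pkg in doc.get("packages", []):
        ids.append(purl_of(pkg) or f"{pkg.get('name')}@{pkg.get('versionInfo') or '?'}")
    return sorted(ids)


def audit_sbom(doc: dict, allowed_licenses: set) -> list:
    """Return (SPDXID, finding) pairs for packages that fail the inventory policy."""
    findings = []
    packages = doc.get("packages", [])
    versions_by_name = Counter(pkg.get("name") for pkg in packages)
    for pkg in packages:
        sid = pkg.get("SPDXID", "?")
        if not pkg.get("versionInfo"):
            findings.append((sid, "no version recorded; cannot match against advisories"))
        if not pkg.get("checksums"):
            findings.append((sid, "no checksum; package contents cannot be verified"))
        lic = pkg.get("licenseConcluded", "NOASSERTION")
        if lic not in allowed_licenses:
            findings.append((sid, f"license {lic} not in allow-list"))
        if versions_by_name[pkg.get("name")] > 1:
            findings.append((sid, "same package present at multiple versions"))
    return findings


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    for entry in inventory(sbom):
        print(entry)
    for sid, finding in audit_sbom(sbom, {"MIT", "Apache-2.0"}):
        print(f"{sid}: {finding}")
```

In a pipeline the audit would run on the `sbom.json` the workflow above writes, with the allow-list and the advisory match coming from the organisation's policy; the checksum rule is what lets a later verifier confirm that the shipped package bytes are the ones the SBOM describes.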
## Secure Build Systems

### Reproducible Builds

- Deterministic compilation: the same source and toolchain produce byte-identical output
- Source verification: inputs are fetched by commit or digest and checked before use
- Build environment isolation: no network or state leaks from one build into another
- Artifact provenance: a record of what was built, from what, and by whom
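Most non-reproducibility comes from the packaging step rather than the compiler: archive entry order, file timestamps, the builder's uid and the gzip header timestamp all leak into the bytes. The script below is an added example (not part of this page) that packages the same set of in-memory files twice, once the way a plain `tar czf` would record them and once with every such source of variation normalised, and compares the resulting SHA-256 digests. The file contents, timestamps and uid are constructed sample values.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample inputs: the same two files, supplied in different orders,
# as two build machines walking a directory might list them.
FILES_A = {"bin/app": b"#!/bin/sh\necho hello\n", "etc/app.conf": b"level=3\n"}
FILES_B = {"etc/app.conf": b"level=3\n", "bin/app": b"#!/bin/sh\necho hello\n"}


def build_artifact(files: dict, deterministic: bool, build_time: int, builder_uid: int = 1000) -> str:
    """Package `files` ({path: bytes}) as a .tar.gz and return the SHA-256 of the archive.

    deterministic=False records what a plain tar invocation would: directory-walk
    order, the build machine's clock and the builder's uid/gid.
    deterministic=True sorts entries and pins timestamps and ownership to zero.
    """
    names = sorted(files) if deterministic else list(files)
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            if deterministic:
                info.mtime, info.uid, info.gid = 0, 0, 0
                info.uname = info.gname = ""
            else:
                info.mtime, info.uid, info.gid = build_time, builder_uid, builder_uid
                info.uname = info.gname = "builder"
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    # gzip stamps its own timestamp into the header; pin it to 0 as well
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0 if deterministic else build_time) as gz:
        gz.write(raw.getvalue())
    return hashlib.sha256(out.getvalue()).hexdigest()


def is_reproducible(deterministic: bool) -> bool:
    """Simulate two independent builders (different clock, uid and walk order)."""
    first = build_artifact(FILES_A, deterministic, build_time=1700000000, builder_uid=1000)
    second = build_artifact(FILES_B, deterministic, build_time=1700003600, builder_uid=501)
    return first == second


if __name__ == "__main__":
    print("naive packaging reproducible:", is_reproducible(False))
    print("normalised packaging reproducible:", is_reproducible(True))
```

The normalised archive still changes when the contents change, which is the property a second, independent builder relies on: two machines that agree on the digest have verified the artifact, and a disagreement points at a real difference rather than at the clock.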
### Attestation Management

- In-toto attestations: signed statements binding an artifact digest to a predicate such as SLSA provenance
- Policy enforcement: admission decisions driven by attestation content rather than by tag or name
- Chain of custody: each step's output is the verified input of the next
- Trust boundaries: a clear list of which builders, signers and issuers are trusted
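The four bullets above come together in one routine: given a provenance attestation, decide whether the artifact in hand may be admitted. The example below is added here and is not the in-toto or SLSA projects' own code. It builds an in-toto v1 Statement with a SLSA v1 provenance predicate (the field names are the published ones; the builder id, source repository, build type and commit are constructed placeholders) and then enforces a policy: the artifact's digest must appear among the subjects, the builder must be on the trusted list, and the source must be resolved to a full git commit. It assumes the DSSE envelope signature has already been verified by the signing tool (for example by cosign or slsa-verifier); only the statement's content is checked here.

```python
import hashlib
import json
import re

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Assumed policy inputs. The builder id is shaped like the one slsa-github-generator
# writes, but the tag suffix is a placeholder; the source repo is constructed.
TRUSTED_BUILDERS = {
    "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/"
    "generator_generic_slsa3.yml@refs/tags/vX.Y.Z"
}
EXPECTED_SOURCE = "git+https://github.com/example-org/example-app"


def make_statement(artifact_name: str, artifact: bytes, builder_id: str, source_uri: str, commit: str) -> dict:
    """Construct a sample in-toto v1 Statement carrying a SLSA v1 provenance predicate."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": artifact_name,
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/buildtypes/ci/v1",  # placeholder build type
                "externalParameters": {"source": source_uri},
                "resolvedDependencies": [{"uri": source_uri, "digest": {"gitCommit": commit}}],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def check_provenance(statement: dict, artifact: bytes,
                     trusted_builders=TRUSTED_BUILDERS, expected_source=EXPECTED_SOURCE) -> list:
    """Return policy violations for a provenance statement whose signature was already verified.

    An empty list means the artifact may be admitted.
    """
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("not an in-toto v1 Statement")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        problems.append("predicate is not SLSA provenance v1")

    # The subject digest is what ties the attestation to the bytes we actually hold.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in statement.get("subject", [])):
        problems.append("artifact digest does not match any provenance subject")

    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        problems.append(f"untrusted builder: {builder}")

    # The source must be present and resolved to an immutable commit, not a branch name.
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    source = [d for d in deps if d.get("uri") == expected_source]
    if not source:
        problems.append(f"expected source {expected_source} not among resolved dependencies")
    elif not all(re.fullmatch(r"[0-9a-f]{40}", d.get("digest", {}).get("gitCommit", ""))
                 for d in source):
        problems.append("source is not pinned to a full git commit")
    return problems


if __name__ == "__main__":
    artifact = b"constructed artifact bytes"
    stmt = make_statement("app", artifact, next(iter(TRUSTED_BUILDERS)), EXPECTED_SOURCE, "a" * 40)
    print(json.dumps(stmt, indent=2))
    print("violations:", check_provenance(stmt, artifact))
```

The same checks map onto the admission controller above: a policy engine that trusts only a named builder and a pinned source rejects a binary that was built elsewhere or from an unreviewed branch even when its signature is otherwise valid.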
## Best Practices

### Dependency Management

- Use private artifact repositories
- Implement dependency pinning
- Regular vulnerability scanning
- Automated updates
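Dependency pinning applies to the pipeline itself as much as to application libraries: an action referenced by a floating tag or a base image referenced by tag can change underneath a build. The checker below is an added example, not part of this page or of any tool it names. It scans a workflow file line by line and reports every `uses:` reference that is not pinned to a 40-hex commit SHA and every `image:`/`base-image:` reference that is not pinned by digest. One allowance is built in: the slsa-github-generator reusable workflows are meant to be referenced by their release tag, so a full `vX.Y.Z` tag on a `.github/workflows/` path is accepted. The sample workflow is constructed (its unpinned lines mirror the snippets on this page) and the all-zero SHA and digest are placeholders.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SEMVER_TAG_RE = re.compile(r"^v\d+\.\d+\.\d+$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
IMAGE_RE = re.compile(r"^\s*(?:base-)?image:\s*['\"]?([^\s'\"#]+)")

# Constructed workflow excerpt; the 40-zero SHA and 64-zero digest are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0000000000000000000000000000000000000000
      - uses: ./.github/actions/local-build
      - name: Build with provenance
        uses: slsa-framework/slsa-github-generator@v1
        with:
          base-image: 'alpine:3.19'
  provenance:
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
  scan:
    container:
      image: ghcr.io/example/scanner@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""


def find_unpinned(workflow_text: str) -> list:
    """Return (line_no, ref, reason) for each action or image not pinned to immutable content."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./"):
                continue  # local action: versioned together with the repository itself
            _, _, version = ref.rpartition("@")
            if SHA_RE.match(version):
                continue
            # slsa-github-generator reusable workflows are referenced by release tag by
            # design, so a full semver tag on a workflow path is treated as pinned.
            if ".github/workflows/" in ref and SEMVER_TAG_RE.match(version):
                continue
            findings.append((n, ref, "action not pinned to a commit SHA"))
            continue
        m = IMAGE_RE.match(line)
        if m:
            ref = m.group(1)
            if "@sha256:" not in ref:
                findings.append((n, ref, "image not pinned by digest"))
    return findings


if __name__ == "__main__":
    for line_no, ref, reason in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {reason}")
```

Running this as a pre-merge check on `.github/workflows/` turns "implement dependency pinning" from a guideline into something a reviewer cannot forget; the automated-update tooling then bumps the SHAs and digests it finds.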
### Build Security

- Hermetic builds
- Build reproducibility
- Environment isolation
- Resource integrity
### Artifact Management

- Signature verification
- SBOM generation
- Provenance tracking
- Policy enforcement