Supply Chain Security

SLSA Framework Implementation

Build Level Requirements

# Example SLSA Level 3 Build Definition
steps:
  - name: Build with provenance
    uses: slsa-framework/slsa-github-generator@v1
    with:
      base-image: 'alpine:3.19'
      provenance-name: 'multiple'
      private-key: ${{ secrets.SLSA_PRIVATE_KEY }}

Binary Authorization

Admission Controller Configuration

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SignedImages
metadata:
  name: require-signed-images
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: ["Pod"]
  parameters:
    authorities:
    - keyless:
        url: "spiffe://cluster.local/ns/cosign-system/sa/cosign"
        identities: ["*"]

Artifact Signing

Cosign Implementation

# Generate keypair
cosign generate-key-pair

# Sign container image
cosign sign --key cosign.key ${IMAGE_URI}

# Verify signature
cosign verify --key cosign.pub ${IMAGE_URI}

Software Bill of Materials (SBOM)

Syft Integration

name: Generate SBOM
on:
  push:
    branches: [ main ]
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Generate SBOM
        uses: anchore/syft-action@v0.7.0
        with:
          image: ${{ env.IMAGE_NAME }}
          format: spdx-json
          output: sbom.json

Secure Build Systems

Reproducible Builds

• Deterministic compilation

• Source verification

• Build environment isolation

• Artifact provenance

Attestation Management

• In-toto attestations

• Policy enforcement

• Chain of custody

• Trust boundaries

Best Practices

1. Dependency Management

   • Use private artifact repositories

   • Implement dependency pinning

   • Regular vulnerability scanning

   • Automated updates

2. Build Security

   • Hermetic builds

   • Build reproducibility

   • Environment isolation

   • Resource integrity

3. Artifact Management

   • Signature verification

   • SBOM generation

   • Provenance tracking

   • Policy enforcement