freundcloud

Supply Chain Security

SLSA Framework Implementation

Build Level Requirements

# Example SLSA Level 3 provenance job. slsa-github-generator is a reusable
# workflow, so it is called with `uses:` at job level (not as a step), must be
# pinned to a full vX.Y.Z tag (short refs such as @v1 are rejected), and signs
# keylessly through Sigstore, so no private key secret is involved.
provenance:
  needs: [build]          # a build job that outputs its sha256sum lines, base64-encoded
  permissions:
    actions: read
    id-token: write       # OIDC token for keyless signing
    contents: write
  uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
  with:
    base64-subjects: ${{ needs.build.outputs.hashes }}
    provenance-name: multiple.intoto.jsonl

Binary Authorization

Admission Controller Configuration

# Sigstore policy-controller ClusterImagePolicy. Gatekeeper constraints cannot
# verify signatures on their own, and a keyless authority identifies signers by
# OIDC issuer plus subject; a wildcard identity would accept any Sigstore signer.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: require-signed-images
spec:
  images:
  - glob: "registry.example.com/**"      # placeholder registry
  authorities:
  - keyless:
      url: https://fulcio.sigstore.dev
      identities:
      - issuer: https://token.actions.githubusercontent.com
        subject: https://github.com/example-org/example-app/.github/workflows/build.yml@refs/heads/main   # placeholder workflow identity

Artifact Signing

Cosign Implementation

# Generate keypair (cosign.key is passphrase-protected; keep it in a secret
# manager and distribute only cosign.pub)
cosign generate-key-pair

# Sign container image; reference it by digest, since a tag can be re-pointed
# after signing (e.g. registry.example.com/app@sha256:<digest>)
cosign sign --key cosign.key ${IMAGE_URI}

# Verify signature before deploying; a non-zero exit status means the
# signature is missing or does not match cosign.pub
cosign verify --key cosign.pub ${IMAGE_URI}

Software Bill of Materials (SBOM)

Syft Integration

name: Generate SBOM
on:
  push:
    branches: [ main ]
env:
  IMAGE_NAME: registry.example.com/app@sha256:<digest>   # placeholder; set to the image that was just built
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Generate SBOM
        # Syft is wrapped by anchore/sbom-action; the input for the output path is output-file
        uses: anchore/sbom-action@v0
        with:
          image: ${{ env.IMAGE_NAME }}
          format: spdx-json
          output-file: sbom.spdx.json

Secure Build Systems

Reproducible Builds

  • Deterministic compilation
  • Source verification
  • Build environment isolation
  • Artifact provenance

Attestation Management

  • In-toto attestations
  • Policy enforcement
  • Chain of custody
  • Trust boundaries
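The provenance produced by the SLSA Level 3 job above is an in-toto Statement with a SLSA v1 predicate, and policy enforcement means checking that statement before an artifact is trusted. The following is an added example, not code from this page or from the SLSA project; it assumes the trusted builder prefix, source repository and artifact bytes shown as constants, and assumes the DSSE envelope signature has already been verified with slsa-verifier or cosign.

```python
import hashlib

# Trusted values are assumptions for this example; pin your own in real policy.
TRUSTED_BUILDER_PREFIX = ("https://github.com/slsa-framework/slsa-github-generator/"
                          ".github/workflows/generator_generic_slsa3.yml@refs/tags/")
TRUSTED_SOURCE = "git+https://github.com/example-org/example-app@refs/heads/main"

# Constructed sample artifact; in practice this is the released file on disk.
ARTIFACT = b"example release payload\n"


def sample_statement(artifact: bytes = ARTIFACT,
                     builder_id: str = TRUSTED_BUILDER_PREFIX + "v1.9.0") -> dict:
    """Minimal in-toto Statement with a SLSA v1 predicate (constructed test data)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "app.tar.gz",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {"resolvedDependencies": [
                {"uri": TRUSTED_SOURCE, "digest": {"gitCommit": "0" * 40}}]},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def verify_provenance(statement: dict, name: str, data: bytes) -> list:
    """Return policy violations; an empty list means the attestation passes.
    The envelope signature must already have been verified (e.g. slsa-verifier)."""
    errors = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        errors.append("not an in-toto v1 Statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        errors.append("predicateType is not SLSA provenance v1")
    # The artifact must be a subject and its sha256 must match what was attested.
    subject = next((s for s in statement.get("subject", []) if s.get("name") == name), None)
    if subject is None:
        errors.append(f"{name!r} is not a subject of the attestation")
    elif subject.get("digest", {}).get("sha256") != hashlib.sha256(data).hexdigest():
        errors.append("subject sha256 does not match the artifact")
    pred = statement.get("predicate", {})
    # Only the pinned SLSA L3 builder and the expected source repository are trusted.
    builder_id = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder_id.startswith(TRUSTED_BUILDER_PREFIX):
        errors.append(f"untrusted builder: {builder_id!r}")
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri") == TRUSTED_SOURCE for d in deps):
        errors.append("source repository is not the trusted one")
    return errors
```

A tampered artifact, a statement from another builder, or an artifact that is not a subject each produce a distinct violation, so the checks can be wired into the admission or release gate as a deny list.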

Best Practices

  1. Dependency Management
    • Use private artifact repositories
    • Implement dependency pinning
    • Regular vulnerability scanning
    • Automated updates
  2. Build Security
    • Hermetic builds
    • Build reproducibility
    • Environment isolation
    • Resource integrity
  3. Artifact Management
    • Signature verification
    • SBOM generation
    • Provenance tracking
    • Policy enforcement