Skip to content

Lab/Example - Link to the KubeCon CloudNativeCon NA 2024

License

Notifications You must be signed in to change notification settings

AEnguerrand/kubecon-cloudnativecon-na-2024-supply-chain-security-lab

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

KubeCon CloudNativeCon NA 2024 Supply Chain Security Lab

Lab/Example repository linked to KubeCon CloudNativeCon NA 2024.

Overview

This lab demonstrates a supply chain security example using container images and npm packages. It includes building, attesting, and pushing container images and npm packages, as well as verifying SLSA/in-toto attestations.

Technologies Used:

  • SLSA (Supply-chain Levels for Software Artifacts): A security framework providing a checklist of standards and controls to prevent tampering and improve software supply chain integrity.
  • in-toto: A framework for securing the integrity of software supply chains.
  • Cosign: A tool for container signing, verification, and storage in an OCI registry.
  • Sigstore: An open-source project that provides a standard for signing, verifying, and protecting software.
  • GitHub Actions: Automate, customize, and execute your software development workflows.

Note

This lab repository is linked to a KubeCon/CloudNativeCon talk. More information and slides are available at: Event Link

Prerequisites

  • Docker: For building and running container images.
  • Node.js and npm: For building and publishing npm packages.
  • GitHub CLI (gh): For verifying attestations. Installation Guide
  • Cosign CLI: For verifying signatures and attestations. Installation Guide
  • jq utility: For parsing JSON data in the command line. Installation Guide

Table of Contents

Build Side

Inside this repository, you can find two build and publish workflows: one for the container image and one for the npm package.

Each of these workflows builds, attests, and publishes their build output.

Caution

It's important to generate and sign the attestation inside the job performing the build to avoid any modification outside of the job execution.

Container Image

For the container image, you can use GitHub's Attest/Provenance feature to easily integrate with Cosign and in-toto. Inside the docker workflow, the following section handles the attestation:

- name: Generate container image attestation
  uses: actions/attest-build-provenance@v1
  with:
    subject-name: ghcr.io/${{ env.CONTAINER_IMAGE_NAME }}
    subject-digest: ${{ steps.build-and-push.outputs.digest }}
    push-to-registry: true

Tip

More information about the GitHub Attestation action based on Cosign/in-toto can be found here: Using artifact attestations to establish provenance for builds

NPM Package

In the NPM workflow, attestation is handled directly by the npm CLI, leveraging the OIDC provider of GitHub Actions with the --provenance flag:

npm publish --provenance --access public

Tip

More information about NPM provenance: Generating provenance statements

Runtime Side

When using the container image or the npm package, you can verify the attestation of these artifacts.

Container Image Verification

You can use the cosign or the GitHub CLI to verify the attestation. Here’s how to do it using the GitHub CLI:

gh attestation verify oci://ghcr.io/aenguerrand/kubecon-cloudnativecon-na-2024-supply-chain-security-lab@sha256:bba3fe3dd187e4a5ba2f3698e2396567326062fa --owner aenguerrand

If the verification is successful, you will see output similar to:

Loaded digest sha256:a70076b4b04e9c31938e698aba676012924c22d766ad83bf9c4c28d40be6a3bc for oci://ghcr.io/aenguerrand/kubecon-cloudnativecon-na-2024-supply-chain-security-lab@sha256:bba3fe3dd187e4a5ba2f3698e2396567326062fa
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:a70076b4b04e9c31938e698aba676012924c22d766ad83bf9c4c28d40be6a3bc was attested by:
REPO                                                                  PREDICATE_TYPE                  WORKFLOW                                     
AEnguerrand/kubecon-cloudnativecon-na-2024-supply-chain-security-lab  https://slsa.dev/provenance/v1  .github/workflows/docker.yaml@refs/heads/main

NPM Package Verification

For the NPM package, you can perform an initial check using the npm CLI:

  1. Install the package:

    npm install @aenguerrand/kubecon-cloudnativecon-na-2024-supply-chain-security-lab
  2. Run the audit:

    npm audit signatures

Alternatively, use the cosign CLI to verify the attestation:

  1. Download the package if you haven't already:

    curl -O https://registry.npmjs.org/@aenguerrand/kubecon-cloudnativecon-na-2024-supply-chain-security-lab/-/kubecon-cloudnativecon-na-2024-supply-chain-security-lab-0.1.0.tgz
  2. Retrieve the attestation from the npm registry:

    curl https://registry.npmjs.org/-/npm/v1/attestations/@aenguerrand/kubecon-cloudnativecon-na-2024-supply-chain-security-lab@0.1.0 | \
    jq '.attestations[] | select(.predicateType=="https://slsa.dev/provenance/v1").bundle' > npm-provenance.sigstore.json
  3. Verify the attestation:

    cosign verify-blob-attestation \
      --bundle npm-provenance.sigstore.json \
      --new-bundle-format \
      --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
      --certificate-identity="https://github.com/AEnguerrand/kubecon-cloudnativecon-na-2024-supply-chain-security-lab/.github/workflows/npm.yaml@refs/heads/main" \
      kubecon-cloudnativecon-na-2024-supply-chain-security-lab-0.1.0.tgz

If the verification is successful, you will see:

Verified OK

If not, you will receive an error message indicating the mismatch. For example:

Error: failed to verify certificate identity: no matching CertificateIdentity found, last error: expected SAN value "https://github.com/AEnguerrand/kubecon-cloudnativecon-na-2024-supply-chain-security-lab/.github/workflows/npm.yaml@refs/heads/dev", got "https://github.com/AEnguerrand/kubecon-cloudnativecon-na-2024-supply-chain-security-lab/.github/workflows/npm.yaml@refs/heads/main"
main.go:74: error during command execution: failed to verify certificate identity: no matching CertificateIdentity found, last error: expected SAN value "https://github.com/AEnguerrand/kubecon-cloudnativecon-na-2024-supply-chain-security-lab/.github/workflows/npm.yaml@refs/heads/dev", got "https://github.com/AEnguerrand/kubecon-cloudnativecon-na-2024-supply-chain-security-lab/.github/workflows/npm.yaml@refs/heads/main"

Tip

More information about Cosign verification for different kinds of registries can be found here: Cosign verify bundles

Additional Resources

About

Lab/Example - Link to the KubeCon CloudNativeCon NA 2024

Topics

Resources

License

Stars

Watchers

Forks

Packages