
[docs] Verifying provenance with OPA

Open ianlewis opened this issue 3 years ago • 2 comments

Docs on verifying provenance generated by the generic workflow with Open Policy Agent

ianlewis avatar Jun 24 '22 07:06 ianlewis

Getting OPA working will likely require a good amount of work. I don't see any SLSA verification tools yet and we would want one that works with Kubernetes and ideally isn't a lot more maintenance work than the existing Kubernetes Admission Control integrations like gatekeeper.

Some problems to solve:

  1. implementation approach: add functionality to gatekeeper? or create a separate admission controller to verify SLSA provenance.
  2. policy format: OPA works well for simple verification on JSON data, but we will want to allow verification on other supplementary data like the signing key's subject and other metadata.
  3. policy packages: gatekeeper has several packages for making writing Kubernetes policies easier. Do we need anything like that?
  4. flexibility: We would want to make it flexible enough that it can work with sigstore etc. outside of just this project, i.e. building on something other than GitHub. How would this be different from the existing sigstore policy-controller?

ianlewis avatar Jun 28 '22 03:06 ianlewis
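Point 2 above (policy over the provenance JSON plus supplementary data such as the signing identity) is what the example below exercises. It is an added illustration, not code from slsa-github-generator or from OPA: a small Python policy evaluator that checks the same things a Rego policy would, but takes the signer's certificate subject and issuer as a second input because they are not part of the provenance document. The in-toto statement type, SLSA predicate type and DSSE payload type are the published format identifiers; the builder ID, signer identity and artifact are constructed placeholders, and the DSSE signature is assumed to have been verified before the policy runs.

```python
"""Added example: policy evaluation over a SLSA provenance statement plus
supplementary signer data (not project code; identities are placeholders)."""
import base64
import hashlib
import json

# Published format identifiers for the statement, predicate and envelope.
IN_TOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SLSA_PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Placeholder identities (assumptions): a real policy pins the builder ID of the
# generic workflow and the OIDC identity the signing certificate was issued to.
EXPECTED_BUILDER_ID = "https://builder.example.invalid/generic-workflow@v1"
EXPECTED_SIGNER = {
    "subject": "https://builder.example.invalid/generic-workflow@v1",
    "issuer": "https://oidc.example.invalid",
}

# Constructed artifact; the policy compares its digest with the provenance subject.
ARTIFACT_BYTES = b"constructed release artifact\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT_BYTES).hexdigest()


def sample_statement(sha256=ARTIFACT_SHA256, builder_id=EXPECTED_BUILDER_ID):
    """Constructed in-toto statement shaped like SLSA provenance v0.2
    (predicate fields other than builder.id are omitted)."""
    return {
        "_type": IN_TOTO_STATEMENT_TYPE,
        "predicateType": SLSA_PREDICATE_TYPE,
        "subject": [{"name": "artifact.tar.gz", "digest": {"sha256": sha256}}],
        "predicate": {"builder": {"id": builder_id}},
    }


def make_envelope(statement):
    """Wrap a statement in a DSSE-shaped envelope (constructed; the signature
    is a placeholder because signature checking happens before policy)."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": DSSE_PAYLOAD_TYPE, "payload": payload,
            "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}]}


def decode_statement(envelope):
    """Unwrap the statement from an envelope whose signature was already verified."""
    if envelope.get("payloadType") != DSSE_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType: {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def evaluate_policy(statement, signer, artifact_sha256,
                    expected_builder_id=EXPECTED_BUILDER_ID,
                    expected_signer=EXPECTED_SIGNER):
    """Return (allowed, reasons). `statement` is the provenance JSON; `signer`
    is supplementary data (certificate subject/issuer) outside that JSON."""
    reasons = []
    if statement.get("_type") != IN_TOTO_STATEMENT_TYPE:
        reasons.append("statement _type is not an in-toto statement")
    if statement.get("predicateType") != SLSA_PREDICATE_TYPE:
        reasons.append("predicateType is not SLSA provenance")
    subjects = statement.get("subject") or []
    if not any(s.get("digest", {}).get("sha256", "").lower() == artifact_sha256.lower()
               for s in subjects):
        reasons.append("artifact digest does not match any provenance subject")
    builder_id = statement.get("predicate", {}).get("builder", {}).get("id")
    if builder_id != expected_builder_id:
        reasons.append(f"unexpected builder.id {builder_id!r}")
    # The signer identity is not in the provenance document, so it is checked
    # against the separately supplied certificate data.
    for field in ("subject", "issuer"):
        if signer.get(field) != expected_signer[field]:
            reasons.append(f"signer {field} {signer.get(field)!r} not trusted")
    return (not reasons, reasons)


if __name__ == "__main__":
    stmt = decode_statement(make_envelope(sample_statement()))
    print(evaluate_policy(stmt, EXPECTED_SIGNER, ARTIFACT_SHA256))
    print(evaluate_policy(sample_statement(sha256="00" * 32), EXPECTED_SIGNER, ARTIFACT_SHA256))
```

The two-input shape is the point: a Rego policy given only the decoded statement can pin the builder ID and the subject digest, but trusting the signing identity requires the verifier to hand the certificate's subject and issuer to the policy as well, which is the gap the issue describes.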

Probably, examples that use sigstore policy-controller with cue are a more practical goal for GA of the generic workflows.

ianlewis avatar Jun 28 '22 03:06 ianlewis

Moving off the milestone since OPA doesn't have support for SLSA yet.

ianlewis avatar Nov 09 '22 08:11 ianlewis