
Practical document describing how to achieve SLSA compliance with GitHub

Open joshuagl opened this issue 3 years ago • 6 comments

Start capturing a cookbook/recipe for how to use GitHub features to meet as many SLSA requirements as possible.

Several folks are hearing about SLSA for the first time thanks to a strong representation at KubeCon and similar; while SLSA is fresh in their minds, it would be good to help them understand how to achieve SLSA compliance with the tools they are using today.

For many open source projects, the tools in use are GitHub.

This will be a living document because things are changing quickly in this space as SLSA gains traction, tooling is developed and platforms evolve.

Originally posted by @joshuagl in https://github.com/slsa-framework/slsa/issues/180#issuecomment-942451836

joshuagl avatar Oct 18 '21 11:10 joshuagl

GitHub is great, but for many folks their CI systems are different. It would be nice to have a common library that can interface with these systems. For example, generating provenance files not only for GitHub Actions, but also for other common build tools.

I am not saying create a new library that will interact with each individual tool, but have something abstracted enough that gives most generic types for generating provenance and can be expanded by the library consumers.

hi-artem avatar Oct 18 '21 23:10 hi-artem

We most definitely want to have generic libraries which can generate attestations for integration into different CI/CD and build platforms. Is there a particular language you are looking for?

There is support today in in-toto-golang for creating attestations and SLSA provenance predicates (see model). There are also some WIP PRs to add attestations and provenance predicates to in-toto-python and in-toto-java.

joshuagl avatar Oct 19 '21 10:10 joshuagl
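To make the "generic provenance generation" idea above concrete, here is an added example (not code from the SLSA project or from in-toto-golang) of the CI-agnostic core such a library would expose: an in-toto Statement carrying a SLSA provenance v0.2 predicate, built with only the Go standard library. The builder id, build type and repository URI are placeholders, and the artifact bytes are constructed; a platform-specific plugin (GitHub Actions, Buildkite, and so on) would supply the real values.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
)

// Field names follow the in-toto Statement and SLSA provenance v0.2 schemas;
// these are standard-library stand-ins, not in-toto-golang's own types.
type (
	DigestSet map[string]string
	Subject   struct {
		Name   string    `json:"name"`
		Digest DigestSet `json:"digest"`
	}
	Material struct {
		URI    string    `json:"uri"`
		Digest DigestSet `json:"digest"`
	}
	Predicate struct {
		Builder   struct{ ID string `json:"id"` } `json:"builder"`
		BuildType string                             `json:"buildType"`
		Materials []Material                         `json:"materials"`
	}
	Statement struct {
		Type          string    `json:"_type"`
		PredicateType string    `json:"predicateType"`
		Subject       []Subject `json:"subject"`
		Predicate     Predicate `json:"predicate"`
	}
)

// BuildProvenance is the CI-agnostic core: a platform plugin (GitHub Actions,
// Buildkite, ...) supplies builder id, build type and source material, while the
// subject digest is computed here from the artifact bytes rather than trusted.
func BuildProvenance(builderID, buildType string, src Material, name string, artifact []byte) Statement {
	sum := sha256.Sum256(artifact)
	var p Predicate
	p.Builder.ID = builderID
	p.BuildType = buildType
	p.Materials = []Material{src}
	return Statement{
		Type:          "https://in-toto.io/Statement/v0.1",
		PredicateType: "https://slsa.dev/provenance/v0.2",
		Subject:       []Subject{{Name: name, Digest: DigestSet{"sha256": hex.EncodeToString(sum[:])}}},
		Predicate:     p,
	}
}
```

The returned Statement marshals with encoding/json into the payload that an attestation envelope (for example DSSE) would then sign; the `_type` and `predicateType` URIs are what a verifier keys on.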

We now have several ways to generate provenance so we should have a proper guide on the site:

  • GitHub Actions: https://github.com/slsa-framework/github-actions-demo
  • Azure Pipelines: https://github.com/slsa-framework/azure-devops-demo (thanks @gattjoe!)
  • Buildkite: https://github.com/hi-artem/provenance-generator-buildkite-plugin (thanks @hi-artem!)
  • Tekton: https://github.com/tektoncd/chains (is this the best link?)
  • Google Cloud Build: https://cloud.google.com/build/docs/securing-builds/use-provenance-and-binary-authorization (is this the best link?)

Should we expand this issue to cover all these, or file a separate issue?

MarkLodato avatar Oct 19 '21 13:10 MarkLodato

@joshuagl @MarkLodato Got it! So, maybe we should improve docs to mention those libraries (especially in-toto-golang)/projects? I think it would be helpful for people starting with SLSA to have a way to generate provenance without having to script the whole JSON generation themselves. This would also allow for easier upgrades in the future, if all the provenances are generated using the common library.

hi-artem avatar Oct 20 '21 15:10 hi-artem

Agreed, I think we should add documentation calling out these libraries/implementations. I think it's out of the scope of the issue here (to document a GitHub case study), so perhaps we should create a separate issue or re-scope this one (given the discussion) and create a new issue for the original case-study idea.

I just discovered another SLSA provenance generating GitHub Action we might want to link to: https://github.com/philips-labs/slsa-provenance-action

joshuagl avatar Oct 22 '21 10:10 joshuagl

R.e.: https://github.com/slsa-framework/slsa/issues/185#issuecomment-946733812 Rel: #124

devmoran avatar Nov 24 '21 15:11 devmoran