
SLSA Compliance Program

Status: Open. SecKatie opened this issue 2 years ago • 9 comments

  • Doc: https://docs.google.com/document/d/1iWjO4UGcGm0PeCm9mbqeT-PiD4z4S7qXMaZsGIFUn0s/edit
  • Presentation: https://docs.google.com/presentation/u/0/d/1oQoJYy9aCGvnEi43NtgSEfuw3IZbYRuapKFrwSceudA/edit

Background

The Supply Chain Levels for Software Artifacts (SLSA) framework provides a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises. A compliance program that gives explicit permission for organizations to assert their compliance with the SLSA program will allow companies to utilize their security efforts in marketing and allow consumers to evaluate their suppliers effectively.

The SLSA Compliance Program utilizes several common industry patterns to give consumers and businesses a transparent understanding of their rights and obligations when asserting compliance with the SLSA framework. This is provided through a self-assessment compliance program and an accredited third-party compliance program that are structured into tiers.

Next Steps

  • [x] Define the scope of the program - Decision: Initial Scope - Build Systems
    • [x] Let’s clarify what types of things would be certified: projects, repositories, practices, artifacts, suppliers, toolchains, closed source, etc.
  • [x] Discuss in the specification SIG
  • [x] Integrate compliance into requirements #572
  • [ ] Create certification and registry page #590
  • [ ] Standardize builder signing

SecKatie, Oct 20 '22 17:10

👍. We also need to figure out how to incorporate it into the specification.

MarkLodato, Oct 24 '22 15:10

Thank you for working on this!

I like the two-tiered proposal; getting folks (and process) up and running with a self-assessment while we figure out third-party feels like a sound approach.

The self-assessment process reminds me of the OpenSSF Best Practices badge, and their model of a web application to complete the form may make sense? https://bestpractices.coreinfrastructure.org/en

I also wanted to link to a discussion around an attestation predicate for human reviews of artefacts happening in the in-toto attestation repository:

  • https://github.com/in-toto/attestation/issues/77

joshuagl, Nov 07 '22 17:11

For reference, here is the SLSA Compliance Assessment that is in use by the Kubernetes community for their SLSA efforts: https://github.com/kubernetes/enhancements/issues/3027

tracymiranda, Nov 14 '22 17:11

A major value area would be that organizations and projects can select a build system that allows them to comply with SLSA. For the first iteration, I think that is the best starting point for providing our badges and putting guardrails up.

In the Specification Meeting on November 14th 2022 we discussed this as a decision point for the first effort so that we can properly scale the scope of work and an MVP of a self-attestation survey.

Decision: The conformance program will initially target Build Systems

Next Steps:

  • [ ] Select requirements that require the cooperation or technical support of the build system
  • [ ] Create a questionnaire that attests to the selected requirements
  • [ ] Identify the level of SLSA that build platforms can attest to
  • [ ] Establish branding that can be provided to Build Platforms
  • [ ] Work with legal to define agreements and requirements

SecKatie, Nov 14 '22 18:11

I'm one of the maintainers of https://github.com/slsa-framework/slsa-verifier. We'd be interested in incorporating builder levels that come out of `Identify the level of SLSA that build platforms can attest to` (https://github.com/slsa-framework/slsa-verifier/issues/158 and https://github.com/slsa-framework/slsa-verifier/issues/84).

laurentsimon, Nov 16 '22 18:11

Hi, I'm not totally sure where the discussion for this takes place. I added a few comments to the Google doc.

lehors, Nov 22 '22 15:11

Removing this from the v1.0 tracker since we're moving it outside the spec.

MarkLodato, Mar 06 '23 16:03

This fell a bit by the wayside as we prepared for v1.0-RC2.

@JoshuaMulliken and I met with a member of the Linux Foundation to discuss setting up a conformance program. The basic steps are:

  1. Create some sort of test we can use to determine a build system's SLSA conformance. The Kubernetes program uses a test suite, but in our case it's likely to be a questionnaire or checklist filled out by hand.
  2. Draft terms for the conformance program. IIUC, the way it would work is that we would have a badge that we license out to build systems that conform to the SLSA spec.
  3. Create a badge to license under the terms in step 2.

We've drafted a sample questionnaire and terms of service for the conformance program. Please feel free to comment, especially on the questionnaire: https://docs.google.com/document/d/1r6jM84mTa1dBJ6-KTPJKzCPUQ3GA8BuDIzFjbVfH7P8/edit?usp=sharing

kpk47, Apr 05 '23 20:04

I've posted a proposal at https://github.com/slsa-framework/slsa-proposals/pull/9.

kpk47, May 01 '23 17:05