Introduction

I wrote Supply Chain Security: A Deep Dive into SBOM and Code Signing earlier. That post pinned down "what's in it" via SBOM and "who signed it" via Cosign. But even with both of those, there's still a hole.

SolarWinds' SUNSPOT was malware that lived on the build server, swapped the source code the moment a build started, and put it back when the build finished. The resulting binaries were signed with the legitimate certificate. Signatures: perfect. SBOMs: clean. And the world still got a backdoor distributed to it.

Why? Signatures only prove "I signed this with this key." SBOMs only describe "what was in the artifact at build time." Nobody was verifying "was this really built from the right source, on an unaltered builder, following the steps it claims?"

The thing that closes that hole is Provenance. SLSA (Supply-chain Levels for Software Artifacts) is a framework built around provenance, treating "from where (source), how (build), by what (builder)" as verifiable metadata.…
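To make the three questions concrete, here is an added example (not code from the original post, and not the SLSA project's own tooling) of a consumer-side policy check over a SLSA v1 provenance statement. The provenance document, the artifact bytes, the builder id, the repository URI and the build type are all constructed placeholders under example.com; the example assumes the DSSE envelope carrying the statement has already been signature-verified (for instance with Cosign), and only checks what the signature cannot: that the statement is about these exact bytes, which builder produced them, from which source, and via which build definition.

```python
import copy
import hashlib

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v1"

# Constructed sample artifact; in practice this is the release file being verified.
ARTIFACT = b"example release contents v1.0.0\n"

# Constructed SLSA v1 provenance. Every URI is a placeholder (example.com), not a real
# builder or repository. Where the source is recorded (externalParameters vs.
# resolvedDependencies) is buildType-specific; this sample lists it as a resolved
# dependency, which hosted builders commonly do.
GOOD_STATEMENT = {
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "app-1.0.0.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": PREDICATE_TYPE,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/build-types/release@v1",
            "externalParameters": {"workflow": {"path": ".ci/release.yml"}},
            "resolvedDependencies": [
                {"uri": "git+https://example.com/org/app@refs/tags/v1.0.0",
                 "digest": {"gitCommit": "a" * 40}},
            ],
        },
        "runDetails": {"builder": {"id": "https://example.com/builders/hosted-ci@v1"}},
    },
}

# Verification policy: the answers the consumer expects to "by what / from where / how".
POLICY = {
    "trusted_builders": {"https://example.com/builders/hosted-ci@v1"},
    "expected_repo": "git+https://example.com/org/app",
    "expected_build_type": "https://example.com/build-types/release@v1",
}


def verify_provenance(statement, artifact, policy):
    """Return the list of policy violations; an empty list means 'accept'.

    Assumes the envelope carrying `statement` was already signature-checked, so this
    only answers: is it about THIS artifact, built BY whom, FROM where, and HOW.
    """
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("not an in-toto Statement v1")
    if statement.get("predicateType") != PREDICATE_TYPE:
        problems.append("not a SLSA provenance v1 predicate")

    # Binding: the provenance must name the exact bytes we hold.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        problems.append("subject digest does not match artifact")

    pred = statement.get("predicate", {})
    build = pred.get("buildDefinition", {})

    # By what: only builders we trust to be isolated and unaltered.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in policy["trusted_builders"]:
        problems.append(f"untrusted builder: {builder!r}")

    # From where: the expected repository, a release tag ref, and a pinned commit.
    source = next((d for d in build.get("resolvedDependencies", [])
                   if str(d.get("uri", "")).startswith("git+")), None)
    if source is None:
        problems.append("no git source recorded in resolvedDependencies")
    else:
        repo, _, ref = source["uri"].partition("@")
        if repo != policy["expected_repo"]:
            problems.append(f"unexpected source repository: {repo!r}")
        if not ref.startswith("refs/tags/"):
            problems.append(f"source ref is not a release tag: {ref!r}")
        if not source.get("digest", {}).get("gitCommit"):
            problems.append("source commit digest missing")

    # How: the build must come from the expected pipeline definition.
    if build.get("buildType") != policy["expected_build_type"]:
        problems.append(f"unexpected buildType: {build.get('buildType')!r}")
    return problems


def tampered_statement():
    """Constructed counter-example: same subject digest (a signature over it would
    still verify), but built on an ad-hoc machine from a fork's branch."""
    s = copy.deepcopy(GOOD_STATEMENT)
    s["predicate"]["runDetails"]["builder"]["id"] = "https://example.com/builders/self-hosted-box"
    s["predicate"]["buildDefinition"]["resolvedDependencies"][0]["uri"] = \
        "git+https://example.com/someone/app-fork@refs/heads/main"
    return s


if __name__ == "__main__":
    print("good:", verify_provenance(GOOD_STATEMENT, ARTIFACT, POLICY))
    print("tampered:", verify_provenance(tampered_statement(), ARTIFACT, POLICY))
```

The point of the counter-example is that nothing in a signature check distinguishes the two statements: both name the same artifact digest. Only a policy that pins the builder identity, the source repository and ref, and the build definition turns provenance into something a consumer can reject on, and the trust placed in the builder id is exactly what SLSA's higher levels (isolated, non-falsifiable builders) are meant to earn.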