
blog: Add blog post on Tekton Chains and IBM DevSecOps #1048

Merged
merged 6 commits into from
Jun 11, 2024

Conversation

lehors
Member

@lehors lehors commented Apr 21, 2024

As discussed on a recent call, Tekton Chains supports SLSA Provenance v1 but the configuration isn't the most straightforward. This post highlights support for SLSA and gives people the right configuration to use to get the v1 format. It also informs people that IBM has an offering based on this technology and gives them a few pointers to the relevant documentation.


netlify bot commented Apr 21, 2024

Deploy Preview for slsa ready!

Name Link
🔨 Latest commit 44f3e5c
🔍 Latest deploy log https://app.netlify.com/sites/slsa/deploys/6641ab3d7081a40008ba4b0b
😎 Deploy Preview https://deploy-preview-1048--slsa.netlify.app

@lehors lehors changed the title Add blog post on Tekton Chains and IBM DevSecOps blog: Add blog post on Tekton Chains and IBM DevSecOps Apr 21, 2024
lehors added 2 commits April 21, 2024 11:59
Signed-off-by: Arnaud J Le Hors <[email protected]>
Signed-off-by: Arnaud J Le Hors <[email protected]>
Signed-off-by: Arnaud J Le Hors <[email protected]>
@lehors lehors requested a review from arewm April 26, 2024 20:04
@lehors lehors requested a review from joshuagl May 3, 2024 15:22
@lehors lehors requested a review from david-a-wheeler May 3, 2024 20:07
@david-a-wheeler
Member

Overall looks fine, see my comments above.

Signed-off-by: Arnaud J Le Hors <[email protected]>
@lehors
Member Author

lehors commented May 13, 2024

Overall looks fine, see my comments above.

Thanks @david-a-wheeler for your careful review, I've accepted all your proposed changes.

@lehors
Member Author

lehors commented May 17, 2024

@david-a-wheeler can you please approve so this can be merged? Thank you.

Member

@joshuagl joshuagl left a comment


Great post. It would be even better if it mentioned how to verify artefacts not just the signature on the produced attestation.


I'm happy to say that the configuration of IBM DevSecOps is a bit more straightforward than that of Tekton Chains and one can simply set the `slsa-attestation` parameter to `1` to get the build platform to produce SLSA attestations in the Provenance v1 format.

You can then use [cosign](https://github.com/sigstore/cosign) to verify the signature on the produced attestation.
Member


What about verifying the artefacts themselves (through provenance)? Is that done with cocao locker evidence check?

Member Author


As far as I know, this is currently "left as an exercise to the reader" so to speak. :-) But I agree with you that this should be addressed. I'll merge this now because it's been sitting there for a long time already and I'll post an update ASAP.
Thanks for your review!
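The verification step the review leaves open (checking the artifact itself against the provenance, not only the signature on the attestation) as an added Python example. This is not code from the PR, the SLSA site, Tekton Chains or IBM's offering. It assumes the attestation is a DSSE envelope carrying an in-toto Statement v1 with a SLSA Provenance v1 predicate, uses a placeholder builder ID (`https://build.example.com/platform`) and a constructed sample artifact and envelope, and treats signature verification as already done by cosign, so only the payload checks that follow that step are shown.

```python
import base64
import hashlib
import json

# Identifiers taken from the in-toto and SLSA specifications.
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Placeholder builder identity (an assumption, not any real platform's ID).
EXPECTED_BUILDER_ID = "https://build.example.com/platform"

# Constructed sample artifact standing in for a real build output.
SAMPLE_ARTIFACT = b"#!/bin/sh\necho constructed sample binary\n"


def decode_envelope(envelope: dict) -> dict:
    """Unwrap a DSSE envelope and return the in-toto Statement it carries.

    The envelope signature is assumed to have been checked already
    (e.g. with cosign); this function only decodes the payload.
    """
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType: {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(statement: dict, artifact: bytes, expected_builder_id: str) -> list:
    """Return policy findings for `artifact`; an empty list means it passes.

    Checks: statement and predicate types, the artifact's sha256 is listed
    as a subject, and the builder recorded in runDetails is the expected one.
    """
    findings = []
    if statement.get("_type") != INTOTO_STATEMENT_V1:
        findings.append(f"not an in-toto Statement v1: {statement.get('_type')!r}")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        findings.append(f"not SLSA Provenance v1: {statement.get('predicateType')!r}")

    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject") or []
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        findings.append(f"artifact sha256 {digest} is not a subject of the attestation")

    builder_id = (statement.get("predicate", {})
                  .get("runDetails", {})
                  .get("builder", {})
                  .get("id"))
    if builder_id != expected_builder_id:
        findings.append(f"builder {builder_id!r} != expected {expected_builder_id!r}")
    return findings


def make_sample_envelope(artifact: bytes, builder_id: str) -> dict:
    """Build a constructed, unsigned DSSE envelope for demonstration only."""
    statement = {
        "_type": INTOTO_STATEMENT_V1,
        "subject": [{"name": "sample-binary",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {"buildType": "https://build.example.com/types/v1",
                                "externalParameters": {}},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    # "signatures" is left empty: a real envelope carries the builder's signature.
    return {"payloadType": INTOTO_PAYLOAD_TYPE, "payload": payload, "signatures": []}


if __name__ == "__main__":
    env = make_sample_envelope(SAMPLE_ARTIFACT, EXPECTED_BUILDER_ID)
    statement = decode_envelope(env)
    print("genuine artifact:", check_provenance(statement, SAMPLE_ARTIFACT, EXPECTED_BUILDER_ID))
    print("tampered artifact:", check_provenance(statement, SAMPLE_ARTIFACT + b"x", EXPECTED_BUILDER_ID))
```

The subject-digest check is what ties the attestation to the bytes you are about to deploy: a valid signature only proves the builder produced some statement, while a missing subject match means this particular artifact is not covered by it. The builder ID check is the minimal policy a consumer would pin; a fuller policy would also constrain `buildDefinition.buildType` and the source in `externalParameters`.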

@lehors lehors merged commit bee177a into slsa-framework:main Jun 11, 2024
6 checks passed
Nikokrock pushed a commit to Nikokrock/slsa that referenced this pull request Jun 13, 2024
…k#1048)

As discussed on a recent call, Tekton Chains supports SLSA Provenance v1
but the configuration isn't the most straightforward. This post
highlights support for SLSA and gives people the right configuration to
use to get the v1 format. It also informs people that IBM has an
offering based on this technology and gives them a few pointers to the
relevant documentation.

---------

Signed-off-by: Arnaud J Le Hors <[email protected]>