⛓ in-toto and SLSA • 🐙 Wolfi OS Package Updates • 🐳 Docker Builds and Multi-platform • ❌🔑 Keyless Signing for GitLab • 💃 SLSA v1.0 Release • 🚨 CNCF SLSA Assessments
⛓ A new blog post was published about in-toto and SLSA to give a better understanding of how these two are related to each other!
If you are interested in learning more about software supply chain security, most of you have probably come across the terms in-toto attestations and SLSA provenance. But have you ever asked yourself how these two are related to each other? Let's find out! Aditya Sirish and Tom Hennen wrote a blog post to explain exactly that.
🐙 Day by day, the Wolfi OS package repository is getting bigger!
For people who are not familiar with Wolfi OS: Wolfi OS is the first Linux (un)distro designed for securing the software supply chain in the container and cloud-native era. Here's Dan Lorenc's quick guide to understanding the unique things that Wolfi OS brings to the table for software supply chain security of container images.
We (w/ Furkan Türkal) are constantly adding new packages to Wolfi OS; here are some of them:
There are still lots of packages waiting to be added to Wolfi OS, which means that all contributions are very welcome 🚀
🐳 Docker introduced a new best-practices guide for building container images, aimed at people of all levels from beginner to advanced; check it out!
Docker created this guide to give people useful pointers and best practices for Docker's build features. It should definitely be one of your handbooks when you start building container images for your projects, whether you are just getting started or already an advanced Docker user!
❌🔑 Keyless signing support for cosign has been enabled in the staging environment for GitLab CI!
Keyless signing is one of the unique things that the Sigstore community brings to the table, and it has been available on the GitHub Actions platform for a long time, ever since GitHub announced OIDC support. Now keyless signing can be used in GitLab CI as well. Thanks to the Sigstore community, this support has been rolled out to staging; please try it and share your feedback with the community!
Also, Carlos Panato has already created an example that shows how to use this support on GitLab CI.
💃 SLSA v1.0 was released!
In recent weeks, SLSA v1.0 was released, and lots of great resources were created to explain what is new in the v1.0 release.
A blog post was published on Google’s security blog:
➡️ Celebrating SLSA v1.0: securing the software supply chain for everyone
Also, Cloudsmith hosted a live webinar to discuss what SLSA 1.0 means for us:
➡️ SLSA 1.0 is here! What’s it mean for you?
🌟 There is even a tracking issue documenting all the projects that support SLSA provenance generation today, such as Docker Buildx, Tekton Chains, Sigstore cosign, and many more.
➡️ Tracking issue for draft SLSA 1.0 support in tools
🚨 CNCF is working to improve the software supply chain security of the graduated projects it hosts!
CNCF worked in collaboration with Chainguard to assess the software supply chain security practices of two of its graduated projects, Argo and Prometheus, based on Supply-chain Levels for Software Artifacts (SLSA), which provides a framework for software supply chain integrity. Here is the blog post with the details:
➡️ Building secure software supply chains in CNCF with SLSA assessments