🐳 Docker Scout • 🚢 Docker Captain • 📦 NixOS • 💃 SLSA GitHub Generator • 🎤 Amazing SSCS Events • 🔑❌ Benefits of Keyless Signing • 🌟 Achieving SLSA Level 2️⃣ with Tekton and Tekton Chains • 🎖 Newest Badges
🐳 Docker Scout is a new tool that analyses a software artifact for vulnerabilities, and yes, it means that Docker Scan is now deprecated!
We already know that Docker plays a crucial role in securing software supply chains by providing features such as generating an SBOM and SLSA provenance during the build with BuildKit v0.11, scanning images, etc. Now there is a new kid in town, `docker scout`, which provides visibility into vulnerabilities and recommendations for quick remediation; it was announced as one of the newest features released with Docker Desktop v4.17.
Lots of amazing content about Docker Scout has already been created.
Here is the first video about Docker Scout recorded by James Spurin 👇
Bret Fisher detailed Docker Scout in his newsletter!
And Ajeet Singh Raina wrote a blog post about Docker Scout as a first look!
🚢 I’m officially a Docker Captain now!
I am announcing for the first time that I have been accepted to the Docker Captain Program, and I am the first Docker Captain from 🇹🇷! Since Docker is heading towards the software supply chain security space, I thought this might be the perfect opportunity for me to apply for this program, because I am also interested in doing something and learning more about software supply chain security, and it worked: they accepted me to join this program. I'm very excited about this role, and I hope I can be worthy of it! If you are also willing to join the Docker Captain Program, here is the quick “How to Become a Docker Captain” guide by Ajeet Raina, who is one of the Docker Captains.
💃 I made my first contribution to the SLSA 3 Go Builder workflow!
SLSA gives you a set of standards you can adopt to improve artifact integrity and gradually build toward completely resilient systems, from level one to four. Unfortunately, there were not many ways to generate SLSA provenance for software until `slsa-github-generator`, a language-agnostic SLSA provenance generator for GitHub Actions, was announced! The team behind this project announced the General Availability of the SLSA 3 Go native builder for GitHub Actions a while ago. While working on the Scorecard project, which uses the SLSA 3 Go Builder in its release workflow, to add a verification step for the provenance, I noticed that we needed a workaround to get the name of the provenance generated and signed by the SLSA 3 Go Builder. So I created a PR to add it to the outputs of that workflow, to make getting the name of the provenance easier!
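To show where such an output fits, here is an added example (not from this newsletter, the Scorecard project, or slsa-github-generator itself) of a release workflow that builds with the SLSA 3 Go Builder and then verifies the provenance with slsa-verifier in a separate job. The output names `go-binary-name` and `go-provenance-name`, the version tags, and the `.slsa-goreleaser.yml` config file are assumptions to check against the current generator documentation.

```yaml
# Assumed example workflow; pin action versions to the ones you have reviewed.
name: release
on:
  push:
    tags: ["v*"]
permissions: read-all

jobs:
  build:
    permissions:
      id-token: write   # keyless (Sigstore) signing of the provenance
      contents: write   # upload binary + provenance to the GitHub release
      actions: read     # let the builder read workflow metadata
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.5.0
    with:
      go-version: "1.20"
      config-file: .slsa-goreleaser.yml   # assumed build config
      upload-assets: true

  verify:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - name: Install slsa-verifier
        uses: slsa-framework/slsa-verifier/actions/installer@v2.0.1
      - name: Download the release assets produced by the builder
        env:
          GH_TOKEN: ${{ github.token }}
          BINARY: ${{ needs.build.outputs.go-binary-name }}
          # The provenance name comes straight from the builder's outputs,
          # so no naming workaround is needed here.
          PROVENANCE: ${{ needs.build.outputs.go-provenance-name }}
        run: |
          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$BINARY"
          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE"
      - name: Verify the binary against its provenance
        env:
          BINARY: ${{ needs.build.outputs.go-binary-name }}
          PROVENANCE: ${{ needs.build.outputs.go-provenance-name }}
        run: |
          set -euo pipefail
          # Fails the job unless the provenance was produced by the trusted
          # builder for this exact repository and tag.
          slsa-verifier verify-artifact "$BINARY" \
            --provenance-path "$PROVENANCE" \
            --source-uri "github.com/$GITHUB_REPOSITORY" \
            --source-tag "$GITHUB_REF_NAME"
```

Keeping the verification in its own job means a build that cannot be tied back to the trusted builder and this repository's tag fails the release rather than shipping unverified.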
📦 Adding new packages to package repositories such as Wolfi OS and NixOS is fun!
I’ve been adding new packages to Wolfi OS for a while. It has always been fun to add new packages to package repositories, and I highly recommend you do the same. Then I met NixOS and realized that packages I might be interested in are available on NixOS too. Here is a weekly summary of my participation in NixOS:
1️⃣ One of the first packages that I got involved with is cosign. I have been one of the contributors to the project for a while. Now, I'm one of the maintainers of that package in NixOS!
$ nix-env -iA nixpkgs.cosign
2️⃣ The second project is Rekor, which is one of the other successful projects maintained by Sigstore. `rekor-cli` is a client CLI for the Rekor server. Now, I'm one of the maintainers of that package in NixOS!
$ nix-env -iA nixpkgs.rekor
3️⃣ The third package is gitsign. gitsign allows you to sign your commits using the Sigstore public-good services with a keyless approach. Now, I'm one of the maintainers of that package in NixOS!
$ nix-env -iA nixpkgs.gitsign
and many more!

Using the experience I gained through these contributions, I tried to bring new packages into NixOS, and I've added the bom and slsa-verifier packages!
🎤 Lots of amazing events have been announced during the week related to software supply chain security!
There will be another event you don't wanna miss from Chainguard: Come to SLSA with us! 💃 Look at these amazing speakers; each of them has played a crucial role in the SSCS ecosystem! This will be a great opportunity to listen to #SLSA from them.
There are only 5️⃣ days left until one of my favorite ⚡️Enlightning Talks⚡️ by Whitney Lee about Sigstore, with Zack Newman and Lewis Denham-Parry.
If you haven't set your reminder, do not forget to do it now, you can thank me later☝️😅
I can truly say that there will be an amazing talk by Adolfo García Veytia and Patrick Flynn about #SBOM, #SLSA, #WolfiOS, and Sigstore, OH MY, waiting for you folx if you are lucky enough to be in Montreal. I highly recommend you go to this event; I wish I could be there 😓

🔑❌ One of the unique things that Sigstore brings to the table is Keyless Signing!
There are several critical benefits of keyless signing. First of all, it reduces the risk of compromise in the first place by eliminating the hassle of long-lived key management. Kaylin Trychon from Chainguard wrote a blog post that details the benefits of keyless signing:
TL;DR:
• 🔐 Improved security: reduces the risk of key compromise
• 🐾 Enhanced traceability: an auditable record of the software signing process
• 🤸 Increased flexibility: keys do not need to be present on the signing machine
• 👯 Reduced reliance: multiple people can be authorized to sign
🙉 A new article just published on Google’s open-source blog about achieving SLSA Level 2 with Tekton and Tekton Chains!
Tekton Chains is a supply chain manager for Tekton. Basically, it is a standalone system that observes Pipelines and generates provenance for the artifacts built by those Pipelines. I wrote a blog post about Tekton Chains in detail if you want to dig into this technology.

🎖 My badge collection is getting bigger and bigger day by day!
I was one of the committee members of the GitOpsCon + cdCon program this year! It was a very fun process to review all these amazing CFPs. I learned so many things from the other committee members during the discussion meetings. Again, I’d like to thank them all for having me.
That’s all for me today, I hope you enjoyed reading, and please do not forget to subscribe if you want to keep in touch with the recent newsletters, thanks in advance, and see you in the next issue! 🙉