Open ThomasVitale opened 1 year ago
Hi @ThomasVitale. Would you be willing to submit an RFC for this?
Thanks for your comment, @mvalliath. I'm available to work on an RFC for this feature.
Hello @ThomasVitale - I'm new to SLSA; would it make sense to have an integration in buildpack distributions, such as Paketo Buildpacks? (similar to SBOM generation from buildpacks)
As part of improving supply chain security, SLSA provides a framework to guarantee the integrity of software artefacts, with different levels of compliance.
One of the main concepts introduced by SLSA is the provenance "to trace software back to the source and define the moving parts in a complex supply chain". It's defined as "the verifiable information about software artifacts describing where, when and how something was produced".
It would be a great addition to kpack if the built OCI artefacts were not only signed, but also provided with a signed provenance attestation following the standard in-toto format. Such an attestation would contain information about kpack itself, how the OCI image was built (for example, information about the stacks and buildpacks used) and where.
Examples of build tools that support SLSA provenance attestations are the following:
If there's interest in having such a feature in kpack, I'm available to help refine it.
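The shape of what the issue asks for, as an added example that is not kpack's code and not part of the original thread: an in-toto Statement carrying a SLSA provenance v0.2 predicate (builder, buildType, the stack images and buildpacks consumed as materials, the built image as the subject), wrapped in a DSSE envelope and signed. The struct definitions are hand-written to match the published JSON field names rather than pulled from the in-toto Go libraries; the builder ID and the `buildType` URI are placeholders, since kpack defines neither today; and Ed25519 stands in for whatever key material a real deployment (for example cosign) would use. The digests and URIs in `main` are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// URIs from the in-toto attestation and SLSA provenance v0.2 specs.
// BuildType is an assumption for this example; kpack defines no such value.
const (
	StatementType  = "https://in-toto.io/Statement/v0.1"
	ProvenanceType = "https://slsa.dev/provenance/v0.2"
	PayloadType    = "application/vnd.in-toto+json"
	BuildType      = "https://example.com/kpack/build@v1"
)

type DigestSet map[string]string

type Subject struct {
	Name   string    `json:"name"`
	Digest DigestSet `json:"digest"`
}

type Material struct {
	URI    string    `json:"uri"`
	Digest DigestSet `json:"digest,omitempty"`
}

type Provenance struct {
	Builder   struct{ ID string `json:"id"` } `json:"builder"`
	BuildType string     `json:"buildType"`
	Materials []Material `json:"materials"`
}

type Statement struct {
	Type          string     `json:"_type"`
	PredicateType string     `json:"predicateType"`
	Subject       []Subject  `json:"subject"`
	Predicate     Provenance `json:"predicate"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// Envelope is a DSSE envelope; Payload is the base64-encoded statement JSON.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// NewProvenance describes one built image (sha256 hex digest) and the inputs
// the build consumed: source commit, stack run/build images, buildpacks.
func NewProvenance(builderID, image, digest string, materials []Material) Statement {
	s := Statement{Type: StatementType, PredicateType: ProvenanceType,
		Subject: []Subject{{Name: image, Digest: DigestSet{"sha256": digest}}}}
	s.Predicate.Builder.ID = builderID
	s.Predicate.BuildType = BuildType
	s.Predicate.Materials = materials
	return s
}

// pae is the DSSE pre-authentication encoding: the bytes actually signed,
// which binds the payload type to the signature so it cannot be swapped.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// Sign serialises the statement and signs its PAE with an Ed25519 key.
func Sign(stmt Statement, priv ed25519.PrivateKey) (Envelope, error) {
	payload, err := json.Marshal(stmt)
	if err != nil {
		return Envelope{}, err
	}
	kid := sha256.Sum256(priv.Public().(ed25519.PublicKey))
	sig := ed25519.Sign(priv, pae(PayloadType, payload))
	return Envelope{PayloadType: PayloadType, Payload: base64.StdEncoding.EncodeToString(payload),
		Signatures: []Signature{{KeyID: hex.EncodeToString(kid[:]), Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// Verify accepts the envelope only if a signature validates under pub and the
// decoded payload is a SLSA provenance statement. The caller must still match
// Subject against the digest of the image it is about to deploy.
func Verify(env Envelope, pub ed25519.PublicKey) (Statement, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return Statement{}, err
	}
	msg := pae(env.PayloadType, payload)
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil || !ed25519.Verify(pub, msg, sig) {
			continue
		}
		var stmt Statement
		if err := json.Unmarshal(payload, &stmt); err != nil {
			return Statement{}, err
		}
		if stmt.Type != StatementType || stmt.PredicateType != ProvenanceType {
			return Statement{}, errors.New("not a SLSA provenance statement")
		}
		return stmt, nil
	}
	return Statement{}, errors.New("no signature verified under the given key")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway key for the demo
	stmt := NewProvenance("https://example.com/kpack@v0", "registry.example.com/app", "0f2c3d", // constructed values
		[]Material{{URI: "pkg:oci/run-image", Digest: DigestSet{"sha256": "a1b2c3"}}})
	env, _ := Sign(stmt, priv)
	out, _ := json.MarshalIndent(env, "", "  ")
	fmt.Println(string(out))
	_, err := Verify(env, pub)
	fmt.Println("verified:", err == nil)
}
```

The PAE step is the part worth noting: signing the raw JSON instead would let an attacker present the same bytes under a different `payloadType`, which is exactly the confusion DSSE exists to prevent. Likewise, `Verify` checks `_type` and `predicateType` before trusting any field, so a validly signed SBOM or other attestation from the same key cannot be passed off as provenance.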