youngnick opened 2 years ago (status: Open)
I've started looking into this, and it seems like the easiest way to do this actually involves setting up goreleaser, and then using https://github.com/slsa-framework/slsa-github-generator to generate the provenance information.
There's even a new GitHub Action (described in https://slsa.dev/blog/2022/06/slsa-github-workflows) that can handle provenance generation.
~~That will mean moving our builds to goreleaser though, so I'll open an issue to discuss that too.~~
There are other options as well - ko can already generate an SBOM, which is a key part of fulfilling SLSA level 3, but it seems like the GitHub generator above would be the fastest.
I'm going to spend some more time talking to some of the folks involved in the various projects, and see what they recommend and what's the most complete. A lot of this is still either very new or still being built, but I think that's another reason why us implementing it will be useful for others.
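For the slsa-github-generator route described above, here is an added example release workflow (not from this issue or the project) that builds the artifacts in one job, hashes them, and hands the hashes to the generic SLSA 3 generator, which runs as a separate reusable workflow so the build job never holds the signing identity. The `make build` target, the `dist/` layout, the Go version and the pinned generator tag are assumptions to adjust for the repository.

```yaml
# Assumed layout: a Go module whose `make build` writes release binaries to ./dist/.
name: release
on:
  push:
    tags: ["v*"]

permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v3
        with:
          go-version: "1.19"   # assumption; match the project's go.mod
      - name: Build release artifacts (assumed make target)
        run: make build
      - name: Record the sha256 of every artifact as the base64-encoded subject list
        id: hash
        run: |
          set -euo pipefail
          cd dist
          # The generator expects "sha256sum" output, base64-encoded on one line.
          echo "hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v3
        with:
          name: dist
          path: dist/

  provenance:
    needs: [build]
    # The reusable workflow needs an OIDC token to sign with Sigstore and
    # contents: write to attach the attestation to the GitHub release.
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true
```

Consumers can then check a downloaded binary against the attached `*.intoto.jsonl` with `slsa-verifier verify-artifact <file> --provenance-path <attestation> --source-uri github.com/ORG/REPO`, which fails if the hash, the signing identity or the source repository does not match.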
Thanks for raising this @youngnick. I would like to wait for some more guidance from CNCF (https://github.com/cncf/tag-security/issues/895) before making a decision, especially for container image SBOMs. I see a lot of WIP in this space (https://github.com/moby/buildkit/issues/2773).
This issue covers setting up a secure supply chain for all the software we provide, both for Kubernetes and non-Kubernetes use cases.
In particular, #83 has some setup for how we will push a container image to Docker Hub, which we need to review to ensure that it works with securing our software supply chain.