Building SLSA 3 Conformant Attestors for Artifacts Generated on GitHub
May 01, 2023
34 min
Free
slsa
supply-chain-security
github-actions
software-supply-chain
provenance
attestation
container-images
ci-cd
open-source-security
build-automation
security-frameworks
Description
Supply-chain Levels for Software Artifacts, or SLSA, is a security framework for reasoning about and improving the integrity of released artifacts. This talk explores how to build SLSA 3 conformant attestors for artifacts generated on GitHub. The presenters discuss a framework that allows existing tools (such as binaries, GitHub Actions, or containers) to be wrapped into SLSA-compliant attestors with minimal effort. They showcase examples using package managers such as npm and Maven, and share lessons learned and challenges faced. Attendees will gain the knowledge needed to make their tools attest to their output using SLSA provenance.