Software supply chain security is top of mind for many developers. It’s complex enough that the route to “more secure” is difficult to determine, especially in small open source projects that have a few contributors and minimal funding. Wouldn’t it be great if projects could easily adopt simple tooling that transparently provides tangible benefits to the developers and their users?
The Supply-chain Levels for Software Artifacts (SLSA) project is working to enable just that. We recently announced general availability of a trusted builder and verification tools for Go projects using GitHub Actions that helps projects implement SLSA Level 3.
SLSA is a framework for safeguarding the integrity of the software supply chain. SLSA Level 3, the second highest level, defines requirements for a tamper-resistant build service, which produces non-forgeable provenance metadata. SLSA provenance metadata is a generalization of code signing that details how an artifact was built, enabling users to comprehensively verify the artifact’s integrity.
The trusted builder is easily integrated into GitHub Actions workflows to perform the build per SLSA Level 3’s build requirements and generate non-forgeable provenance metadata that meets SLSA Level 3’s provenance requirements attesting to where and how the build occurred.
Users of projects that integrate the trusted builder can then use the paired verification tools to ensure that the artifacts they are using were produced from the expected source code repository reference. Verification is admittedly somewhat onerous for users today, but demonstrates the power of the SLSA provenance model. The SLSA project’s nascent Tooling Workstream will explore ways to simplify verification, perhaps through integration into existing artifact ingestion workflows.
Since the general availability announcement for the trusted builder, the pace of development has only increased. Now, in addition to the initially announced Go builder, the project has implemented a generic generator to achieve SLSA level 3’s provenance requirements and builders are currently in development for container images.
To learn more about how to start using trusted builders and generators with your GitHub projects, visit the announcement blog post or the project’s documentation (which also includes detailed technical design information for those who want to understand how the SLSA requirements are met).