diff --git a/content/en/flux/security/slsa-assessment.md b/content/en/flux/security/slsa-assessment.md new file mode 100644 index 000000000..97b604df6 --- /dev/null +++ b/content/en/flux/security/slsa-assessment.md 
@@ -0,0 +1,135 @@ +--- +title: "SLSA Assessment" +linkTitle: "SLSA Assessment" +description: "Flux assessment of SLSA Level 3 requirements." +weight: 140 +--- + +## Introduction + +Supply Chain Levels for Software Artifacts, or SLSA (pronounced "salsa"), +is a security framework which aims to prevent tampering and secure artifacts in a project. +SLSA is designed to support automation that tracks code handling from source to binary +protecting against tampering regardless of the complexity of the software supply chain. + +Starting with Flux version 2.0.0, the source, build, and provenance portions of the Flux +project supply chain provisionally meet [SLSA Level 3](https://slsa.dev/spec/v0.1/levels). + +## SLSA Requirements and Flux Compliance State + +What follows is an assessment made by members of the Flux core maintainers team +on how Flux v2.0 complies with the SLSA Level 3 requirements as specified by +[SLSA v0.1](https://slsa.dev/spec/v0.1/levels). + +### Source Requirements + +| Requirement | Required at SLSA Level 3 | Met by Flux | +|-----------------------|------------------------------|-------------| +| Version controlled | Yes | Yes | +| Verified history | Yes | Yes | +| Retained indefinitely | Yes (for 18 months or above) | Yes | + +#### Motivation + +- The Flux project uses Git for source code management. +- All the Flux project's Git repositories are hosted on GitHub under the FluxCD organization. +- All the Flux maintainers are required to have two-factor authentication enabled and to sign-off all their contributions. +- All changes are made transparently using GitHub Pull Requests where only the Flux maintainers can approve and merge contributions to the project. +- The Flux project enforces that code changes are to be approved by at least one maintainer. +- The project enforces that substantial changes to Flux must follow an [RFC process](https://github.com/fluxcd/flux2/blob/main/rfcs/README.md), RFC PRs must be approved by at least two maintainers. 
+ +### Build Requirements + +| Requirement | Required at SLSA Level 3 | Met by Flux | +|-----------------------|--------------------------|-------------| +| Scripted build | Yes | Yes | +| Build service | Yes | Yes | +| Build as code | Yes | Yes | +| Ephemeral environment | Yes | Yes | +| Isolated | Yes | Yes | + +#### Motivation + +- The Flux project uses GitHub Actions and GitHub Runners for building all its release artifacts. +- The build and release process runs in isolation on an ephemeral environment provided by GitHub-hosted runners. +- The build and release process is defined in code (GitHub Workflows and Makefiles) and is kept under version control. +- The GitHub Workflows make use of GitHub Actions pinned to their Git commit SHA and are kept up-to-date using GitHub Dependabot. +- All changes to build and release process are done via Pull Requests that must be approved by at least one Flux maintainer. +- The release process can only be kicked off by a Flux maintainer by pushing a Git tag in the semver format. + +### Provenance Requirements + +| Requirement | Required at SLSA Level 3 | Met by Flux | +|-------------------|--------------------------|-------------| +| Available | Yes | Yes | +| Authenticated | Yes | Yes | +| Service generated | Yes | Yes | +| Non-falsifiable | Yes | Yes | + +#### Motivation + +- The Flux project uses the official [SLSA GitHub Generator project](https://github.com/slsa-framework/slsa-github-generator) for provenance generation. +- The provenance is signed by GitHub OIDC identity and the public key to verify the provenance is stored in the public [Rekor transparency log](https://docs.sigstore.dev/rekor/overview/). +- The release process and the provenance generation runs in isolation on an ephemeral environment provided by GitHub-hosted runners. 
+ +### Provenance Content Requirements + +| Requirement | Required at SLSA Level 3 | Met by Flux | +|-------------------------------|--------------------------|-------------| +| Identifies artifact | Yes | Yes | +| Identifies builder | Yes | Yes | +| Identifies build instructions | Yes | Yes | +| Identifies source code | Yes | Yes | +| Identifies entry point | Yes | Yes | +| Includes all build parameters | Yes | Yes | + +#### Motivation + +- The provenance for the release assets published to GitHub releases (binaries, SBOMs, deploy manifests, source code) is generated using the `generator_generic_slsa3` GitHub Workflow provided by the [SLSA GitHub Generator project](https://github.com/slsa-framework/slsa-github-generator). +- The provenance for the release assets published to GitHub Container Registry and to DockerHub (Flux controllers multi-arch container images) is generated using the `generator_container_slsa3` GitHub Workflow provided by the [SLSA GitHub Generator project](https://github.com/slsa-framework/slsa-github-generator). +- The provenance of the Flux assets hosted on GitHub releases page can be verified using the official [SLSA verifier tool](https://github.com/slsa-framework/slsa-verifier) with the `slsa-verifier verify-artifact` command. +- The provenance of the Flux controllers container images hosted on GHCR and DockerHub can be verified using the official [SLSA verifier tool](https://github.com/slsa-framework/slsa-verifier) with the `slsa-verifier verify-image` command. + +## Provenance verification + +The provenance of the Flux controllers container images hosted on GitHub Container Registry +and DockerHub can be verified using the official [SLSA verifier tool](https://github.com/slsa-framework/slsa-verifier) +and [Sigstore Cosign](https://github.com/sigstore/cosign). 
+ +### Example + +We will be using the [helm-controller](https://github.com/fluxcd/helm-controller) container image hosted on GHCR for this example, +but these instructions can be used for all Flux controllers container images. + +First, we need to find the digest of the image we want to verify: + +```console +$ crane digest ghcr.io/fluxcd/helm-controller:v0.34.2 +sha256:f97672c005dcfa4d03d76b2fd4063cd9015d9bd088c1c0f50b64e8dba5e37d1e +``` + +Using the digest, we can now verify the provenance of the Flux controller by specified its repository and version: + +```console +$ slsa-verifier verify-image ghcr.io/fluxcd/helm-controller:@sha256:f97672c005dcfa4d03d76b2fd4063cd9015d9bd088c1c0f50b64e8dba5e37d1e --source-uri github.com/fluxcd/helm-controller --source-tag v0.34.2 +Verified build using builder https://github.comslsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v1.7.0 at commit 06979867d50edf49ea335fe960cdb9b1d4928a8d +PASSED: Verified SLSA provenance +``` + +Using Cosign, we can verify the SLSA provenance attestation by specified the workflow and the GitHub OIDC issuer: + +```console +$ cosign verify-attestation --type slsaprovenance --certificate-identity-regexp https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v --certificate-oidc-issuer https://token.actions.githubusercontent.com ghcr.io/fluxcd/helm-controller:v0.34.2 +Verification for ghcr.io/fluxcd/helm-controller:v0.34.2 -- +The following checks were performed on each of these signatures: + - The cosign claims were validated + - Existence of the claims in the transparency log was verified offline + - The code-signing certificate was verified using trusted certificate authority certificates +Certificate subject: https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v1.7.0 +Certificate issuer URL: https://token.actions.githubusercontent.com 
+GitHub Workflow Trigger: push +GitHub Workflow SHA: 06979867d50edf49ea335fe960cdb9b1d4928a8d +GitHub Workflow Name: release +GitHub Workflow Repository: fluxcd/helm-controller +GitHub Workflow Ref: refs/tags/v0.34.2 +```
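Review bot: the `slsa-verifier verify-image` invocation in the "Example" section has a malformed image reference, `ghcr.io/fluxcd/helm-controller:@sha256:f97672c...`; a digest reference takes no tag separator, so this should read `ghcr.io/fluxcd/helm-controller@sha256:f97672c...` (the same digest printed by `crane digest` just above). In the same block the quoted verifier output shows `https://github.comslsa-framework/slsa-github-generator/...`, which is missing the slash after `github.com` and should be corrected so readers can compare against real output. On the Cosign step, `--certificate-identity-regexp` only pins the reusable generator workflow, which is the same certificate subject for every project that calls it; as written the check proves that some repository ran `generator_container_slsa3`, not that `fluxcd/helm-controller` did, so either add `--certificate-github-workflow-repository fluxcd/helm-controller` or tell the reader to compare the `GitHub Workflow Repository: fluxcd/helm-controller` and `GitHub Workflow Ref: refs/tags/v0.34.2` lines in the output against the expected values; the regexp should also be anchored and have its dots escaped. Two wording fixes in the surrounding prose: "by specified its repository and version" and "by specified the workflow" should both read "by specifying". Finally, under "Provenance Requirements", "signed by GitHub OIDC identity and the public key to verify the provenance is stored in the public Rekor transparency log" is imprecise: the attestation is signed with a short-lived key whose Fulcio certificate is bound to the workflow's OIDC identity, and it is the signing certificate and signature entry that are recorded in Rekor, so consider rephrasing along those lines.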