Skip to content

Latest commit

 

History

History
46 lines (28 loc) · 2.14 KB

README.md

File metadata and controls

46 lines (28 loc) · 2.14 KB

Spice up your supply chain

A spicy workshop where you will learn about SLSA and how to get started securing your supply chain.

We will sign and verify an app using Cosign in a GitHub workflow.

Pre-requisites

What is SALSA?

Several initiatives have been started in an attempt to address the issues surrounding supply chain integrity, the most noticeable one being Supply chain Levels for Software Artifacts - SLSA. SLSA aims to be vendor neutral and is backed by major players like the Cloud Native Computing Foundation and Google in addition to startups such as Chainguard.

Cosign

Sigstore is a Linux Foundation project which is developing Cosign, a container signing, verification and storage in an Open Container Initiative (OCI) registry, making signatures invisible infrastructure.

Kyverno

Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies.

What is this workshop about?

In this workshop we will make a practical approach to securing your container applications and verify that the container has not been tampered with since it was built.

  • Setting up automated container builds
  • Signing containers using sigstore/cosign
  • Verifying signed containers using Kyverno
  • Working with Kyverno policy reports at scale

Overview

The workshop is divided into 4 labs:

  1. Setting up local environment
  2. Signing containers locally
  3. Signing containers in a GitHub workflow
  4. Verifying signed containers in a Kubernetes cluster
  5. Working with policies at scale

License

This project is licensed under the MIT License - see the LICENSE file for details.