►
Description
Don't miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from 18 - 21 April, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Spicing up Container Image Security with SLSA & GUAC - Ian Lewis, Google
Understanding and verifying the content of images that you deploy in production environments is difficult and error prone. Images could be built in an insecure environment, by a malicious actor, or include dependencies that are insecure. Users often don't have enough information to determine if images are trustworthy. Two new tools can help; Supply chain Levels for Software Artifacts (SLSA), and Graph for Understanding Artifact Composition (GUAC). In this talk attendees will learn how to add SLSA provenance metadata to their container images and strongly link images back to their source code on multiple build systems including GitHub Actions and Google Cloud Build. We will also cover how to verify images and their metadata before use; both when running locally and when running images in Kubernetes. Using policy engines like Kyverno and Sigstore policy-controller we can verify an image's source code repository, builder identity, build entry points, and more to protect production environments from malicious images. Finally we'll discuss how to understand your image's supply chain using GUAC. We'll discuss how we can combine SLSA with GUAC to better understand the contents and build provenance of your images from the base layers on down.
A
A
A
I
want
to
start
by
I,
guess
kind
of
level
setting
a
little
bit
and
give
a
little
bit
of
context
for
like
why
some
of
the
things
I'm
going
to
be
talking
about
are
important
like
why
we're
doing
these
things
in
the
first
place.
So
hopefully,
this
kind
of
like
gives
you
an
idea
of
like
why
some
of
these
things
or
how
some
of
these
things
are
actually
solving
problems
in
the
real
world
and
because
it's
really
easy
to
get
lost
in
the
details.
But
essentially
you
know
software
supply
chain.
A
But
it's
good
to
know
that
there's
a
little
bit
of
context
here
for
like
why
we're
talking
about
these
things
and
another
like
kind
of
overarching
theme,
is
that
there's
a
lack
of
information
about
the
the
software
that
we
consume.
So
as
we
develop
these
things
we
and
we
consume
software,
we
download
it.
A
A
But
how
do
you
know
that
that
artifact
was
actually
built
from
the
source
code
in
that
repo
there's?
No
real
guarantees
for
that,
and
similarly
like
this
is
even
worse
in
the
cases
of
where
the
software
is
being
distributed
on
a
totally
different
platform,
for
example,
Docker
Hub
or
you
know,
on
GCR
or
on
like
other
container
registries.
A
We
won't
actually
solve
that
particular
problem,
but
the
the
that's
kind
of
one
of
the
root
root
problems
for
this,
but,
like
also
like,
is
the
actual
image
say
like
Ian
Lewis
Foo,
that's
on
Docker
Hub,
the
same
or
built
from
the
source
code.
That's
in
the
Ian
Lewis
Foo
repository
on
on
GitHub,
for
example,
and
how
do
you
know
that?
How
can
you
verify
that?
That's
actually
the
case
so
essentially
like?
How
do
you
know
like
how
the
sausage
is
made?
How
like
what
goes
into
the
food
that
you're
eating?
A
How
do
you
like
kind
of
maintain
some
of
that
hygiene?
That's
a
pretty
difficult
thing
right.
So,
for
example,
let's
say
like
that
we
have
a
software
repository
right
like
we
have
a
a
GitHub
repository.
We
have
the
salsa
and
guac
demo
right
a
repository
here,
and
we
want
to
be
able
to
run
this
as
a
container
right
and
but
we're
we're
going
to
first
take
a
look
at
the
source
code.
We've
kind
of
found
this
thing
out
there
that
looks
like
we're
it
does
what
we
want
it
to
do.
A
Right,
we'll
look
at
the
source
code
here,
we'll
say
like
okay:
this
is
going
to
like
pronounce
some
version,
information
right,
it'll
print
out
the
git
version
and
what
tag
it
was
built
from
and
things
like
that.
That's
cool!
That's
what
I
want
right
and
we
can
even
kind
of
look
on
Docker
Hub
and
see
that
we
found
a
an
image
there.
That's
built
by
a
guy
named
Ian
Lewis
and
it
looks
like
it's
the
same
name.
A
A
We
can
actually
click
on
this
tag
and
see
like
some
of
the
image
layers
right.
If
we
look
at
our
Docker
file,
you
can
see
like
okay.
This
is
a
a
a
two-step
build,
so
we
can
only
see
the
the
second
half
of
this,
but
we
can
see
that
these
steps
here,
you
know,
line
up
with
the
steps
that
are
that
are
present
in
the
docker
image.
A
Okay,
this,
like
pretty
much,
looks
good
right
like
this
is
something
that
like
looks
like
it's
linked
to
this
repository.
You
know
it
was
built
from
this
repository
and
all
that,
but
if
we
actually
like
go
and
try
to
run
this-
and
this
is
like
just
a
Docker-
run
command
to
to
run
it-
you
know
this
is
essentially
like
building
and
running
code.
A
Also
like
the
the
names
don't
need
to
necessarily
match
up
like
somebody
could
just
make
up
their
own
account
on
Docker
Hub
or,
for
example,
like
the
account
credentials
could
be,
have
been
leaked
or
gotten
out
on
Docker
hub,
for
example.
So
you
could
have
like
a
personal
access
token
that
was
Excel
traded
or
it
was
compromised
and
that
allowed
an
attacker
to
upload
an
image.
A
A
I
am
actually
Ian
Lewis
or
that
might
the
statement
that
I
said
is
correct
right,
like
my
passport
or
like
some
statement
that
I've
actually
signed
with
my
own
signature
right.
So
in
the
case
of
software,
what
we're
going
to
do
is
we're
going
to
actually
use
some
metadata
which
we'll
call
provenance
that
comes
from
that
describes,
information
about
how
the
software
was
built
and
where
it
was
built
and
we're
going
to
combine
that
with
cryptographic,
signing
and
identity
in
order
to
create
a
software
access
station.
A
So
essentially
the
identity
is
going
to
be
either
a
person
or
some
kind
of
workload,
for
example
a
machine
identity.
What
people
call
a
machine
identity,
but
essentially
this
is
an
abstract
identity,
and
then
you
combine
that
the
identity
then
signs
this
this
metadata
to
say
that
it's
asserting
that
it's
true
and
then
that
attestation
can
then
be
verified
by
the
consumer
when
they're
actually
consuming
the
the
software.
A
So
one
of
the
the
big
things
is
that
people
say
like
kind
of
throw
these
terms
around
a
lot,
but
like
I
like
to
think
of
attestation
as
being
something
that
you
can
actually
verify
in
a
strong
way
so
like
it
needs
to
be
signed
by
somebody,
and
it
needs
to
make
sense
right
if
you
don't
have
an
identity
that
says
like
hey.
This
is
the
thing
that
signed
it
like.
A
So,
as
kind
of
a
building
on
that
topic
right,
we
have
the
idea
of
kind
of
software
attestations
but
who's
kind
of,
like
in
the
context
of
building
software
and
deploying
software
who's,
actually
kind
of
attesting
to
what
and
like
what
are
you
actually
going
to
be
attesting
to
so.
Basically,
what
happens
is
when
you're
going
to
do
a
build.
The
build
system
will
essentially
attest
to
the
fact
that
that
build
was
run,
that
it
built
that
or
ran
that
build
right.
A
So
the
build
system
is
essentially
some
sort
of
machine
Identity
or
has
some
sort
of
machine
identity,
and
then
that
is
used
to
essentially
make
the
attestation
which
says
that
I
ran
this
build
I
used
this
source
code,
I
got
this
artifact
out,
and
so
when
you
consume
the
artifact,
you
can
verify
that.
Okay,
this
is
the
same
artifact
that
was
built
by
this
and
is
described
by
this
out
of
the
station.
A
So
you
can
verify
that
that
artifact
was
actually
built
by
that
build
system
at
a
particular
time,
using
particular
source
code,
and
we
make
sure
that
we
are
cryptographically
signing
this
so
that
we
can
sign.
So
that
we
can
verify
this
in
a
very
strong
way
that
we
actually
know
we
don't
have
to
like
do
signature
like
human
level,
signature
comparisons
or
anything
like
that.
It's
not
a
it's
a
very
objective
rather
than
subjective
process.
A
Another
like
issue
here
is
that
we
need
to
make
sure
that
the
build
System
since
the
build
system
itself
is
attesting
to
running
the
build
that
the
build
itself
isn't
actually
doing
the
attestation
right.
So
it
in
the
sense
that
we
need
to
have
the
build
system
needs
to
have
some
level
of
separation
or
isolation
from
the
build
itself,
because
effectively
you
get
like
a
softer
equivalent
of
a
conflict
of
interest.
A
If
the
build
itself
is
attesting
to
the
fact
that
it
was
run
right
like
it
could
essentially
make
up
whatever
it
wants
to
at
that
point
right,
so
so
the
build
system
it
needs
to
be
trustworthy
right.
We
need
to
make
sure
that
we
trust
the
build
system
itself,
and
so,
if
the
build
itself
like
could
be
running
any
kind
of
software,
we
need
to
make
sure
that
the
the
build
system
that
we
trust
is
actually
the
thing.
That's
making
that
a
station.
A
And
then
we're
going
to
combine
these
the
different
ideas
right
together,
along
with
Sig,
store
and
you've,
heard
a
lot
about
six
store,
I'm
sure
during
the
conference
I'm
not
going
to
go
too
detailed
into
it,
but
effectively.
A
six-store
is
a
a
set
of
tools
that
allow
you
that
we're
going
to
use
for
Keeley
signing.
A
And
what
that
allows
us
to
do
is
take
essentially
an
identity,
the
identity
from
the
the
machine
identity
from
the
build
system
and
use
that
identity
to
Mint
a
new
cert
or
to
use
the
use
a
certificate
Authority
in
this
case,
folkio,
which
is
the
Sig
store
service,
to
create
a
new
certificate
that
is
short-lived
and
is
only
going
to
be
used
by
the
the
build
system.
One
time
in
order
to
start
to
sign
our
provenance.
A
So
that
basically
allows
us
to
take
the
key
sign
the
provenance
and
then
throw
away
the
private
key.
We
don't
need
it
anymore,
because
we're
only
going
to
use
it
one
time
and
then
the
public
key.
What
we
can
do
is
upload
that
to
another
service,
six
door
service
called
wrecker
with
that
we
can
then
allow
like
create
a
log
of
when
the
key
was
created
and
then
allow
that
allow
us
to
also
retrieve
that
certificate
later.
A
When
we
need
to
verify
so
effectively,
we
don't
have
to
really
keep
the
key
around
the
private
key
around.
We
can
keep
the
public
key.
We
can
put
that
in
a
log
service
that
we
can
then
use
to
pull
down
and
verify
it,
and
so
we
don't
actually
need
to
store
the
keys
anywhere
in
our
actual
build
system.
We
can
essentially
be
keyless
in
that
sense.
A
A
Let's
talk
a
little
bit
more
about
the
concrete,
like
way
that
we're
going
to
implement
some
of
the
some
of
these
ideas,
and
so
what
we're
going
to
do
is
like
apply
some
of
these
ideas
or
one
application
of
these
ideas
is
in
the
supply
chain
levels
of
software
RTX.
So
this
is
the
salsa
framework
and
The
Souls
of
framework
is
essentially
a
framework
that
is
used
to
Define
a
set
of
requirements
or
levels
that
Define
like
an
increasing
set
of
security
requirements.
A
So
right
now
it
has
a
like
levels
defined
one
through
four,
which
are
progressively
more
secure,
more
hardened
levels
of
security
for
a
build
system,
and
these
are
make
it
so
that
it's
like
increment,
incrementally
adoptable.
So
each
level
has
a
set
of
requirements
and
those
get
more
stringent,
as
you
go
up
the
the
the
levels.
A
This
also
said
some
things
like
common
terminology.
So
when
we
talk
about
provenance,
we
kind
of
know
what
we're
talking
about.
When
we
talk
about
like
signing
and
keyless,
we
kind
of
know
what
we're
talking
about
like
I,
guess,
keyless
isn't
really
necessarily
defined
by
salsa,
but
it
defines
a
bunch
of
common
terminology
that
can
be
used
for
for
build
systems
and
for
supply
chain
security.
A
That
is
because
this
gives
us
a
level
of
isolation
from
the
actual
build
part
of
the
system.
So
when
you
build
something,
you
can
separate
the
build
process
and
the
generation
and
signing
of
provenance
into
separate
build
jobs
that
are
effectively
isolated
from
each
other
right
to
run
in
different
VMS,
and
so
what
we
have.
As
part
of
this,
we
have
a
number
of
reasonable
workflows.
One
is
the
language
agnostic
kind
of
generic
generator.
We
call
the
generic
generator.
A
This
is
like
a
a
workflow
that
you
can
use
to
generate
provenance
mostly
for
file
based
artifacts,
so
things
like
binaries
things
like
s-bombs.
Maybe
that
type
of
thing
we
have
another
workflow
called
the
container
generator,
which
we've
just
essentially
G8,
and
so
we
are
basically
saying
that
this
is
stable
and
this
is
also
used
for
container
artifacts,
and
this
is
partly
to
make
it
so
that
it's
easier
to
integrate
with
all
of
the
other
Sig
store,
tooling.
A
Around
containers,
as
well
as
like,
have
support
for
things
like
uploading,
the
r,
the
attestations
to
The
Container
registry.
Alongside
of
the
containers
themselves,
so
it's
easily,
you
can
easily
get
the
the
provenance.
We
also
have
a
go
builder
for
go
projects
which
allows
you
to
build
and
generate
prominence
kind
of
in
one
step.
A
We
also
have
a
project
called
the
salsa
verifier
project,
which
is
used
to
verify
the
provenance
that's
generated
by
these
Builders.
So
this
verifier
project
is
essentially
a
command
line
tool
which
will
verify
the
provenance
for
trusted
builders
that
that
we
essentially
have
identified
as
being
well
built,
and
so
some
of
those
are
the
ones
that
we've
built
ourselves
and
have
a
full
kind
of
like
threat
model.
A
So
like
these,
the
workflows
that
we
built,
as
well
as
a
Google
Cloud,
build
and
we're
looking
to
support
other
CI
systems,
as
we
have
more
ways
of
generating
provenance
safely,
and
this
also
allows
us
to
do
things
like
verify.
The
source
code
is
the
source
code
we
expect
and
that
it
was
built
with
the
tags
that
we
expect
and
for
with
the
builders
that
we
expect
et
cetera,
et
cetera.
A
A
Also,
one
thing
that
we
can
do
as
well
with
containers
as
we
upload
them
or
we
when
we
generate
provenance,
we
can
actually
look
at
some
of
the
like
inspect
the
provenance
and
take
a
look
at
what
it
looks
like
using
some
of
the
six
door
based
tools
so
as
a
way
of
just
kind
of
looking
at
at
this,
like.
Let's
look
at
the
provenance
and
the
address
station
is
for
the
container
that
I
just
built
or
that
I
just
ran.
That
was
like
a
malicious
container
right.
A
So
if
we
look,
we
can
use
the
cosine
tree
command
to
actually
run
to
actually
check
the
container
registry
and
look
for
added
stations.
So
we
can
actually
notice
that
the
kind
of
malicious
container
that
was
here
like
actually
has
an
attestation
itself
right.
So
this
is
a
malicious
container,
even
though
it
had,
and
but
it
has
like
an
attestation,
it's
just
when
we
actually
look
at
what
the
attestation
contains.
A
And
so
this
is
the
the
actual
Json
that
was
generated,
and
so
we
can
look
at
some
things
like
the
subject.
This
is
a
what's
called
an
in
Toto
statement,
and
this
defines
you
know
somewhat
of
like
subject:
outbreak,
verb
kind
of
a
thing
where,
but
the
in
this
case
the
object
is
actually
the
subject
but
like
what
we
have
here
is
you
know
this?
A
A
We
can
see
the
Builder
that
was
used
to
build
it
as
well
as
information
about
what
source
code
was
used
and
which
workflows
were
used
in
GitHub,
and
so
we
can
see
here
that
if
we
look
at
the
actual
source
code
that
this
came
from,
this
is
actually
not
the
source
code
repository
that
we
that
we
expected
it
to
be
coming
from.
It's
actually
a
different
source
code
Repository,
and
so
we
can
use
things
like
the
salsa
GitHub
generator
or
the
salsa
verifier
in
order
to
run
the
assault.
A
The
the
verifier
to
verify
this,
and
so
we'll
look
and
we'll
try
we'll
say:
okay,
let's
verify
the
this
particular
image
and
we'll
expect
that
the
source
code,
Came
From,
My,
Salsa
and
guac
demo
repository
at
this
particular
version
right,
and
so,
if
we
run
that
this
is
duplicated
a
little
bit.
But
we
can
see
that
when
it
tries
to
verify
it
that
the
generated
artifact
does
not
have
the
expected
Source
right.
So
the
expected
source
is
social
block
demo,
but
we
got
the
fuldia
repository.
A
So
if
you
want
to
like
actually
see
what
it
looks
like
to
verify,
one
that
actually
does
verify
effectively
like
this
is
going
to
check
the
provenance
like
check
the
signatures
on
the
provenance
and
check
the
the
the
fields
in
the
provenance
for
the
source
code
and
the
tags.
In
order
to
verify
those.
A
A
So
it's
also
kind
of
worth
noting
that,
as
part
of
six
door
like
in
using
the
Sig
store,
tooling
and
the
and
salsa
provenance,
we're
able
to
integrate
really
well
with
a
lot
of
other
tooling
that
supports
six
store
and
solsa
provenance.
So
tools
like
kiverno
and
the
Sig
store
policy
controller
are
two
two
tools
that
are
used
in
kubernetes
to
verify
prominence
before
you
actually
deploy
containers
into
kubernetes.
A
So
these
are
used
as
what's
called
an
admissions
controller,
so
that
admissions
time
when
you
try
to
create
a
pod,
it
will
actually
verify
the
provenance
for
that
image
against
the
policy
that
you've
defined
inside
of
the
cluster
and
in
our
salsa
GitHub
repo.
We
have
a
number
of
examples
about
how
to
use
those,
in
example,
policies
that
you
can
use
to
verify
containers
so
effectively.
A
Okay,
so
now
that
we've
kind
of
like
gone
over
like
how
you
can
kind
of
generate
provenance
and
how
you
can
kind
of
verify
that
before
you
actually
run
your
containers,
there's
also
there's
still
like,
we
haven't
totally
solved.
The
problem
of
you
know
understanding
getting
information
about
the
artifacts
that
we're
consuming
so
the
so
not
just
like
how
it
was
built.
But,
like
you
know,
what's
inside
of
it,
do
these
things
have
access
Stations,
don't
they
like,
which
artifacts
do
we
have?
A
So
this
is
really
useful
in
a
number
of
contexts.
You
know
essentially,
like
you
have
artifacts
that
are
node
artifacts
and
metadata.
There
are
nodes,
and
then
you
have
like
relationships
between
those
nodes
as
they're
linked.
So
in
the
graph
you
would
have
like
nodes
that
are
artifacts
and
metadata
and
the
edges
or
these
relationships
that
go
between
these.
A
So,
in
our
case,
like
so,
guac
can
really
apply
to
a
lot
of
different
areas
of
discoverability
and
auditing
and
so
kind
of
across
the
life
cycle,
I,
guess
of
a
vulnerability
like
so
from
the
kind
of
being
reactive.
How
are
you
affected
by
something
that
actually
happened
to
trying
to
Implement
safeguards
into
your
system?
A
It's
an
image
development
life
cycle.
So
right
now
it's
mostly
just
ingestion
and
then
you
can
do
queries
on
the
database
directly.
So
in
this
case
I'm
using
neo4j
to
directly
query
and
visualize
in
a
database.
But
in
the
future
there
will
be
much
more
targeted
type
of
apis
for
developing
policies,
and
things
like
that-
but
we
can
see
here
here-
is
the
here's,
a
set
of
metadata
that
I've
ingested
for
the
images
that
I
was
using
earlier.
A
So
we
have
our
the
image
that
we
that
I
built,
that
is,
that
is
good,
and
then
we
have
the
image
down
here.
That
is
the
malicious
container,
and
so
like
say,
for
example,
in
a
reactive
context,
where
we
figure
out
that
this
one
malicious
container
is
in
there.
How
did
that
get
in
there
and
what
what
happened?
A
We
can
actually
see
that
this
container
has
had
was
built
by
the
same
Builder
as
our
good
container
and
that
it
has
a
software
attestation.
So
this
orange
node
is
an
attestation
node,
so
we
actually
built
it
yeah.
It
was
actually
built
with
the
same
Builder
and
generated
as
a
station
in
order
to
try
to
fool
fool
us,
but
it
was
built
from
a
different
repository.
So
that's
one
key
knowledge
Point
here
is
that
we,
even
though
we
could
verify
the
key
signature
and
that
it
had
to
add
an
added
station.
A
So
we
can
see
here
a
little
bit
about
the
relationships
here
and
how
this
this
artifact
was
built.
These
orange
these
red
nodes
over
here
are
part
of
a
information
that
was
ingested
from
an
s-bomb,
so
this
was
built
from
an
image,
a
container
image
and
we
used
the
the
sift
tool
to
generate
an
s-bomb
which
tells
us
the
different
golang
packages.
A
Overall,
our
you
know
this:
the
situation
of
our
supply
chain
and
our
the
artifacts
that
we're
building
and
using
so
with
that
I'll
end
and
I.
Think
I
have
a
couple
of
just
a
couple
of
minutes
for
questions
if
they're
already,
but
we
have
a
blog
post
that
we
released
I
think
today
on
the
GA
in
the
container
workflow.
A
If
you
want
to
find
out
more
about
salsa,
you
can
check
that
out
at
salsa.dev,
our
GitHub
generator
and
social
verifier
repost
are
on
GitHub
under
the
salsa
framework
organization
and
guac
is
under
the
glocksec
organization
on
GitHub
as
well
I'm
Ian
Lewis
on
GitHub
and
on
E
M
Lewis
on
Twitter.
So
if
you're
inclined,
you
can
hit
me
up
later
as
well.
A
A
A
So,
like
we
are
kind
of
Lucky
in
a
sense
on
GitHub
that
we
are
able
to
create
these
generators
using
features
of
GitHub
actions
that
allow
us
to
isolate
that
from
the
actual
build,
but
with
gitlab
there's
not
really
a
way
to
do
that
quite
yet,
and
so
we're
working
with
them
to
actually
like
be
able
to
generate
the
problem
safely
and
then
be
able
to
like
do
essentially
the
same
things
we're
doing
on
GitHub
as
well.
So,
yes,
we
are
thinking
about
that
and
working
with
them
on
that
yeah.
B
A
A
This
is
really
something
that
usually
the
build
system
itself
would
have
to
kind
of
implement
or
that,
ideally,
it
would
Implement,
but
in
the
case
of
GitHub,
we're
like
kind
of
using
a
a
feature
of
the
system
in
order
to
like
build
it
ourselves.
But
we
are
kind
of
essentially
working
with
other,
like
build
tools
like
like
build
kite
in
order
to
be
able
to
implement
these
things.