►
From YouTube: An OSS project's attempt to secure it's supply chain - Ankit Mohapatra, Berkshire Grey
Description
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
An OSS project's attempt to secure it's supply chain - Ankit Mohapatra, Berkshire Grey
Jenkins X is a cloud native CI/CD platform built on top of kubernetes with out of the box support for gitops, secrets management, preview environments, chatops and much more.
In order to provide all these functionalities, Jenkins X uses many open source projects as part of it's supply chain in the form of go modules, npm packages, helm charts, docker images and terraform modules to name a few.
In the light of the recent high profile supply chain exploits and attacks (solarwinds, codecov etc), securing the open source supply chain becomes critical for us and our end users.
But how do we even keep track of all the packages that make up our supply chain and then secure it?
We started by generating SBOMs (Software Bill Of Materials) for our artifacts and using vulnerability scanners to identify potential vulnerabilities.
Currently, we are in the process of integrating with tekton chains.
This talk is an attempt to summarize our supply chain security journey and what we plan to achieve in the future.
We will explore the fascinating world of SBOMs, SLSA (Supply chain Levels for Software Artifacts) levels and in-toto attestations.
More importantly, there will be some practical examples of the abstract concepts around supply chain security and how Jenkins X attempts to make a secure supply chain accessible to everyone.
A
So
well
a
bit
of
intro
who
am
I
onkit
I
work
as
a
devops
I
work
as
a
devops
at
at
you
know,
like
Berkshire
gray,
which
is
you
know
like
robotics,
which
does
you
know
like
robotic
stuff.
I
am
also
the
maintainer
of
Jenkins
X.
Why
is
it?
You
know
like
level
two,
because
there
are
two
horns?
That's
that's
like
just
a
point.
So
what
is
you
know
like
Jenkins
sex?
It
is
not.
A
A
We
are
a
CI
CD
tool.
I
would
probably
say
that
we
are,
you
know
like
a
platform,
so
we
have
a
lot
of
you
know
like
features,
so
we
have
CI
which
is
done
using
using
you
know
like
tecton.
We
have,
we
are
kind
of,
like
you
know,
like
Argo,
but
we
have
our
own
jigs.
You
know
like
it
Ops.
We
have.
You
know
like
preview
stuff.
We
have,
you
know
like
Secrets.
A
So
that's
one
of
the
reasons
why
it's
not
a
tool,
but
instead
you
know
like
a
platform.
The
whole
point
is
to
make
the
cncf
you
know,
like
landscape
appear
less.
You
know,
like
scary,
if
you
have
seen
it
there's
like
too
many
things
to
choose,
so
you
can
either
use
that
or
you
can
try.
You
know
digenc
what
is
what's
the
problem
that
we're
that
we
are
General
are
trying
to
solve.
So
we
produce
a
lot
of
you
know
like
binaries.
A
We
have
you
know
like
images,
we
have
telephone
stuff,
and
so
we
are
a
software
you
know
like
Factory
for
for
for
for
so
so
the
way
we
know
like
produce
them,
we
use
you
know
like
GitHub
and
we
also
have
our
own
our
own.
You
know
like
gcp
stuff,
but
the
big
question
is:
how
do
our
end
users
know
that
all
of
these
you
know
like
binaries
and
having
charts
are
actually
you
are.
Are
you
know
like
coming
from
us
and
not
from
say
Jenkins?
A
Why
or
something?
Okay?
Where
did
I
go
great?
Do
we
know
what
goes
into
building
those
things
and
are
they
safe
to
use?
Eventually,
we
want
to
help
the
end
users
of
you
know,
like
Jenkins
sex
have
a
secure
by
default
chain.
That's
that's.
You
know
like
the
North
Star
internally
we
use
so
we
use
analog
gcp.
We
have
spot
because
it's
cheap
to
use
them.
We
run
the
latest.
You
know,
like
version
of
our
own
Tool,
every
time
a
test
you
know
like
passes.
A
A
A
Some
some
of
you
know
like
dependencies
we
had
were,
should
have
just
been.
You
know
like
lines
of
code
rather
than
getting
an
external.
You
know
like
package,
which
is
not
you
know
like
maintained
anymore.
We
did
not
have
you
know
like
a
s-bomb
which
is
basically
you
know
like
a
list
of
stuff
that
makes
up
your
you
know
like
binaries.
We
did
not.
You
know
like
sign
things
and
most
likely
we
were
salsa.
You
know
like
level
zero
to
one.
A
A
So,
let's
start
by
taking
a
look
at
the
checks.
You
know
like
binary.
You
can
see
in
in
our
left
hand,
side
I,
guess
anyways.
It
did
not.
Have
you
know
like
s-bombs,
it's
not
signed
but
more,
but
if
you
just
run
the
JX,
you
know,
like
version
all
you
get
is
just
this
number.
That
means
nothing
to
me
like
which
branch
was
it
made
from
which
you
know
like
commit
Shah
was
it
which
you
know
like
version
of
go.
Was
it
so
we?
A
A
it's
using
the
main
branch
which
is
good
and
it's
and
in
that
Branch
it's
built
on
like
it's
it's
built
using
this,
you
know
like
commit
Shah.
What
next
we
had
huge
like
some
of
the
images
we
had
were
huge,
like
one
of
them
was
eight
1.8
gigs
and
we
have
got
it
204.
You
know
like
MB,
so
doing
these
kind
of
things
you
know
like
these.
Are
you
know
like
low
hanging
fruits
that
that
that
we
first
got?
You
know
like
sorted
out?
A
Also,
we
were
using
tags
and
in
some
of
the
cases
we
were
just
using,
you
know
like
latest.
Instead
we
are
trying
to
use.
You
know
like
the
digest
Sha,
it's
so
some
of
the
you
know
some
of
the
tax
actually
use.
You
know
like
digestion
now,
some
of
them
at
least
use
tags
and
not
you
know
like
latest,
so
it's
still
something
that
we
are
doing
now.
A
So
what
are
software
bill
of?
You
know
like
materials?
They
are,
you
know
like
trending
today,
they're
very
you
know
like
popular
everyone.
You
know
like
talks
about
them,
and
so
that's
where
we
were
like
well,
we
need
to
have
you
know
like
s-bomb,
so
we
started
with
sift
and
one
of
the
you
know.
Like
reasons
we
picked,
it
was
because
we
use
you
know
like
go
releaser,
so
Swift
comes
as
the
default.
You
know
like
option.
Four.
You
know
like
for
that
tool.
A
Of
course
you
can,
you
know
like
swap
it
out
and
that's
fine.
We
also
used
you
know,
like
the
Json
format.
I
have
a
sample,
you
know
like
as
Mom.
Of
course
it's
great
for
you
know
like
machines,
but
if
you
want
to
you
know
like
take
a
look
at
it,
it's
hard.
It's
it's
just
a
huge
file,
a
lot
of
things
inside
and
I
guess
we
can.
You
know
like
take
a
look
at
one
of
them,
so
this
is
one
of
you
know
like
the
s-bomb
that
we
have.
A
You
can
see.
So
this
is
so
most
so
it
has
a
list
of
all.
You
know
like
packages.
This
is
for
one
of
the
package
you
can
see
it
has.
You
know
like
a
spdx,
you
know
like
ID,
so
that's
just
a
hash,
so
every
you
know
like
package
that
you
have
in
your
home
will
will
have
you
know
like
a
unique
hash.
It
has
the
name
which
is
basically
you
know.
A
Like
name
of
the
package,
you
can
see
that
you
know
like
the
license
is
none,
so
that
was
a
bit
of
you
know
like
concerning
for
us,
because
in
the
end,
if
we
have,
you
know
like
a
spawn,
but
we
don't
know
if
we
are
using.
You
know
like
a
license
which
is
not
you
know
like
open
source.
You
know
like
friendly
like
then
then
like
it
doesn't
really
make
much
sense
for
us,
but
but
that
is
an
issue
with
sift
and
we
will.
You
know
like
talk
about
that
soon.
A
A
Well,
in
our
case
it's
in
another
language,
then
we
have
compute,
which
is
just
you
know
like
the
package
name
and
then
we
have.
You
know
like
the
version
of
the
package
which
is
1.10.0.
The
you
know
like
Purl,
is
just
a
package.
You
know
like
URL,
since
we
use
go.
It
just
comes
from
the
go.mod
file.
A
If
you
want
to
look
at
it
more,
this
is
basically
the
full
file
and
you
can
scroll
and
it's
a
pretty
big
file.
We
are
using
spdx,
you
know
like
2.2,
which
is
not
you
know,
like
the
latest.
You
know,
like
version
sift,
actually
does
not.
You
know
like
support
it.
Yet
there
are,
you
know,
other
tools
that
we
are
planning
to.
You
know
like
switch
to
in
case.
We
don't
get
that
from
safe
soon,.
A
So
what
for
you
know
like
the
issues,
as
I
said,
all
of
you
know
like
license
info,
is
you
know
like
missing
in
sift
so
I
tried
to
you
know
like
look
at
that
code
base
to
see?
Actually
why
it's
not
there
like?
Is
it
because
there
is
some?
You
know
like
issue
with
us
and
not
with
them
and
turns
out
that
when
they,
when
they
try
to
get
the
package
you
know
like
info,
they
actually
don't
they.
A
A
You
know
like
support
it
now,
but
I
and
and
I
think
the
most
you
know
like
important
thing
is
so
we
have
you
know
like
the
s-pomb,
but
then
what
at
this
point,
what
we
did
was
we
have
gripe
which,
which
you
know
like
scans
them
and
tries
to
find
any
you
know
like
vulnerabilities
in
them,
but
but
you
know
like
what
what
you
know
like
we
would
like
is.
Maybe
you
know
like
a
Cron
job
that
runs.
A
So
now
that
we
have,
you
know,
like
the
s-bomb,
of
course
you
know
like
what
we.
What
we
know
like
wanted
to
do
was
to
you
know
like
sign
all
of
the
stuff
we
started
with.
You
know
like
binaries
and,
and
you
know,
like
the
s-bombs,
so
if
you
see
you
know
like
the
image,
you
will
see
that
we
are
signing.
You
know
like
the
tar
file
and
we
are
also
you
know,
like
signing.
You
know
like
the
bomb
file
at
this
point.
A
We
are
using
keys
to
you
know
like
sign
them
and
of
course
that's
not
a
great
thing,
because
if
you
have
to
you
know
like
manage
your
keys,
that's
always
a
big
issue
like
you
might
get
like.
You
know
like.
Maybe
that
key
gets
leaked
leaked
and
then
it
might
become
an
issue
we,
we
actually
have
a
branch
where
we
are
trying
out.
You
know
like
keyless,
you
know
exciting,
and
that
should
be
out.
You
know
like
very
soon
now
that
we
have.
You
know
like
signatures.
A
What
about
you
know
like
the
provenance
data
and
what
about
you
know
like
attestation,
so
there
is,
you
know
like
a
pull
request
which
will
add
that
to
our
build.
But
what
is
you
know
like
provenance?
It's
in
a
in
a
in
a
like.
Very
you
know.
So
what
it
is
is
is
just
it's
just
when
how
and
where
our
you
know
like
artifacts
were
were
built
and
when
you
sign,
you
know
like
document
about
that,
it
then
becomes.
A
You
know
like
an
attestation
in
total
is
probably
one
of
the
most
popular.
You
know
like
format
at
this
point.
So
for
our
you
know,
like
GitHub
stuff,
we
are
using
the
salsa,
you
know
like
provenance,
so
there
is,
you
know
like
a
GitHub,
you
know
action
for
it
and
for
for
our
internal
stuff,
we
are
using.
You
know
like
tecton
Chains
It's.
Still,
you
know
like
a
work
in
progress.
We
are,
we
have
it
running
for
our
local.
A
Well,
we
don't
have
one,
but
since
this
is
you
know
like
open
source,
we
can
always.
You
know
like
take
a
look
at
another.
You
know
like
project,
because
I
I
think
it
makes
a
lot
of
sense
to
actually
you
know
like
see,
see
one.
You
know,
like
example,
before
we
go
and
add
one
to
our
own,
like
workflow
you,
so
there
is
a
link
to
to
to
you
know
like
the
spec.
There
are
three
things
that
are
that
are
very
you
know
like
important.
A
So
so,
in
order,
the
payload
is
basically
for
you
know
like
encoded.
That
is,
you
know
like
statement,
and
that
is
what
and-
and
we
can
use
JQ
to
to.
Actually
you
know
like
format
it,
and
the
important
thing
to
check
is
you
know
like
the
subject,
so
in
case
of
ko,
what
what
you
know
like
they
are
doing.
Is
there
you
know
like
subject?
Is
you
know
like
the
checksum
file?
So
you
see
there
are
so
what
they
do.
Is
they
produce
KO?
A
You
know
like
binaries
for
different,
you
know
like
platforms,
and
so
so
so
that
becomes
you
know
like
the
subject
and
then
you
know
like
the
predicate
is.
What
is
you
know
like
generated
by
by
you
know
like
GitHub,
and
you
can
see
that
there
is
the
Builder
you
know
like
ID,
so
that
you
know
like
tells
you
that
this
is
like
this
was
you
know
like
created
by
the
GitHub?
You
know
like
generator
and
and
and
it
has
more,
you
know
like
info
about
how
it
was
you
know
like
generated.
A
So
at
this
point
our
binaries
are
signed,
but
also
our
you
know,
like
images
are
signed
using,
you
know,
like
cosine
s-bombs
are
generated
using
shift
initially,
when
we
tried
to
push
and
pull
you
know
like
s-bomb,
we
were
using
a
new
tool
called
oci.
You
know
like
registry,
as,
as
you
know,
like
storage
the,
but
then,
since
we
use
you
know
like
cosine,
we
can
just
use
that
to
to
actually
push
and
pull.
You
know
like
s-bomb
for
our
for
our.
A
But
what
do
we
want
to
do?
Next?
We
have
a
lot
of
you
know
like
plugins.
At
this
point,
what
we
have
signed
is
just
few.
You
know
like
binaries.
There
are
still
some
you
know
like
plugins
that
are
not
signed.
We
we
would
also
want
to
sign
our
you
know,
like
Helm
charts,
Jenkins
X
today
is
installed
using
telephone.
You
know,
like
modules,
we
have
one
for
you
know
like
gke.
We
have
one
for
you
know
like
Amazon,
so
we
support
all
of
the
three.
A
You
know
like
Cloud
providers,
but
but
there
is
no
way
to
sign.
You
know
like
modules
at
this
point,
I
think
terraform
doesn't
you
know
like
support
it?
Yet,
as
I
said,
we
have
teched
on
chains
working
in
local.
You
know
like
clusters,
but
it's
still
not
integrated
to
the
point
where
our
you
know
like
end
users
can
just
be
like
hey,
you
know
like
I
want
to
have.
You
know
like
a
secure
chain,
true
and
then
changing
sex
goes
and
installs.
A
So
that
is
something
that
we
are
trying
to
work
on
and
if
you
just
have
you
know
like
the
provenance,
it
doesn't
really
mean
much
if
your
cluster
can
run.
You
know
like
anything,
so
we
are
looking
at
adding
adding
you
know
like
everno.
You
know
like
policies
so
that
it
blocks
any
any.
You
know
like
artifact
from
you
know,
running
in
the
cluster
as
I
said
image,
you
know,
like
sizes
have
have
you
know
like
gone
down,
but
we
also
want
to
move
to.
A
You
know
like
this
show
less
soon.
One
issue
we
had
with
sift
was:
it
does
not
generate.
You
know
like
s
form
at
say,
you
know
like
build
time.
So
what
it
does
is
you
give
it
a
binary
it?
You
know
like
looks
at
it
and
then
it
you
know
like
infers
the
bomb.
Instead,
what
we
would
want
is
have
you
know
like
s
forms
at
say.
You
know
like
build
time,
and
there
are
tools
which
can
you
know
like
help
us
do
that.
A
Apco
and
you
know,
like
Malang,
are
probably
very
popular
at
this
point
and
also
using
APCO
will
help
us
to
have.
You
know,
like
reproducible
builds
conclusion.
Well,
it's
so
so
you
know
like
three
months
back,
we
had
almost
you
know
like
nothing
at
this
point.
I
think
we
are
in
a
bit
of
you
know
like
better
shape.
A
There
are
a
lot
of
you
know
like
simple
things
that
you
can
do
you
don't
have
to
jump
into
the
more
you
know
like
complex
stuffs,
if
you
have
so
I
I
think
six
store,
for
example,
has
you
know
like
helped
a
lot
to
to
like
make
all
of
those?
You
know
like
complex
tasks.
You
know
like
simpler.
For
us,
there
is
a
lot
of
things
to
learn,
but
you
will
have
fun
as
you
go.
A
A
A
A
Yes,
I
mean
at
this
point:
I
would
say
it's,
let's
see
what
does
it
have?
Well,
it's
not
based
on
Java,
I
guess
but
but
I
think
it's
more
native
to
you
know
like
kubernetes
compared
to
Jenkins,
like
you
like,
you
can
have
Jenkins
CI,
which
which
runs
on
you
know
like
kubernetes,
but
we
were
built
ground
up
for,
for
you
know
like
Cloud
native
and,
and
you
know
like
kubernetes
right.
A
A
I
mean
we,
we
do
have
a
slack
Channel
but
again,
like
I
said
it's
it's,
it
is,
it
is
still.
You
know
like
an
open
source
project
and
yes,
I
mean,
of
course
we
are
looking
for.
You
know
like
vendor
support,
but
that
will
take
time.
I
mean
to
be.
You
know
like
honest:
it's
not
going
to
happen
tomorrow,
right.
A
A
What
are
we
yeah,
of
course,
but
but
yes,
I
mean
now
we
have
six,
you
know
like
maintainers
and
it's
you
know
like
growing.
So
we
have
plans
to
to
to
like
think
about.
You
know
like
commercial
support,
but
of
course
not
for
this
year,
I
mean
it
will
take
some
time
we.
So
we
have.
You
know
like
a
governing
like
body
at
this
point
which
we
did
not
have.
A
A
A
I
understand
yes,
because
I
was
running
Jenkins
sex
at
my
you
know
like
previous
work
and
well
I.
So
I
did
it
because
I
am
the
maintainer.
So
if
something
breaks
of
course,
I
can
go
in
and
fix
it,
but
I
I
do
you
know
like
understand?
Yeah?
Yes,
yes,
so
so
we
have
plans.
I!
Think!
That's!
That's!
That's
just
what
I
have
in
mind
like
we
are
planning
to
go
for.
You
know
like
commercial
support,
and
that
is
something
that
that
the
TOC
is
looking
at.