►
Description
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
DevSecOps with Shipwright and Tekton - Adam Kaplan & Vincent Demeester, Red Hat
Speed and security are often seen as competing priorities in the application development process. Emerging features in Shipwright and Tekton help bridge this gap, allowing developers to quickly build applications and verify the security of their software supply chains. In this session, we will demonstrate how Tekton and Shipwright can be used throughout the entire application development lifecycle to code, test, verify, and deploy applications. At each step in a piece of code’s journey to production, we will highlight features that help organizations meet SLSA compliance requirements. These include container image signing with cosign, generation of software bills of materials (SBOMs), and provenance attestations with Tekton Chains. Following this session, attendees will be able to use Shipwright and Tekton to secure the software supply chain of their own applications.
A
My
name
is
adam
kaplan,
I'm
a
software
engineer
at
red
hat
and
a
maintainer
of
the
shipwright
project.
Before
joining
red
hat,
I
worked
at
a
transportation,
focused
consulting
company
which
helped
companies
ship
freight
containers.
Today
I
help
companies,
ship,
kubernetes,
containers,
kind
of
the
same
thing.
B
B
So,
what's
in
the
engine
that
today,
we
are
going
to
demonstrate
how
to
create
a
devsecops
developer,
workflow
with
shipwrights
takedown
and
a
few
tools
along
the
way
we
will
define.
In
a
few
words,
what
is
takedown,
what
is
devsecops
and
we
will
showcase
a
developer
inner
loop
that
uses
cheap,
write
to
build
in
container
images
with
local
source
code.
B
A
A
A
We
need
this
new
thing
called
a
provenance
attestation
which
shows
what
steps
we
took
to
produce
the
artifacts
and,
depending
upon
what
our
security
teams
or
other
experts
ask.
We
may
need
to
provide
much
much
more
in
keeping
with
that
devops
mindset.
We
want
all
of
these
things
to
be
generated
automatically
and
early
in
the
software
development
life
cycle.
B
B
B
Ci
again,
those
are
for
building
a
lot
of
building
blocks
of
of
our
ci
and
our
of
our
local
development
and
on
the
ci
cluster
we
are
going
to
extend
tecton
with
tecton
chains
and
pipelines
code.
We
are
going
to
use
all
these
tools
to
document
our
application
through
the
whole
software
lifecycle,
coding,
review,
testing
and
deployment,
a
small
word
of
warning
or
caution.
A
A
A
A
A
A
And
to
inspect
this
s-bomb,
we
can
use
cosine
to
download
it
and
then
print
it
out.
So
we're
going
to
download
the
s-bomb
since
we're
outside
the
cluster,
we're
going
to
use
the
external
route
to
the
registry
and
now,
let's
print
the
s-bomb
and
inspect
it.
You
can
see
that
the
s-bomb
is
for
my
github
code.
A
A
You
can
see
that
now
we
have
a
new
image
that
has
been
pushed
under
our
latest
tag.
It's
got
a
new
digest
and
if
we
look
at
the
other
tags,
we
have
this
tag
here.
That
has
the
s-bom
of
our
container
image
that
we
had
just
pushed
and
we
can
use
cosine
to
download
it
and
compare
the
two
s-bombs
and
you
can
see
that
these
indeed
represent
as
bombs
for
two
different
container
images.
A
B
A
B
B
What
is
going
to
do
is
this
simple
pipeline.
Pull
requests
will
run
on
events
on
pull
requests
so
create
pull
requests,
update,
pure
requests,
etc
and
saw
the
unpull
requests
created
against
the
main
branch
there's
additional
annotation
here
we
are
using
two
more
one
is
the
task
one
which
tells
pipeline
scope
to
fetch
the
task
definition
here,
git
clone,
go
long
test
angle
and
build
from
the
upstream
catalog,
and
the
max
key
prompts,
which
will
help
pipeline
keep
the
crystal
clean
by
removing
the
old
ones.
B
So
this
is
how
we
do
and
it's
going
to
push
to
the
intel
registry.
So
now
I
can
go
back
to
my
pull
requests.
See
that
it's
all
green.
I
can
look
a
little
bit
more
into
detail
and
it's
telling
me
sometimes
it's
russell.
Now
I
can
go
into
the
cluster
and
see
that
it
did
run.
It
did
succeeds
and
I
have
my
git
clone
my
tests
in
my
build
and
it's
got
created
by
python's
code.
Few
annotations
and
labels
were
added
automatically.
B
B
B
B
B
B
B
B
B
B
It
will
show
probably
the
exact
same
thing
as
adam
showed
locally,
because
this
is
the
same
software.
You
can
see
all
the
dependency
I
could
have,
so
I
could
have
done
the
same
using
my
the
image
using
the
digest.
I
can
also
verify
verify
the
signature
again
here,
I'm
using
latest,
but
let's
use
the
one
with
the
ledges
as
well.
B
A
B
It
printed
some
some
of
that
you
can
also
get
the
attestation.
So
it's
a
bit
similar.
It's
just
at
the
station
and
we'll
see
again
it
was
validated
and
we
have
the
payload
note.
That's
we
can.
We
can
get
the
exact
same
payload
using
record
and
this
time
if,
for
example,
I'm
searching
for
this
one-
and
I
have
two
uid,
let
me
just
catch
one
and
I
can
ask
for,
can
ask
quicker
for
uig
and
format.
B
B
A
B
B
Entry
point
used
in
the
reference
reference
arguments
and
some
environment
variable
which
image
used,
etc
and
similar,
then
there's
the
co
scopial
that
was
used
here,
build
push
etc,
and,
yes,
that's
pretty
much
it.
We
went
through
well
doing
this
all
in
local
to
actually
do
a
pull
request
validated
that
it
works
on
the
ci
and
push
it
later
on
on
the
public
registry,
where
we
can
have
all
the
things
we
need,
the
software
because
of
material,
the
attestation
and
the
signature.
A
As
mentioned
previously,
not
everything
you
have
seen
here
has
been
released
or
has
a
stable
api
on
the
ship
right
side.
Both
running
this
shipwright
build
in
a
tecton
pipeline
and
the
integration
with
tecton
chains
has
not
been
accepted
upstream.
Just
yet.
Both
of
these
are
work
in
progress
that
we
hope
to
include
in
future
releases.