►
Description
For more Continuous Delivery Foundation content, check out our blog: https://cd.foundation/blog/
A
A
B
A
B
A
I
think
that
makes
a
lot
of
sense
like
if,
like
events,
topics
could
be
presented
there.
The
security
aspects
could
be
presented
here
like
it
may
increase
your
work,
but
you
can
repurpose
some
of
those
flies.
Perhaps
so
I
don't
think
you.
I
will
pick
you
on
slack
and
then
we
could
set
a
date
and
then
put
it
on
the
agenda
based
on
when
you
are
available.
B
Yeah
I'm
gonna
yeah.
I
can't
promise
you.
I
mean
I've
got
a
lot
of
stuff
at
work
on
my
plate,
but
I'm
gonna
try.
Well,
I
doubt
I'll
get
to
it
before
I
go
on
vacation,
so
it'll
be
probably
the
end
of
middle
close
to
the
end
of
september,
because
I'm
gonna
be
in
I'll,
be
in
portugal
for
two
weeks
coming
up
so.
A
B
A
What
works
for
you?
Okay,
I
see
most
people
join.
So
let
me
put
the
link
to
the
chat
and
share
my
screen
and
I
hope
you
can
see
my
screen
and
hack
any
document
as
usual.
If
you
could
record
your
participation
in
document
that
would
be
great
and
today
on
our
agenda,
we
have
an
action
item
from
our
previous
meeting
on
david.
Let
me
check
if
david
joined
david-
not
not
here
yet
I
will
ping
him
on
slack
and
then
the
next
topic
is
slide
chain.
A
C
Okay,
that's
good,
so
hello,
everyone
and
good
morning
I
am
assalam
alaikum
contributor
of
zinc
index.
Today
we
are
going
to
talk
about
the
gender
states.
What
is
the
promising
house
approaching
cicd
solution
and
about
our
journey
towards
supply
chain
security?
What
we
did
for
now
and
what
we
are
going
to
do
later
and
how
it's
going
to
be
very
useful
for
our
users,
so
our
agenda
for
today
is
we
talk
about
watching
six,
a
simple
introduction
about
its
features
and
how
it's
a
promising
cic
solution.
C
C
C
We
are
a
cloud
native
solution
that
aims
to
provide
our
users
with
the
ability
to
build
ci
cd
systems
in
a
easy
way
or
our
past
ways
that
runs
natively
inside
your
cooperative
cluster
with
zynx.
You
don't
need
to
manage
an
external
service
server
to
manage
the
ci
cd
system
for
you,
it
also
run
in
the
in
the
next
cluster
itself.
It
has
its
own
crds
as
it
talks
to
the
api
server
and
starts
executing
its
pipeline
jobs
you
created
for
it.
C
C
This
also
includes
a
set
of
different
features
like
multi-cluster,
githubs
and
secret
management,
and
chat
with
multi-cluster
githubs.
We
allow
get
to
be
the
single
source
of
rules
for
all
your
clusters
that
manage,
while
jxx
ticket
management
and
chat
ops
which
allow,
which
is
a
a
very
good
feature,
objects
that
allows
for
triggering
events
like
pipelines
or
testing
pull
requests
through
typing.
Certain
commands
in
the
in
support,
request,
chat,
and
all
of
this
is
integrated
natively
in
the
openness
cluster
you
use
short.
C
In
short,
we
you
focus
on
the
cried
in
the
great
code
and
we
focus
on
building
it
for
you
supply
chain
security
with
jinx
x,
as
we
are
an
all-in-one
solution
and
we
aim
to
be
an
end-to-end
solution
as
well.
We
realize
that
the
importance
of
supply
chain
security
in
the
current
in
the
current
era,
and
also
we
aim
to
provide
it
out
of
the
box
for
our
users,
so
not
only
to
secure
jinx
x
artifacts,
but
also
make
it
an
an
applicable
step
in
your
pipeline,
developed
using
jinx
x.
C
The
current
agenda
for
the
project
is
including
spawn
generation.
Spam
is
short
for
software
pull
of
materials,
which
is
a
great
way
for
detecting
vulnerabilities
and
protecting
against
outdated
softwares.
That
may
include
malwares.
Also,
it's
useful
for
licensed
compliance
for
more
than
one
purpose.
C
The
other
type
of
of
integration
we're
going
to
use
is
integration
with
stick
from
chains.
The
conscience
is
another
solution
from
tecton
that
aims
to
allow
for
cryptography
design,
artifacts
and
storing
them
in
a
more
convenient
way.
The
current,
stable,
finished
state
of
genetics
is
s-pawn
generation
support.
C
We
end
we
reach
the
test
that
you
can
generate
s
bombs
and
store
them
next
to
your
artifacts,
and
also
we
can
use
tools
like
glide
to
detect
our
vulnerabilities.
This
will
be
broken
next,
okay,
so
a
good
introduction.
What
is
form
it's
short
for
software
pull
of
materials,
which
is
a
formally
structured
list
of
components
used
to
identify
the
certain
components
built
this
software.
C
Okay,
one
of
the
investigations
we
made
was
talking
about
spawn
formats,
which
has
been
like
three
different
formats
as
spdx,
which
is
short
for
software
package,
that
exchange
and
the
cyclone
dx
and
swd
tags
x.
All
of
this
is
talked
about
this
strings
x,
blog
post.
We
will
share
with
you
the
slides
after
that,
and
you
can
refer
to
the
blog
post
on
zynx
website,
but
for
the
current
use
case
of
jinxx.
We
we
settle
down
to
use
the
software
package
that
exchange
it's
adopted
by
the
linux
foundation.
C
C
You
may
say
generation
you
may
see
generation
tools
that
include
those
fields
and
include
others
that
doesn't
exist,
maybe
one
of
the
essential
feats
one
of
the
essential
fields
that
must
be
included
in
all
tools.
It's
the
package
information
which
means
that,
with
every
battle
just
that's
used
inside
the
system
you
are
building,
it
should
have
a
metadata
about
the
creation
and
the
license
and
the
the
version
and
I
get
commit,
maybe
for
the
last
build.
C
C
C
C
E
C
Can
you
see
this
now?
Yes,
yes,
yes,
okay!
So
this
is
the
fields
we
were
talking
about
in
spdtx
specifications.
It
includes
the
metadata
about
the
document
itself
and
the
software
is
created,
and
after
this
there
is
a
packages
object
which
includes
an
array
of
all
packages
or
a
list
of
four
packages.
It
includes
a
package
name
and
then
spdx
id
for
this.
The
download
creation
and
files
analyzed
okay.
So
anyone
have
questions
for
now.
C
Okay,
so
we
can
start
another
investigation
that
we
made
is
talking
about
s
palm
generation
tools.
What
are
the
tools
used
to
generate
this
port?
This?
These
forms,
so
s-bombs
are
aimed
to
include
all
packages.
So
if
it's
a
big
project
like
zxx,
it
will
may
contain,
like
hundreds
or
thousands
of
lines
of
code
or
of
documents,
so
it
has
to
be
generated
automatically
inside
you
see,
I
see
this
so
we
talked.
We
searched
for
several
open
source
tools
to
generate
response.
C
The
list
of
all
tools
we
investigated
is
written
inside
this
other
blog
post
by
xingx,
and
we
settled
down
on
using
these
three
tools.
First
of
all,
anchor
shift
shift
is
a
cli
tool
developed
by
anker
to
generate
s
pumps
from
different
artifacts.
It
can
generate
spawns
from
docker
images,
file
systems
and
also
the
binders.
C
C
If
you,
if
you
che,
if
you
created
an
spom
for
container
images,
you
also
need
to
store
it
inside
the
inside
the
same
artifact
repository
you
are
using,
and
this
is
not
possible
in
the
usual
case,
because
there
are
documents,
not
local
images
and
a
hack,
for
this
would
be
like
to
build
a
local
image
and
store
it
inside
and
store
the
s
bomb
inside
it.
But
with
auras
for
us
is
a
cncf
sandbox
project.
C
It
supports
generate
installing
those
documents
or
or
any
non-pioneering
file
in
the
final
layer
of
an
oci
image
and
also
a
good
use
case
for
our
spawns,
which
can
be
generated
and
stored
in
the
same
place.
We
are
releasing
the
docker
images,
so
when
we
create
a
docker
image,
we
create
the
s
pawn
for
it
and
store
it
in
a
another
image,
oci
image
with
auras
and
we
push
them
together.
C
The
last
tool
we
use
for
for
spawns
is
right.
Drive
is
another
tool
developed
by
anchor
and
it
it's
used
for
vulnerability
detection
for
from
spawns,
so
how
we
are
gonna
use
sponge.
You
generate
this
and
if
this
all
the
packages
you
use
but
how
you
can
detect
the
vulnerabilities
and
how
you
can
use
this
in
supply
chain
security,
this
is
done
by
gripe.
It
scans
the
generators
from
s-bombs
for
general
images
and
other
file
systems.
C
C
C
C
Okay,
that
we
added
another
step.
We
added
the
other
step
to
install
drive
or
to
generate
the
s-pom
document,
the
s-pom
documents
from
shifts,
and
we
use
auras
to
push
it
local
to
push
it
to
the
container
registry.
You
are
using
on
the
user
side.
You
can
reference
these
documents
like
here,
so
how
users
are
how
our
users
are
going
to
use
this
step
using
gx3
pipeline
catalog.
C
We
are
referring
to
their
pipeline
in
total
flight
housing
6.
This
release,
utml,
which
is
a
pipeline,
runs
when
at
least
is
triggered.
So
you
go
inside
the
step.
This
is
the
steps
field,
a
tasks
then
steps
with
you,
professor.
You
check
image,
we
use
jenkins
x,
gxc,
pipeline
catalog,
and
you
refer
to
the
path
of
this
of
this
task
tasks,
slash
supply,
chain
security
and
then
refer
to
the
name
of
the
task
itself
that
will
load
shift
with
this.
C
You
can
download
to
your
image
to
your
pipeline
and
upload
binaries
is
using
for
jinxx
upload
binaries
is
using
google
easily.
So
another
thing
we
want
to
talk
about
for
our
own
spawn
generation.
We
are
using
gorillazer,
which
is
this
gorillazone
btml,
and
here
we
specify
a
response
to
generate
from
archive
artifacts.
So
with
google
easer,
it's
it's
by
default,
supporting
generating
response,
but
it
also
requires
safe
to
be
installed.
C
C
C
If
you
want
to
know
about
know
more
about
the
spta
specifications,
we
also
attached
the
link
for
this
in
sptx
version.
2.2,
okay,
and
if
you
go
back
to
the
sponge
network
xx
refer
to
this
link
to
view
the
full
the
full
spawn,
and
it
appears
here
it
will
download
this
document.
For
you
see,
this
is
a
very
big
document
that
can
now
be
human
readable.
It
has
to
be
machine
learnable
to
generate
automatic
checks,
which
is
also
detected
by
gripe.
C
Okay,
here
in
scanning
response,
we
use
gripe
there
is.
This
is
a
an
example
of
comments
to
to
check
the
s
pawns
from
jinx
x.
If
we
pass
it
to
drive,
it
will
omit
you
the
vulnerable
packages,
that's
detected
with
the
liberty
and
the
installed
version
and
where
it's
fixed,
but
not.
This
is
just
a
note
that
this
is
an
issue
with
the
this
is
an
issue
with
drive
itself,
because
it
was
mentioning
our
own
version.
We
were
not
using.
We
were
not
using
this
one
level.
C
C
C
For
now
also
jenkins
x
is
in
salsa
level
one
and
we
hope
to
achieve
salsa
level
two
by
the
end
of
this
year.
Maybe
so
tikton
integration
effect
on
change
integration.
It
will
enable
us
to
reach
salsa
level.
2.,
the
last
thing
we
need
to
do
for
now
is
approximate
implementation
of
the
cncf
secure
software
factory
using
jinxex.
With
this.
C
C
It's
actually
because
it's
more
verbose
for
us-
and
it's
it
includes-
is
a
comparison-
is
made
in
the
blog
post,
but
in
a
short
answer.
It's
more
verbose
for
us
and
more
suitable
for
our
use
case,
because
the
package,
information
and
file
information
is,
is
more
acceptable
to
gripe
and
great
for
vulnerable
protections.
D
So
so
you
know
like
the
reason
we
did.
That
was
because
shift
by
default
creates.
You
know,
like
s
form
in
you
know,
like
the
spdx,
you
know
the
json
like
format.
So
since
we
are
very
new
to
this,
we
wanted
to.
You
know,
stick
to
you
know
the
defaults
and
then
we
can
see
okay.
So
if
we
want
to
go
to
say
cyclone,
you
know
like
dx
in
the
future
we
can.
We
can
also
do
that,
but
that's
the
reason
so
cool.
D
B
A
A
F
I
think
I
was
asked
to
if
I
could
share
more
detail
right.
I
was
asked
if
I
could
share
more
details
around
what
we
do
internally
at
google
compared
to
salsa,
and
I
looked
into
that
internally.
I
can't
share
more
details.
I
can't
share
the
schema.
What
I
can
say
is
that
what
you're
seeing
in
salsa
is
very
very
much
aligned
with
what
we
do
internally
at
google,
albeit
with
a
different
schema.
A
F
F
What's
your
test
coverage,
do
you
have
a
test
coverage,
a
code
coverage
standard
that
no
no
artifact
goes
to
production
without
a
code
coverage
of
x
percent
as
an
example
or
other
kinds
of
gates
that
may
need
to
be
passed.
Does
your
supply
chain
include
red
green
testing?
Do
you
have
a
canary
analysis
service
that
looks
at
a
new
canary?
Does
it
provide
automatic
rollback
if
there
are
new
problems
that
surface
in
production,
as
part
of
your
automated
rollout
or
is,
is
manual
intervention
required?
F
That
is,
of
course,
going
to
be
called
the
cold
health
project
score,
which
abbreviates
as
chips,
so
that
we
will
have
chips
and
salsa,
and,
having
said
that,
I'm
sure
this
this
proposal
will
be
we'll
get
significant
uptick
in
in
endorsement
and
excitement
from
everyone
in
the
room
by
way
of
prior
art.
I
will
lean
on
some
of
my
internal
google
experience.
You've
heard
me
before
talk
about
the
google
suite
book.
F
Where
we
talk
about
some
of
this,
we
have
all
sorts
of
project
health
metrics
that
we
watch
that
help
us
gauge
this
and
engage
the
health
and
maturity
of
a
project,
and
certainly
there
are
aspects
of
that
that
you
know
google
would
bring
bring
to
this
conversation.
If
people
are
interested
in
this,
so
that's
kind
of
my
introduction,
I'm
interested
in
hearing
from
others
yeah,
you
know
getting
a
sense
of
level
of
interest.
F
F
E
So
I
think
I
think
you
bring
up
a
great
point.
I
think
that
salsa
does
not
cover
everything,
and
so
I
think
one
of
the
things
that
we're
actually
looking
at
in
the
frescar
project
is
basically
having
runtime
attestation
is
also
created.
So,
for
example,
as
the
build
is
getting
built
out
right,
can
you
do
you
know
exactly
what
kind
of
what
the
process
is,
what
the
sys
calls
are
getting
are
getting
run
as
the
actual
as
the
actual
artifact
is
getting
run
right,
so
is
it
reaching
out
to
the
internet?
E
Do
you
expect
it
to
reach
out
to
the
internet
right?
So
are
you
so
capturing
that
kind
of
information
kind
of
gives
you
that
you
can
go
creating
a
separate?
You
know
creating
a
separate
attestation,
that's
separate
from
salsa.
You
have
a
salsa
attestation,
satisfaction
at
the
same
time.
You
have
like
a
run
time
at
a
station
getting
generated
and
you
can
go
back
to
and
refer.
Maybe
you
can
create
policies
based
off
that
newly
generated
attestation.
So
that's
that's.
E
The
other
thing
we're
looking
into
is
having
that
visibility
at
the
runtime
for
the
build
right
so
that
you
can
know
if
it's
reaching
out
to
the
internet.
You
know
if
it's
reaching
out
to
malware.com
for
some.
Whatever
reason
right,
you
don't
expect
that
to
happen.
Then
you
can
you.
Can
you
have
a
record
of
that
happening
and
you
can
go
trace
it
back.
E
G
Listening
to
this,
the
examples
that
you
gave
david,
I
would
call
policies,
that's
what
I've
been
calling
them
internally
around
like
what
it
means
to
be
production,
ready
and
parse.
The
thing
that
you
mentioned
feels
like
a
an
accessory
metric
to
prove
your
salsa
level,
and
so
there's
like
an
interesting
hierarchy
of
the
validate
that
you
really
didn't
contact.
The
internet
feels
underneath
the
salsa.
Please
don't
contact
the
internet
to
be
salsa,
4.
G
F
Yeah
justin
at
google,
depending
on
the
the
project
involved,
these
may
or
may
not
be
policies,
we
start
with
them
as
measures
and
metrics,
and
so
we
have
so.
You
can
imagine
that
one
project
might
be
satisfied
with
a
project
health
score
of
two,
whereas
some
other
project
might
need
to
be
at
five
or
seven
or
whatever.
It
is,
and
we've
sort
of
got
a
whole
lot
of
different
metrics
and
different
projects,
decide
which
metrics
are
relevant
to
them
and
thereby
decide
which
policies
they
want
to
see
enforced.
F
E
And
I
agree
with
what
you
were
saying:
justin
like
it
is
definitely
like
it's
an
indicator
of
how
far
you
are
with
on
the
salsa
scale
right,
and
I
think
it's
it's
one
of
those
things
that
gives
you
more
information
that
gives
you
you
can
make
better
informed
decisions
like
hey.
Yes,
I
am
at
salsa
level
four,
because
my
runtime
attestation
is
also
proving
that
you
know
that
that
that
I
am
at
that
level.
G
F
G
F
Absolutely
chips:
we
do
this
kind
of
thing
in
in
some
of
our
google
cloud
products.
Absolutely
so
as
a
simple
example
of
that
can
any
single
engineer,
access,
user
user
data
in
this
application
or
is
user
data?
Does
user
data
require
multiple
approvals
in
order
to
gain
access?
Just
like
you
would
have
in
salsa?
Does
a
pr
require
require
approval,
require
multiple
approvals,
same
sorts
of
measures.
C
A
Yeah
an
example
f
from
past
experiences.
This
was
how
the
events
discussions
started
like
few
years
ago
under
suspicion,
rescue
interpretability
few
people
who
were
interested
to
work
on
events
in
a
more
focused
manner
created
the
work
stream
under
the
special
telescope
interviewed.
So
that
is
an
option
which
we
have
a
previous
experience
with
that.
A
So
if
you
want
david
and
if
others
are
interested,
you
could,
you
know,
form
a
work
stream
under
supply
chain
stick,
then
you
work
with
these
things
and
over
time
it
could,
you
know,
turn
into
its
own
project
or
what
they
were
like.
How
c
difference
was
created.
So
we
just
you,
know,
lead
the
topic
and
then
now
we
help
you
get
going.
F
Okay,
so
I
think
what
I'm
gonna
do
for
now
is
just
put
in
the
agenda
a
call
to
action.
Anyone
who's
interested
can
contact
me
on
slack
and
we'll
look
to
sort
of
get
a
first
meeting
of
interested
parties
and
and
and
figure
out
how
we
want
to
proceed
or
for
that
matter.
If
we
want
to
proceed
frankly,.
A
F
F
C
So
so,
which
we
reached
for
this
investigation
that
s
bombs
is
not
always
considered
as
a
metadata,
it's
just
a
whole
new
document.
Maybe
I
don't
know
if
it's
actually
can
be
uploaded
with
the
image
layer
as
a
separate
document,
but
if
it's
metadata
it
can
be
stored
in
the
same
image,
but
it's
not
specifically
admitted
that
it's
just
a
whole
separate
document
that
gets
that
we
want
to
be
uploaded
in
the
same
artifact
repository
okay.
So
it's
it's
not
just
it's
not
just
a
metadata.
C
It
can
be
considered
as
a
as
a
json
file.
Actually
spdx
solution
rate
is
spd-x,
json
format,
so
we
checked
and
we
searched
for
open
source
tools.
This
is
actually
a
tool
used
by
microsoft
or
us,
which
is,
we
spoke
about
earlier,
a
cncf
sent
project
sandbox
projects,
so
it
was,
and
we
tried
it
with
another
document,
and
it
worked
so
for
us.
C
So
this
is
why
we
didn't
store
it
in
metadata
format,
because
it's
it's
a
separate
document
and
the
also
you
can
like
you
want
to
upload
like
different
different
formats
of
the
same
spom.
How
you
can
do
this
is
a
metadata
if
we,
if
we
decided
to
generate
the
spdx
and
cycling
gx
and
sw
iet
tag,
I
think
storing
them
as
a
metadata.
That
may
be
a
broker
for
us.
I
don't
know
if
this
has
another
workaround
or
another
solution,
but
this
is
the
solution.
We
feel
more
convenient
for
our
use
case.
F
You
can
also
store
alongside
the
artifact
for
docker
containers
and
oci
bundles.
You
can
store
the
information
in
the
tecton
cluster.
Typically,
there
are
a
bunch
of
options
there
in
chains,
with
the
exception
of
oci
bundles,
to
store
alongside
the
artifact
itself.
Those
are
those
are
artifact,
agnostic,
they're,
simply
storage
locations.
The
approach
we're
doing
on
google
cloud
platform
is
that
this
information
should
all
be
centralized
and
therefore
it's
in
the
artifact
analysis
api.