A spicy workshop where you will learn about SLSA and how to get started securing your supply chain.
We will sign and verify an app using Cosign in a GitHub workflow.
Several initiatives have been started in an attempt to address the issues surrounding supply chain integrity, the most notable one being Supply chain Levels for Software Artifacts (SLSA). SLSA aims to be vendor neutral and is backed by major players like the Cloud Native Computing Foundation and Google, in addition to startups such as Chainguard.
Sigstore is a Linux Foundation project which is developing Cosign, a tool for container signing, verification and storage of signatures in an Open Container Initiative (OCI) registry, making signatures invisible infrastructure.
Kyverno is a policy engine designed for Kubernetes. With Kyverno, policies are managed as Kubernetes resources and no new language is required to write policies.
In this workshop we will take a practical approach to securing your container applications and verifying that the container has not been tampered with since it was built:
- Setting up automated container builds
- Signing containers using sigstore/cosign
- Verifying signed containers using Kyverno
- Working with Kyverno policy reports at scale
The workshop is divided into 4 labs:
- Setting up local environment
- Signing containers locally
- Signing containers in a GitHub workflow
- Verifying signed containers in a Kubernetes cluster
- Working with policies at scale
This project is licensed under the MIT License - see the LICENSE file for details.