Open Source Summit Europe 2024

In the evolving landscape of software development, ensuring the integrity of build artifacts like container images is crucial. In this talk, we'll demonstrate how to use GitHub's Build Provenance API to generate SLSA attestations and create robust policies for your artifacts, verifying their origin and authenticity. We'll examine the contents and significance of these attestations and discuss how to integrate them into your CI/CD pipelines. Additionally, we'll explore using Minder to monitor and enforce these policies across your repositories, ensuring these attestation practices do not degrade over time. We’ll also show how combining these tools can safeguard even in the event of someone else gaining access and pushing a malicious image to your container registry. By the end of this session, you'll have a good understanding of how open source tools like Sigstore, in-toto, SLSA, TUF, and Minder can collectively strengthen the security of the software supply chain. You'll gain practical insights into setting up artifact attestations with GitHub's API and establishing tailored policies with Minder to protect your development processes against vulnerabilities.