GitHub is taking a step forward to help organizations improve supply chain security with the release of Artifact Attestations. This new feature allows GitHub users to verify the integrity of GitHub Actions artifacts before they choose to deploy them into their Kubernetes cluster.
Artifacts in GitHub are files or collections of files that were created during a workflow run, such as build or test output.
Attestations include a link to the workflow associated with the artifact, along with other related information such as its repository, organization, environment, commit SHA, and triggering event.
According to GitHub, Artifact Attestations are powered by Sigstore, an open source project that allows software artifacts to be signed and verified to promote better software integrity.
Alongside this general availability release, GitHub is also now offering a new way to build Kubernetes admission controllers that allows developers to validate attestations from within Kubernetes clusters. According to GitHub, this ensures that only properly validated artifacts get deployed.
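The following workflow is an added example, not GitHub's own documentation or code from the article: it builds an artifact, records a provenance attestation for it with GitHub's attest-build-provenance action, and then verifies that attestation with the gh CLI before any deploy step would run, so an artifact that lacks a valid attestation from the expected organization fails the job. The repository name "example-org/example-app", the organization "example-org" and the artifact path dist/app.tar.gz are assumed placeholders.

```yaml
# Added example workflow (not from the article or from GitHub's docs).
# Assumed: repository example-org/example-app, artifact dist/app.tar.gz.
name: build-attest-verify

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write      # lets the job obtain its Sigstore signing identity
  attestations: write  # lets the job store the attestation in GitHub

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build artifact (placeholder build step)
        run: |
          mkdir -p dist
          tar -czf dist/app.tar.gz --exclude=dist .

      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/app.tar.gz

      - name: Verify attestation before deploying
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          # Exits non-zero if no attestation issued by a workflow in
          # example-org matches this file's digest, which stops the job
          # before a later deploy step could ship a tampered artifact.
          gh attestation verify dist/app.tar.gz --owner example-org
```

The verify step is the point of the example: the attestation binds the artifact's digest to the workflow, repository and commit that produced it, so checking it at deploy time (here in CI, or in a cluster via an admission controller as the article describes) rejects artifacts that were modified or built elsewhere.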
“By integrating Artifact Attestations into your GitHub Actions workflows, you enhance the security of your development and deployment processes, protecting against supply chain attacks and unauthorized modifications,” GitHub wrote in a blog post.