
"GitHub's Artifact Attestations, for guaranteeing the integrity of artifacts built inside the GitHub Actions CI/CD platform, is now generally available. General availability was announced June 25. By using Artifact Attestations in GitHub Actions workflows, developers can improve security and protect against supply chain attacks and unauthorized modifications, GitHub said."
"As part of the announcement, GitHub also introduced the Kubernetes Policy Controller, which lets developers validate attestations directly within Kubernetes as an added layer of security."
"Powered by Sigstore, an open source project for signing and verifying software artifacts via attestations, Artifact Attestations is intended to secure a software supply chain by creating a link between artifacts and the build process. Adding provenance to a GitHub Actions workflow can be done by invoking the new attest-build-provenance Action with the path to the artifact. This can then be verified using the new gh attestation verify command."
Artifact Attestations is generally available to guarantee the integrity of artifacts built inside the GitHub Actions CI/CD platform. General availability was announced June 25. Artifact Attestations enables developers to improve security and protect against supply chain attacks and unauthorized modifications by adding attestations to workflows. The Kubernetes Policy Controller enables validation of attestations directly within Kubernetes as an added layer of security. Artifact Attestations is powered by Sigstore, an open source project for signing and verifying software artifacts via attestations, and links artifacts to the build process. Provenance is added via attest-build-provenance and verified with gh attestation verify.
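The two steps the summary names, attesting with attest-build-provenance and checking with gh attestation verify, put together in one workflow as an added example (not code from the article or from GitHub's documentation). The build command, the artifact path dist/app.tar.gz and the workflow file name are assumptions; the permissions block is what the attest action needs to obtain an OIDC token and write the attestation.

```yaml
# .github/workflows/release.yml (assumed file name, added example)
name: build-attest-verify

on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  id-token: write      # lets the job request the OIDC token Sigstore signs against
  attestations: write  # lets the job store the attestation on the repository

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Assumed build step; it must produce dist/app.tar.gz.
      - name: Build artifact
        run: make dist

      # Record the build provenance for the artifact. The subject is the file's
      # digest, so any later modification breaks verification.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/app.tar.gz

      # Fail the job unless the artifact carries a valid attestation that was
      # produced by a workflow in this repository. Consumers run the same
      # command against the downloaded file before deploying it.
      - name: Verify attestation
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh attestation verify dist/app.tar.gz --repo "$GITHUB_REPOSITORY"
```

Outside the workflow, a consumer verifies a downloaded copy with the same gh attestation verify command and the publisher's repository name; a tampered or unsigned file makes the command exit non-zero, which is the check to gate a deployment on.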
#artifact-attestations #github-actions #sigstore #kubernetes-policy-controller #software-supply-chain-security
Read at InfoWorld