Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News KubeEdge Achieves SLSA Level 3 Compliance

KubeEdge Achieves SLSA Level 3 Compliance

KubeEdge, a CNCF incubating project, recently met the Supply Chain Levels for Software Artifacts (SLSA) Level 3 compliance. SLSA 3 certifies the end-to-end security of KubeEdge's software supply chain process, ensuring that binary and container image artifacts are protected from malicious tampering.

KubeEdge Special Interest Group(SIG)-Security announced the compliance via a community post on the CNCF blog. SLSA is a security framework and checklist of standards that enhance the integrity of software artifacts, safeguarding them against unauthorized modifications and common supply chain attacks, from source code build to release. SLSA is currently in alpha, and the level three and four requirements are subject to change.

The introduction of vulnerabilities into a supply chain can be initiated by any software. As a system becomes more intricate, it is crucial to establish checks and implement best practices beforehand to ensure artifact integrity. SLSA describes the known attack points in software supply chains via the below diagram:

Source: KubeEdge! CNCF’s First SLSA 3 Project

KubeEdge currently satisfies the Source, Build, and Provenance requirements for level three SLSA compliance.

For build-related compliance, KubeEdge uses GitHub scripts to automatically execute its build processes. These scripts are stored in the ".github/workflows" directory as definition and configuration files and are implemented using GitHub Actions. This build service provides traceability and verifiability of build steps, an isolated and ephemeral build environment, and protection against tampering with build parameters and dependencies.

Provenance refers to the build metadata that provides evidence of the software build and release execution process, which can be authenticated. This metadata includes build steps, build sources, and dependencies, such as source code repositories, code branches, and configuration files. To comply, KubeEdge builds and releases artifacts — including binary files and container images — through a version release process that integrates slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml and slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml, which are contained in .github/workflows/release.yml.

As a side, SLSA released their first major update post June 2021 - SLSA v1.0 RC1 Specification. The highlight of this update is the division of SLSA into multiple tracks, each comprising a distinct set of levels that evaluate a specific aspect of software supply chain security. 

In other news, we also saw a YCombinator post introducing Chainloop, an open-source software supply chain control plane. Using Chainloop, SecOps teams can restore security compliance, visibility, standardization, and control. The developers can ensure compliance with minimal friction and effort.

To know more about SLSA, interested readers can head over to the SLSA community page. To get involved with KubeEdge, readers can follow the official GitHub page.

About the Author

Rate this Article