tapestry

Supply Chain Security Platform

Supply Chain Security

Supply chain security has been a driving interest of mine since 2019. When I designed Gitsecure, our DevSecOps solution, it already had support for SBOM reporting. Then, as we started using Tekton as the primary technology for implementing our CI/CD pipelines, the question became: how do we build trust in these pipelines? I started mentoring a Cloud course project at Boston University during Fall '20 to explore the idea further. Then, in early 2021, I came across a wonderful project, tekton/chains, which was trying to bring trust and attestation into our pipelines. I believe pipeline security is much broader in scope. I gave a talk at Cloud-Native Security Con at KubeCon NA '21 to elaborate on this. There are a few open-source initiatives I started to address this area: bringing signing/verification to pipelines [tapestry-pipelines], admission checks before executing pipelines [tkn-admcontroller], and building a canonical representation of Tekton resources as in-toto attestations [tkn-intoto-formatter].

This is an evolving area and we need to address it from multiple vantage points, including build security, dependency validation, code security, runtime verification, and attestation pedigree for auditing.

References

CrossPlane Community Day, KubeCon EU '21

Cloud-Native Security Con, KubeCon NA '21

TheNewStack - Pipeline Security

TheNewStack - Orion SBOM

IBM Cloud Podcast on DevSecOps and SupplyChainSecurity