DEV Community

Cover image for Build and sign application containers
Kamesh Sampath
Kamesh Sampath

Posted on • Originally published at developer.harness.io

Build and sign application containers

Overview

Open Source software has been heart of every software development model. With its increased usage means the software the are built are susceptible to threats and vulnerabilities.

What is the Supply Chain problem ?

Supply Chain problem is how and where vulnerabilities are introduced into the software supply chain. It is usually introduced at Source or Dependencies level and gets seeped into the software artifact consumed by the end user a.k.a the Consumer.

The threats could be introduced at two levels which forms the basis of software integrity,

  • Source Integrity

    • Compromised Source Repo
    • Unauthorised Source Code change
  • Build Integrity

    • Build from modified source
    • Compromise build process
    • Use compromised dependency
    • Upload modified package
    • Compromise package repo
    • Use compromised package

SLSA

The Supply chain Levels Software Artifact(SLSA) puts a security framework in place that each software build can follow, ensuring the integrity of the built artifact.

There are four Levels of maturity in SLSA,

Level Description Example
1 Documentation of the build process Continuous Integration(CI)
2 Tamper resistance of the build service Hosted source/build
3 Extra resistance to specific threats Security controls on host
4 Highest levels of confidence and trust Two-party review + hermetic builds

As with any process, maturing with SLSA levels is a continuous improvement process. As part of the blog and a simple tutorial using Harness Platform, which will allow us to document our build process(SLSA Level 1).

IMPORTANT: All the levels requires us to have build Provenance, since it deserves its own blog post let us revisit it as part of another blog post. If you want to learn about provenance please do visit this great blog.

Tutorial

With containers being the heart of Cloud Native application development, it has become even more critical to ensure the integrity of the containers. One of the ways to do this to sign and verify the container images.sigstore is a open source project that empowers software developers to securely sign the container images.

As part of this tutorial we will,

  • Understand how to build container image, sign/verify the image using sigstore cosign utility
  • Integrate cosign as part of Continuous Integration(CI) using Harness CI.

Summary

Signing alone is not sufficient to ensure the overall security of any software, adopting SLSA and continuous improvement of the build process(SLSA levels) is very critical. By using Harness Platform we documented our build process and also implicitly started to move towards SLSA Level 2 by using a Host source (GitHub) and build(Harness CI).

Top comments (0)