GitHub is taking a step forward to help organizations improve supply chain security with the release of Artifact Attestations. This new feature lets GitHub users verify the integrity of GitHub Actions artifacts before they choose to deploy them into their Kubernetes cluster.
Artifacts in GitHub are files or collections of files that were created during a workflow run, such as build or test output.
Attestations include a link to the workflow associated with the artifact, along with other relevant information such as its repository, organization, environment, commit SHA, and triggering event.
According to GitHub, Artifact Attestations are powered by Sigstore, an open source project that allows software artifacts to be signed and verified to promote greater software integrity.
Alongside this general availability release, GitHub is also now offering a new way to build Kubernetes admission controllers that lets developers validate attestations from within Kubernetes clusters. According to GitHub, this ensures that only properly validated artifacts get deployed.
“By integrating Artifact Attestations into your GitHub Actions workflows, you enhance the security of your development and deployment processes, protecting against supply chain attacks and unauthorized modifications,” GitHub wrote in a blog post.
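As an added example (not GitHub's code and not from the article), this is the kind of policy check an admission controller would run over the provenance fields the article lists (workflow, repository, organization, commit SHA, triggering event) after Sigstore has verified the attestation's signature. The predicate layout, organization id, repository and workflow names are constructed assumptions.

```python
import copy
import re
from dataclasses import dataclass

# Constructed sample, shaped like a SLSA v1 provenance predicate (layout assumed).
SAMPLE_PREDICATE = {"buildDefinition": {
    "externalParameters": {"workflow": {
        "ref": "refs/heads/main",
        "repository": "https://github.com/example-org/example-app",
        "path": ".github/workflows/release.yml"}},
    "internalParameters": {"github": {
        "event_name": "push", "repository_owner_id": "12345"}},
    "resolvedDependencies": [{"digest": {"gitCommit": "a" * 40}}]}}

@dataclass(frozen=True)
class Policy:
    """What the admission controller accepts for one deployment target."""
    owner_id: str
    repository: str
    workflow_path: str
    allowed_refs: frozenset
    allowed_events: frozenset

RELEASE_POLICY = Policy("12345", "https://github.com/example-org/example-app",
                        ".github/workflows/release.yml",
                        frozenset({"refs/heads/main"}), frozenset({"push"}))

def check_provenance(predicate, policy):
    """Return policy violations as strings; an empty list means admit."""
    bd = predicate.get("buildDefinition", {})
    wf = bd.get("externalParameters", {}).get("workflow", {})
    gh = bd.get("internalParameters", {}).get("github", {})
    deps = bd.get("resolvedDependencies") or [{}]
    commit = deps[0].get("digest", {}).get("gitCommit", "")
    checks = [  # one check per field the article says an attestation records
        (gh.get("repository_owner_id") != policy.owner_id, "organization not trusted"),
        (wf.get("repository") != policy.repository, "repository not allowed"),
        (wf.get("path") != policy.workflow_path, "not the release workflow"),
        (wf.get("ref") not in policy.allowed_refs, "ref may not deploy"),
        (gh.get("event_name") not in policy.allowed_events, "triggering event not allowed"),
        (not re.fullmatch(r"[0-9a-f]{40}", commit), "commit SHA missing or malformed"),
    ]
    return [reason for failed, reason in checks if failed]

def with_github_field(predicate, key, value):
    """Copy of a predicate with one internalParameters.github field replaced."""
    p = copy.deepcopy(predicate)
    p["buildDefinition"]["internalParameters"]["github"][key] = value
    return p
```

Signature verification of the attestation itself is deliberately out of scope here; the check only decides whether an already-authenticated provenance statement matches the deployment policy.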