feat: Generate SLSA provenance for operator images#602
Conversation
2620667 to
f54ae0c
Compare
|
The slsa-verifier responds with "FAILED: SLSA verification failed: no matching attestations" for the example above. |
Ah that's right, I built a new version of SecObserve in the meantime and the old image was garbage collected. I updated the hash. |
Release noteSLSA build provenance: All Stackable container images, both product images and operator images, are now published with SLSA build provenance attestations. The provenance is generated with the slsa-github-generator trusted builder, meeting the requirements of SLSA Level 3, and is signed keylessly and attached to the images in our OCI registry. This allows you to cryptographically verify that an image was built by Stackable's CI from the published source code. Check out the new provenance verification guide in our docs for details. |
Bumped
stackabletech/actionsfrom v0.15.0 to v0.16.0 so the digest output is provided.Add
provenance-ociandprovenance-quayjobs to the templated build workflow. Both call the slsa-github-generator container workflow against the multi-arch image index digest published to each registry, attaching signed SLSA build provenance to the image.Optional extra information, feel free to ignore:
I added SLSA provenance to our fork of SecObserve already in a similar fashion, here is the workflow run:
https://github.com/stackabletech/SecObserve/actions/runs/28184881580
Here is an example of how to manually inspect the SLSA provenance attestation for an image:
Or using slsa-verifier:
It's basically a signed JSON document that provides a ton of metadata about the image build. The attestation is done by an isolated job that runs
https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_container_slsa3.yml, so it's an independent "witness" that can't be manipulated (this means we achieve SLSA level 3). Luckily it's pretty easy to do since we use GitHub actions.