Replies: 2 comments
-
For auditing build attestations, a high-priority task is to save the logs for jobs which have a build attestation on Rekor.
-
We have the same problem in two projects. We can't switch to GitHub because the retention period is limited.
Topic area: Bug
Summary:
GitHub Actions logs are deleted after three months. This reduces transparency and auditability of CI/CD jobs. This is a software supply chain security problem.
Attack model:
An attacker subverts a CI or a CD job. The attack may leave traces in the logs. If the attack goes undetected for three months, all traces are deleted and the attacker is safe. It is impossible to audit automated package releases from the past.
Mitigation:
GitHub should keep the logs of all CI/CD jobs, or at least all of them in repos which are deployed to package repositories such as npm/PyPI/Maven/Docker Hub/etc.
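Until the logs are retained upstream, a repository owner can pull them out before the window closes. The following is an added example, not code from the discussion or from GitHub: a scheduled archiver that downloads the log zip of each completed run approaching the retention cutoff and records a SHA-256 manifest so the saved logs can later be checked for tampering. It assumes the `GET /repos/{owner}/{repo}/actions/runs/{run_id}/logs` endpoint, a token with read access to Actions, run records shaped like the `workflow_runs` entries of `GET /repos/{owner}/{repo}/actions/runs`, and retention and margin constants that are my own choice.

```python
import hashlib
import json
import os
import urllib.error
import urllib.request
from datetime import datetime, timedelta

API = "https://api.github.com"
RETENTION_DAYS = 90      # GitHub's default log retention, the post's "three months"
SAFETY_MARGIN_DAYS = 14  # archive well before the logs are deleted

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 302 instead of auto-following it

def github_get(path, token):
    """GET an API path; the logs endpoint 302s to a short-lived storage URL,
    which is fetched without the token so the bearer token never leaves api.github.com."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"}
    req = urllib.request.Request(API + path, headers=headers)
    try:
        with urllib.request.build_opener(NoRedirect()).open(req) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        if err.code not in (301, 302, 307):
            raise
        with urllib.request.urlopen(err.headers["Location"]) as resp:
            return resp.read()

def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def runs_to_archive(runs, now_iso, archived_ids=()):
    """Completed runs (as listed by /actions/runs) old enough to be at risk and not yet saved."""
    cutoff = _ts(now_iso) - timedelta(days=RETENTION_DAYS - SAFETY_MARGIN_DAYS)
    return [r["id"] for r in runs if r["status"] == "completed"
            and _ts(r["created_at"]) <= cutoff and r["id"] not in archived_ids]

def archive_logs(repo, run_ids, outdir, fetch):
    """Save each run's log zip plus a SHA-256 manifest; `fetch` is github_get bound to a token."""
    os.makedirs(outdir, exist_ok=True)
    manifest = {}
    for run_id in run_ids:
        blob = fetch(f"/repos/{repo}/actions/runs/{run_id}/logs")
        with open(os.path.join(outdir, f"run-{run_id}.zip"), "wb") as fh:
            fh.write(blob)
        manifest[str(run_id)] = hashlib.sha256(blob).hexdigest()
    with open(os.path.join(outdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest
```

The `runs` list handed to `runs_to_archive` can be pre-filtered to the runs that produced a build attestation, which is the subset the first comment asks to preserve.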