Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Suboptimal supply chain security for the project #4349

Open
R3DRUN3 opened this issue Feb 19, 2024 · 0 comments
Open

Suboptimal supply chain security for the project #4349

R3DRUN3 opened this issue Feb 19, 2024 · 0 comments
Assignees
@g1eny0ung

Comments

@R3DRUN3
Copy link

R3DRUN3 commented Feb 19, 2024
edited

Feature Request

Is your feature request related to a problem? Please describe:
At its current state, the project exhibits suboptimal supply chain management in the CI pipeline.
The generated OCI images for chaos-mesh are neither signed nor attested.

Describe the feature you'd like:
The proposed solution suggests minimal adherence to industry best practices, by signing and attesting the images (cosign) using their SBOM as a predicate.

Teachability, Documentation, Adoption, Migration Strategy:
Main benefits of the proposed solution are:

  1. Certify both image and SBOM provenance.
  2. Have the SBOM available in the same registry as the image, enabling effortless downloading for all users.
  3. Implementing specific admission policies with tools such as Kyverno and Sigstore Policy Controller.

For an implementation reference on GitHub Actions, please refer to this.
@g1eny0ung g1eny0ung self-assigned this Feb 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@g1eny0ung g1eny0ung

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@g1eny0ung @R3DRUN3