Skip to content

An example approach to securing containerized workloads within AKS using Notation.

License

Notifications You must be signed in to change notification settings

microsoft/secure-software-supply-chain-on-aks

Repository files navigation

Assure workload integrity in AKS with secure software supply chain

Open in GitHub Codespaces Open in Dev Container

Overview

This repo offers a step-by-step guide on how to establish centralized control for risk management by creating software supply chain components and employing policies. This walkthrough covers the following aspects of the secure software supply chain:

  • Generation of the software bill of materials (SBOM) by analyzing source code, dependencies, and container image packages using Microsoft's SBOM tool.
  • Production of vulnerability reports using Aquasec's Trivy.
  • Signing of both the container image and security artifacts using Notation.
  • Bundling of the signatures, security artifacts, and container image (the software release) using ORAS .
  • Enforcement of policies through Gatekeeper and Ratify as part of the admission control process.

Architecture

The following architecture will be provisioned and configured upon successful completion of the walkthrough. For a more detailed breakdown see provisioned infrastructure.

Solution infrastructure, described further on the page linked above

Getting started

Fork repository

This walkthrough requires the user have certain permissions at the repository level. Fork the repository and work within the fork to make sure all steps can be performed.

Walkthrough environment

It is highly recommended to leverage the supplied Visual Studio Code development container or GitHub Codespaces when working with this walkthrough. The devcontainer, which is also used by Codespaces, includes all the required tooling with no additional steps or configuration.

If not utilizing the devcontainer or Codespaces, review the list of required utilities and verify each is installed and configured.

Pipeline options

When working with this walkthrough, there are two pipeline options for building images and artifacts: Azure Pipelines and GitHub Actions. Each option requires a slightly different configuration.

Please ensure the walkthrough environment is up and running before continuing with either pipeline option.

Starting with the desired pipeline option, this guide is composed of five steps:

  1. Infrastructure configuration
  2. Inspect container images and artifacts
  3. Policy definition and assignment
  4. Workload deployment and policy enforcement
  5. Teardown

Continue with Azure Pipelines

Continue with GitHub Actions

Additional references

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.