To continue efforts to improve the security of our graduated and incubating projects, we recently worked with Chainguard to assess the software supply chain security practices of two of our graduated projects, Argo and Prometheus.
These efforts build on the security work we have been doing with independent security audits with OSTIF and fuzzing audits with ADA Logics and address a crucial aspect of security health in the software supply chain.
The assessments of Argo and Prometheus were based on Supply-chain Levels for Software Artifacts (SLSA), which provides a framework for software supply chain integrity. SLSA is housed under the Open Source Security Foundation (OpenSSF) and details standards and technical controls that can be adopted to improve artifact integrity and build resilient systems.
One of the most important aspects of SLSA is the existence of a provenance document. Provenance documents go beyond artifact signatures by demonstrating how a software artifact is built and what dependencies it contains. This helps to prevent artifacts from being tampered with and tampered artifacts from being used.
“As we’ve continued to see an increase in frequency and severity of attacks across the software supply chain, we felt it was more important than ever to ensure our projects are taking steps to continuously improve their security practices with SLSA” said Chris Anisczyck, CTO, CNCF.
Results
Argo
Argo is a collection of tools for getting work done with Kubernetes. The project graduated in December 2022.
The assessment focused on ArgoCD, a GitOps continuous delivery tool for Kubernetes.
The Chainguard assessment team concluded that the source, build, and provenance portions of the Argo CD supply chain all achieved SLSA level 3. This means that the ‘source and build platforms meet specific standards to guarantee the auditability of the source and the integrity of the provenance, respectively.’ More generally, it shows that a system’s builds are fully trustworthy, build definitions come from the source, and the system has a hardened CI. At the time of the audit, the maintainers were improving their SLSA levels by adding provenance and signing throughout release objects.
The full ArgoCD SLSA Assessment Report is available here.
Prometheus
Prometheus is one of CNCF’s most widely used projects and provides a cloud native monitoring system and time series database.
The assessment of Prometheus yielded SLSA Level 3 for both Source and Build sections. However, the audit did not find provenance for the published artifacts, which resulted in SLSA Level 0 for Provenance. The Chainguard assessment team recommended that the Prometheus maintainers implement provenance generation within the Prometheus build infrastructure and throughout the projects under the Prometheus umbrella.
The full Prometheus SLSA Assessment Report is available here.
The audits were based on version 0.1 of SLSA, which emphasizes a set of software supply chain security practices that deal with source code, the build process, and provenance. Further information on the 0.1 SLSA specification can be found here: https://slsa.dev/spec/v0.1/requirements. At the time of writing, a SLSA 1.0 specification has been announced.