Discover Artifact Attestations: Now in Public Beta

GitHub has announced the general availability of Artifact Attestations, a new feature aimed at improving security in the software supply chain. With over 100 million developers using GitHub, the company aims to provide tools that protect the integrity of software from its source code to its final distribution.

Artifact Attestations allows project maintainers to easily create an immutable and verifiable audit trail that links software to its build instructions and source code. Consumers of the generated metadata can use it to perform new security checks and validation using tools like Rego and Cue. Initially, verification is done through GitHub CLI, but there are plans to extend this verification to the Kubernetes ecosystem later this year.

The functionality is based on Sigstore, an open-source project that handles the signing and verification of software artifacts. This allows open-source project maintainers to reduce their exposure to supply chain attacks and improve the overall security of the software ecosystem, regardless of where the code is stored or where the artifacts are built.

The Artifact Attestations user experience has been designed to be as simple as possible, requiring only the addition of some YAML to the GitHub Actions workflow and the installation of GitHub CLI for verification.

The new tool is particularly useful for creating a Software Bill of Materials (SBOM), which is essential for software transparency and security. The attest-sbom action allows linking a generated SBOM with a final artifact, signing it, and sending it to the attestation store.
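The YAML mentioned above and the attest-sbom step, shown as an added example workflow that is not from the original article or from GitHub's documentation. Assumed here: the build writes `dist/app.tar.gz`, and `anchore/sbom-action` is used as one possible SBOM generator (any step that writes SPDX or CycloneDX JSON would do).

```yaml
# Added example (assumption-based, not the article's own): build, generate an
# SBOM, then attach provenance and SBOM attestations to the artifact.
name: build-and-attest
on:
  push:
    tags: ['v*']

permissions:
  contents: read        # checkout only
  id-token: write       # OIDC token that Sigstore binds to the workflow identity
  attestations: write   # store the signed attestation on GitHub

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build artifact (placeholder build step)
        run: |
          mkdir -p dist
          tar -czf dist/app.tar.gz src/

      - name: Generate SBOM (assumed generator; any SPDX/CycloneDX JSON output works)
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: spdx-json
          output-file: dist/app.spdx.json

      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/app.tar.gz

      - name: Attest SBOM (links the SBOM to the same artifact digest)
        uses: actions/attest-sbom@v1
        with:
          subject-path: dist/app.tar.gz
          sbom-path: dist/app.spdx.json
```

A consumer then checks the downloaded file with GitHub CLI, e.g. `gh attestation verify dist/app.tar.gz --owner <org>`, which fails if the digest or the signing workflow identity does not match.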

Artifact Attestations removes much of the complexity of managing a Public Key Infrastructure (PKI) by relying on the security of the user's GitHub account. The tool creates a document signed with an ephemeral key pair, where the public key is bound to a certificate issued for the identity of the build system that ran the workflow.

GitHub has established its own root certificate authority to allow artifact signing in GitHub Actions and verification anywhere, even offline. This eliminates the need to manage PKI infrastructure or handle secrets that can be leaked or lost.

The new functionality is designed to operate in both public and private repositories. In public repositories, attestations will be written to the public instance of Sigstore, while in private repositories, attestations will be stored in an internal GitHub database, ensuring the privacy of the information.

Provenance alone does not guarantee the security of artifacts or of the build process, but it does provide tamper-proof assurance that the artifact being run is the same one that was built, which closes off many attack vectors. The functionality creates an immutable audit trail that links an artifact to a specific GitHub Actions workflow.

GitHub remains committed to offering high security standards for both enterprise customers and the open-source community. Artifact Attestations is just the beginning, with future improvements planned to include support for Kubernetes and additional artifact types.

For those interested in learning more about how GitHub can simplify shipping code securely, the company invites you to attend GitHub Universe 2024, where research and best practices in developer-centric security will be explored.

GitHub has once again demonstrated its commitment to democratizing artifact integrity and software supply chain security, making it easier for developers and organizations to keep their projects secure with familiar and accessible tools.

Referrer: MiMub in Spanish