feat(slsa/provenance)[SEC-1079]: add to mesh v2.8

Kong · Apr 17, 2024 · cf4e0c5 · cf4e0c5
1 parent 5aa9a9b
commit cf4e0c5
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 2 deletions.
diff --git a/app/_data/docs_nav_mesh_2.7.x.yml b/app/_data/docs_nav_mesh_2.7.x.yml
@@ -32,6 +32,11 @@ inherit:
       url: /support-policy/
       action: insert
       index: -3
+    - path: [ Introduction ]
+      text: Software Bill of Materials
+      url: /sbom
+      action: insert
+      index: -3
     - path: [ Introduction, Release notes]
       url: /mesh/changelog
       src: /mesh/changelog

diff --git a/app/_data/docs_nav_mesh_2.8.x.yml b/app/_data/docs_nav_mesh_2.8.x.yml
@@ -32,6 +32,11 @@ inherit:
       url: /support-policy/
       action: insert
       index: -3
+    - path: [ Introduction ]
+      text: Software Bill of Materials
+      url: /sbom
+      action: insert
+      index: -3
     - path: [ Introduction, Release notes]
       url: /mesh/changelog
       src: /mesh/changelog
@@ -158,6 +163,14 @@ inherit:
           url: /features/access-audit
         - text: MeshGlobalRateLimit (beta)
           url: /features/meshglobalratelimit
+        - text: Verify Signatures for Signed Kong Mesh Images
+          url: /features/signed-images
+        - text: Build Provenance
+          items:
+            - text: Verify Build Provenance for Signed Kong Mesh Images
+              url: /features/provenance-verification-images
+            - text: Verify Build Provenance for Signed Kong Mesh Binaries
+              url: /features/provenance-verification-binaries
     - path: [ Reference ]
       action: modify
       icon: /assets/images/icons/documentation/icn-references-color.svg

diff --git a/app/_src/mesh/features/provenance-verification-binaries.md b/app/_src/mesh/features/provenance-verification-binaries.md
@@ -51,7 +51,7 @@ slsa-verifier verify-artifact \
    '<path to binary-artifact>.tar.gz'
 ```
 
-Here's the same example using sample values instead of placeholders where the downoad path is assumed to `/tmp`:
+Here's the same example using sample values instead of placeholders where the download path is assumed to `/tmp`:
 
 ```sh
 slsa-verifier verify-artifact \
@@ -83,7 +83,7 @@ slsa-verifier verify-artifact \
    '<path to binary-artifact>.tar.gz'
 ```
 
-Here's the same example using sample values instead of placeholders where the downoad path is assumed to `/tmp`:
+Here's the same example using sample values instead of placeholders where the download path is assumed to `/tmp`:
 
 ```sh
 slsa-verifier verify-artifact \

diff --git a/app/_src/mesh/sbom.md b/app/_src/mesh/sbom.md
@@ -0,0 +1,12 @@
+---
+title: Software Bill of Materials
+toc: false
+---
+
+A software bill of materials (SBOM) is an inventory of all software components (proprietary and open source), open source licenses, and dependencies in a given product. A software bill of materials (SBOM) provides visibility into the software supply chain and any license compliance, security, and quality risks that may exist.
+
+Starting in {{site.mesh_product_name}} 2.7.0, we are generating SBOMs for our artifact images and binaries.
+You can learn more about this from our software bill of materials knowledge base page:
+
+* [{{site.mesh_product_name}} 2.7.0 SBOM](https://support.konghq.com/support/s/article/SBOM-Artifacts-for-Kong-Mesh-2.7.0).
+* [{{site.mesh_product_name}} 2.8.0 SBOM](https://support.konghq.com/support/s/article/SBOM-Artifacts-for-Kong-Mesh-2.8.0).