feat(slsa/provenance)[SEC-1079]: Add cloudsmith links for mesh slsa a…

…ssets

app/_src/mesh/features/index.md

@@ -62,14 +62,14 @@ You can [install {{site.mesh_product_name}} on Windows](/mesh/{{page.release}}/i
 
 ## Docker container image signing
 
-Starting with {{site.mesh_product_name}} 2.7.0, Docker container images are signed, and can be verified using `cosign` with signatures published to a Docker Hub repository. Read the [Verify signatures for Signed Mesh Images](/mesh/{{ page.release }}/features/signed-images/) documentation to learn more.
+Starting with {{site.mesh_product_name}} 2.7.4, Docker container images are signed, and can be verified using `cosign` with signatures published to a Docker Hub repository. Read the [Verify signatures for Signed Mesh Images](/mesh/{{ page.release }}/features/signed-images/) documentation to learn more.
 {% endif_version %}
 
 {% if_version gte:2.7.x %}
 
 ## Build provenance
 
-Starting with {{site.mesh_product_name}} 2.7.0, {{site.mesh_product_name}} produces build provenance for Docker container images and binaries and can be verified using `cosign` / `slsa-verifier`.
+Starting with {{site.mesh_product_name}} 2.7.4, {{site.mesh_product_name}} produces build provenance for Docker container images and binaries and can be verified using `cosign` / `slsa-verifier`.
 
 * Read the [Verify Build Provenance for Signed Mesh Images](/mesh/{{ page.release }}/features/provenance-verification-images/) to learn more.
 * Read the [Verify Build Provenance for Signed Mesh Binaries](/mesh/{{ page.release }}/features/provenance-verification-binaries/) to learn more.

app/_src/mesh/features/provenance-verification-binaries.md

@@ -3,7 +3,7 @@ title: Verify Build Provenance for Kong Mesh Binaries
 badge: enterprise
 ---
 
-Starting with 2.7.0, {{site.mesh_product_name}} produces build provenance for binary artifacts, which can be verified using `cosign` / `slsa-verifier` with attestations published to a Docker Hub repository.
+Starting with 2.7.4, {{site.mesh_product_name}} produces build provenance for binary artifacts, which can be verified using `cosign` / `slsa-verifier` with attestations published to a Docker Hub repository.
 
 This guide provides steps to verify build provenance for signed {{site.mesh_product_name}} binary artifacts in two different ways:
 
@@ -19,6 +19,9 @@ For the complete example, you need the same details as the minimal example, as w
 | `<repo>` | GitHub repository | `kong-mesh` |
 | `<workflow name>` | GitHub workflow name | `build-test-distribute` |
 | `<workflow trigger>` | Github workflow trigger name | `push` |
+| `<version>` | Artifact version to download | `2.7.4` |
+| `<binary-files>` | Compressed binary files for the specified version | `kong-mesh-<version>-*-*.tar.gz` |
+| `<provenance-file>` | Binary provenance file | `kong-mesh.intoto.jsonl` |
 
 Because Kong uses GitHub Actions to build and release, Kong also uses GitHub's OIDC identity to generate build provenance for binary artifacts, which is why many of these details are GitHub-related.
 
@@ -30,9 +33,15 @@ For both examples, you need to:
 
 1. Ensure `slsa-verifier` is installed.
 
-2. [Download binary artifacts]() of {{site.mesh_product_name}}
+2. [Download security assets](https://cloudsmith.io/~kong/repos/kong-mesh-binaries-release/packages/?q=name%3Asecurity-assets*+version%3A%3E%3D2.7.4) for the required version of {{site.mesh_product_name}} binaries 
 
-3. [Download provenance file for binary artifacts]() of {{site.mesh_product_name}}
+3. Extract the downloaded `security-assets.tar.gz` to access the provenance file `kong-mesh.intoto.jsonl`
+
+   ```sh
+   tar -xvzf security-assets.tar.gz
+   ```
+
+4. [Download compressed binaries](https://cloudsmith.io/~kong/repos/kong-mesh-binaries-release/packages/?q=name%3Akong-mesh-*+version%3A%3E%3D2.7.4) for the required version  of {{site.mesh_product_name}}
 
 {:.important .no-icon}
 > The GitHub owner is case-sensitive (`Kong/kong-mesh` vs `kong/kong-mesh`).
@@ -46,19 +55,19 @@ Run the `slsa-verifier verify-artifact...` command:
 ```sh
 slsa-verifier verify-artifact \
    --print-provenance \
-   --provenance-path '<path to binary-provenance-file>' \
+   --provenance-path '<provenance-file>' \
    --source-uri 'github.com/Kong/<repo>' \
-   '<path to binary-artifact>.tar.gz'
+   <binary-files>
 ```
 
-Here's the same example using sample values instead of placeholders where the download path is assumed to `/tmp`:
+Here's the same example using sample values instead of placeholders:
 
 ```sh
 slsa-verifier verify-artifact \
    --print-provenance \
-   --provenance-path '/tmp/<binary-provenance-file>.intoto.jsonl' \
-   --source-uri 'github.com/Kong/<repo>' \
-   '/tmp/<binary-artifact>.tar.gz'
+   --provenance-path 'kong-mesh.intoto.jsonl' \
+   --source-uri 'github.com/Kong/kong-mesh' \
+   kong-mesh-2.7.4-*-*.tar.gz
 ```
 
 The command will print "Verified SLASA provenance" if successful:
@@ -77,19 +86,19 @@ Run the `slsa-verifier verify-artifact ...` command:
 ```sh
 slsa-verifier verify-artifact \
    --print-provenance \
-   --provenance-path '<path to binary-provenance-file>' \
+   --provenance-path '<provenance-file>' \
    --source-uri 'github.com/Kong/<repo>' \
-   --source-tag '<release-tag-version>' \
-   '<path to binary-artifact>.tar.gz'
+   --source-tag '<version>' \
+   <binary-files>
 ```
 
-Here's the same example using sample values instead of placeholders where the download path is assumed to `/tmp`:
+Here's the same example using sample values instead of placeholders:
 
 ```sh
 slsa-verifier verify-artifact \
    --print-provenance \
-   --provenance-path '/tmp/<binary-provenance-file>.intoto.jsonl' \
-   --source-uri 'github.com/Kong/<repo>' \
-   --source-tag '2.7.0' \
-   '/tmp/<binary-artifact>.tar.gz'
+   --provenance-path 'kong-mesh.intoto.jsonl' \
+   --source-uri 'github.com/Kong/kong-mesh' \
+   --source-tag '2.7.4' \
+   kong-mesh-2.7.4-*-*.tar.gz
 ```

app/_src/mesh/features/provenance-verification-images.md

@@ -3,7 +3,7 @@ title: Verify Build Provenance for Signed Kong Mesh Images
 badge: enterprise
 ---
 
-Starting with 2.7.0, {{site.mesh_product_name}} produces build provenance for docker container images, which can be verified using `cosign` / `slsa-verifier` with attestations published to a Docker Hub repository.
+Starting with 2.7.4, {{site.mesh_product_name}} produces build provenance for docker container images, which can be verified using `cosign` / `slsa-verifier` with attestations published to a Docker Hub repository.
 
 This guide provides steps to verify build provenance for signed {{site.mesh_product_name}} Docker container images in two different ways:
 
@@ -22,6 +22,7 @@ For the complete example, you need the same details as the minimal example, as w
 | `<repo>` | GitHub repository | `kong-mesh` |
 | `<workflow name>` | GitHub workflow name | `build-test-distribute` |
 | `<workflow trigger>` | Github workflow trigger name | `push` |
+| `<version>` | Artifact version to download | `2.7.4` |
 
 Because Kong uses GitHub Actions to build and release, Kong also uses GitHub's OIDC identity to generate build provenance for container images, which is why many of these details are GitHub-related.
 
@@ -70,7 +71,7 @@ Here's the same example using sample values instead of placeholders:
 
 ```sh
 cosign verify-attestation \
-   'kumahq/kuma-cp:2.7.0-testprov@sha256:865d9e92fe793d827f20e3c84ff20630a994ae21701ef8b1342bd5418de946eb' \
+   'kong/kuma-cp:2.7.4@sha256:<manifest_digest>' \
    --type='slsaprovenance' \
    --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
    --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$'
@@ -99,9 +100,9 @@ Here's the same example using sample values instead of placeholders:
 
 ```sh
 slsa-verifier verify-image \
-   'kumahq/kuma-cp:2.7.0-testprov@sha256:865d9e92fe793d827f20e3c84ff20630a994ae21701ef8b1342bd5418de946eb' \
+   'kong/kuma-cp:2.7.4@sha256:<manifest_digest>' \
    --print-provenance \
-   --source-uri 'github.com/kumahq/kuma'
+   --source-uri 'github.com/Kong/kong-mesh'
 ```
 
 The command will print "Verified SLASA provenance" if successful:
@@ -132,11 +133,11 @@ Here's the same example using sample values instead of placeholders:
 
 ```sh
 cosign verify-attestation \
-   'kumahq/kuma-cp:2.7.0-testprov@sha256:865d9e92fe793d827f20e3c84ff20630a994ae21701ef8b1342bd5418de946eb' \
+   'kong/kuma-cp:2.7.4@sha256:<manifest_digest>' \
    --type='slsaprovenance' \
    --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
    --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
-   --certificate-github-workflow-repository='kumahq/kuma' \
+   --certificate-github-workflow-repository='Kong/kong-mesh' \
    --certificate-github-workflow-name='build-test-distribute' \
    --certificate-github-workflow-trigger='push'
 ```
@@ -150,15 +151,15 @@ slsa-verifier verify-image \
    <image>:<tag>@sha256:<manifest_digest> \
    --print-provenance \
    --source-uri 'github.com/Kong/<repo>' \
-   --source-tag '<release-tag-version>'
+   --source-tag '<version>'
 ```
 
 Here's the same example using sample values instead of placeholders:
 
 ```sh
 slsa-verifier verify-image \
-   'kumahq/kuma-cp:2.7.0-testprov@sha256:865d9e92fe793d827f20e3c84ff20630a994ae21701ef8b1342bd5418de946eb' \
+   'kong/kuma-cp:2.7.4@sha256:<manifest_digest>' \
    --print-provenance \
-   --source-uri 'github.com/kumahq/kuma' \
-   --source-tag '2.7.0-testprov'
+   --source-uri 'github.com/Kong/kong-mesh' \
+   --source-tag '2.7.4'
 ```

app/_src/mesh/features/signed-images.md

@@ -3,7 +3,7 @@ title: Verify Signatures for Signed Kong Mesh Images
 badge: enterprise
 ---
 
-Starting with {{site.mesh_product_name}} 2.7.0, Docker container images are now signed using `cosign` with signatures published to a Docker Hub repository.
+Starting with {{site.mesh_product_name}} 2.7.4, Docker container images are now signed using `cosign` with signatures published to a Docker Hub repository.
 
 This guide provides steps to verify signatures for signed {{site.mesh_product_name}} Docker container images in two different ways:
 
@@ -56,7 +56,7 @@ Here's the same example using sample values instead of placeholders:
 
 ```sh
 cosign verify \
-   'kong/kuma-cp:2.7.0-preview.v579166351@sha256:4382a3879994a08df804e0007431907d014f9d4899efb4fb5cedf292f14e6a4a' \
+   'kong/kuma-cp:2.7.4-preview.v6b466331d@sha256:76d59540e50c4bb1d6c5f33bc7aaf03add74f97e7efcb416a04d7fde86e86d0c' \
    --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
    --certificate-identity-regexp='https://github.com/Kong/kong-mesh/.github/workflows/kuma-_build_publish.yaml'
 ```
@@ -76,7 +76,7 @@ Here's the same example using sample values instead of placeholders:
 
 ```sh
 cosign verify \
-   'kong/kuma-cp:2.7.0-preview.v579166351@sha256:4382a3879994a08df804e0007431907d014f9d4899efb4fb5cedf292f14e6a4a' \
+   'kong/kuma-cp:2.7.4-preview.v6b466331d@sha256:76d59540e50c4bb1d6c5f33bc7aaf03add74f97e7efcb416a04d7fde86e86d0c' \
    --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
    --certificate-identity-regexp='https://github.com/Kong/kong-mesh/.github/workflows/kuma-_build_publish.yaml' \
    -a repo='Kong/kong-mesh' \

app/_src/mesh/sbom.md

@@ -5,8 +5,20 @@ toc: false
 
 A software bill of materials (SBOM) is an inventory of all software components (proprietary and open source), open source licenses, and dependencies in a given product. A software bill of materials (SBOM) provides visibility into the software supply chain and any license compliance, security, and quality risks that may exist.
 
-Starting in {{site.mesh_product_name}} 2.7.0, we are generating SBOMs for our artifact images and binaries.
-You can learn more about this from our software bill of materials knowledge base page:
+Starting in {{site.mesh_product_name}} 2.7.4, we are generating SBOMs for {{site.mesh_product_name}} and docker container images.
 
-* [{{site.mesh_product_name}} 2.7.0 SBOM](https://support.konghq.com/support/s/article/SBOM-Artifacts-for-Kong-Mesh-2.7.0).
-* [{{site.mesh_product_name}} 2.8.0 SBOM](https://support.konghq.com/support/s/article/SBOM-Artifacts-for-Kong-Mesh-2.8.0).
+1. Download the security assets for the required version of {{site.mesh_product_name}}
+
+   * [2.7.4 Security Assets](https://cloudsmith.io/~kong/repos/kong-mesh-binaries-release/packages/?q=name%3Asecurity-assets+version%3A2.7.4)
+   * [2.8.0 Security Assets](https://cloudsmith.io/~kong/repos/kong-mesh-binaries-release/packages/?q=name%3Asecurity-assets+version%3A2.8.0)
+
+2. Extract the downloaded `security-assets.tar.gz`
+
+    ```sh
+    tar -xvzf security-assets.tar.gz
+    ```
+
+3. Access the below SBOMs:
+
+   * `sbom.spdx.json` and `sbom.cyclonedx.json` are the SBOM files for {{site.mesh_product_name}}
+   * `image_<image_name>-*.spdx.json` and `image_<image_name>-*.cyclonedx.json` are the SBOM files for Docker Container Images of {{site.mesh_product_name}}