Skip to content

187 #192

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 12, 2025
Merged

187 #192

merged 1 commit into from
Oct 12, 2025

Conversation

@RAprogramm
Copy link
Owner

@RAprogramm RAprogramm commented Oct 12, 2025

Summary

Implemented enterprise-grade supply chain security features for the release workflow, including SBOM generation, Sigstore artifact signing, and build provenance attestations.

Changes

SBOM Generation

  • Integrated cargo-cyclonedx for CycloneDX SBOM generation
  • Automated SBOM creation for all published crates
  • SBOM uploaded to GitHub releases for transparency

Artifact Signing

  • Keyless signing using Sigstore/cosign with GitHub OIDC tokens
  • SBOM and crate artifacts signed with tamper-proof signatures
  • Signatures stored in public Rekor transparency log
  • No secret management required

Build Provenance

  • GitHub Actions attestations for build provenance
  • SLSA provenance standards compliance
  • Automated attestation generation for all artifacts

Security Artifact Management

  • Upload signed artifacts to GitHub releases
  • 90-day retention for audit trails
  • Comprehensive security artifact tracking

Benefits

  • Dependency Transparency: SBOM provides complete dependency visibility
  • Supply Chain Security: Cryptographic verification of all artifacts
  • Compliance: SLSA provenance for regulatory requirements
  • Zero Trust: No secret keys required, OIDC-based signing
  • Auditability: Public transparency log for all signatures

Test Plan

  • Workflow YAML validated
  • Local SBOM generation tested with cargo-cyclonedx
  • All tests pass (157 passed)
  • Build succeeds with no errors
  • No regression in existing functionality

Next Steps

  • Workflow will be tested on next release tag
  • Monitor Rekor transparency log for signature verification
  • Consider adding SBOM analysis tooling

Closes #187

@RAprogramm
#187 feat: add supply chain security with SBOM and Sigstore
95ed7ef 
Add enterprise-grade supply chain security features to release workflow:

- SBOM generation using cargo-cyclonedx (CycloneDX format)
- Keyless artifact signing with Sigstore/cosign
- Build provenance attestations via GitHub Actions
- Automated security artifact uploads to releases
- 90-day retention for audit trails

Security features:
- Dependency transparency via SBOM
- Tamper-proof signatures in Rekor transparency log
- No secret management required (OIDC-based signing)
- Compliance with SLSA provenance standards
@RAprogramm RAprogramm merged commit 51f3964 into main Oct 12, 2025
15 checks passed
@RAprogramm RAprogramm deleted the 187 branch October 12, 2025 07:52
@RAprogramm RAprogramm mentioned this pull request Oct 12, 2025
Closed
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Phase 3: Add supply chain security (SBOM + Sigstore)

2 participants

@RAprogramm