Supply chains security Expectations vs Reality

[lumjjb]

Description: We ask for supply chain best practices, SLSA, SBOMs, all that information.. so as to ask the question - does my software have a secure supply chain? But is that question just a pipe dream? Or can we break it down to tangible questions that we can tackle.

Impact: Being able to provide direction on what policies we want to create will help inform the data we need to produce and inform the models of attestation in the supply chain ecosystems.

Scope: Probably a month's work collecting ideas and writing them down.

Working Doc: https://docs.google.com/document/d/1_7ZDL1TtFEA4dfR3oaaVRLoWNcqthNN5h-G84y4ITkA/edit

Additional info:

• Reference to supporting material
• Links to related site
• Feel free to delete this section if you don't have more info

[JustinCappos]

Happy to contribute here.

[Caze121]

Happy to contribute here as well. We are currently doing this for our organisation as with capability milestones and deliverables along the secure supply chain best practices path.

[PushkarJ]

+1

[mlieberman85]

+1

[spiffcs]

Happy to contribute when we find a leader or organizer for this:

Some examples of policies that came up during the meeting to gate/inform/gather data on:

• How the artifact is built
• Who built it
• Who Approved it to get to x step
• What is the quality <-- (Larger question and sub tree on what metric -- vulnerabilities, secure code, license compliance, etc)
• Generated by which tools <-- Build provenance is also a large tree in and of itself

[nadgowdas]

+1

[jkjell]

I'd be glad to try and organize efforts around this. I've worked with quite a few folks in the thread in the Supply Chain Security working group.

[aks-alokraj]

I would like to contribute here.

[jkjell]

Project Schedule

TODO	Milestone	Estimated time	Actual date
	Audience, Goals, & broad scope	1 week
	Brainstorming & Refining Scope - Table Of Contents	2 weeks
	Tasking Assignment	1 week
	Content Rough-in	2-3 weeks
	Collaborative Review	2 weeks
	Executive Summary and content wrap up	2 weeks
	Narrative Voice	1-2 weeks
	Final Group Review	1 week
	Community Review / Public comment adjudication	2-3 weeks
	CNCF publishing engagement	~2-3 weeks
	Addition to the repo	1 week
	Blog post and publishing coordination	2-3 weeks

[jkjell]

Hello all,

On Thursday, February 16th, we're going to kick off the work for this issue during the CNCF TAG Security - Supply Chain WG meeting (11 am Eastern). The first step will be deciding on the Audience, Goals, & Broad scope. Then we will focus in on establishing the outline before distributing and working through the content sections.

If you have any questions, feel free to comment on the issue, or reach out in the CNCF Slack #tag-security-supply-chain-wg channel.

I hope you can join us!

https://github.com/cncf/tag-security/issues/987

Also sent to TAG Security email list.

[faisalrazzak]

+1

[yuji-watanabe-jp]

I would like to contribute to this topic.

[achetal01]

Will like to join this initiative, interesting work

[stale]

This issue has been automatically marked as inactive because it has not had recent activity.

[anvega]

This is tracked by the Supply Chain WG as regular business during their bi-weekly call. For status, see the WG meeting notes.