SLSA Level 1 compliance for Istio Release Process #42517
Labels
area/test and release
kind/enhancement
lifecycle/staleproof
Indicates a PR or issue has been deemed to be immune from becoming stale and/or automatically closed
Comments
/cc
@puerco let us know once the prow support is in place for tejolote. Another option is https://github.com/testifysec/witness , have you explored?
cc @fkautz
knative/test-infra#3748 seems to be a good start for us, as this has prow integration. I will try this out and see how it goes
Looks like SLSA checklist has been updated: https://slsa.dev/spec/v1.0/whats-new
/not stale
Describe the feature request
SLSA is a security framework, a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises. The objective of this issue is to track the progress of the Istio Release Process to achieve SLSA Level 1 compliance. While most of the things seem to be already in place for Level 1 compliance, what is missing is a provenance attestation.
https://github.com/kubernetes-sigs/tejolote seems to be coming up with a provenance attestation framework which is soon going to support prow as well. It would be a good choice to add the attestation for Istio.
The compliance checklist for SLSA for Istio is tracked here.
Affected product area (please put an X in all that apply)
[ ] Ambient
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[X] Test and Release
[ ] User Experience
[ ] Developer Infrastructure