SLSA 3 compliance #1164

Open
4 tasks
nyrahul opened this issue Mar 15, 2023 · 0 comments
Labels: enhancement (New feature or request)

Comments

nyrahul (Contributor) commented Mar 15, 2023

Feature Request

Proposed by Google, SLSA (Supply Chain Levels for Software Artifacts) is a security framework and a check-list of standards and controls to prevent tampering, improve software supply chain integrity, and secure software packages and infrastructure in projects, businesses or enterprises. It is not a single tool, but a step-by-step outline to prevent artifacts from being tampered with and tampered artifacts from being used, and at the higher levels, to strengthen the platforms that make up a supply chain. Manufacturers follow the SLSA guidelines to safeguard their software, and users make decisions based on the security status of software packages.

KubeArmor is a security engine, thus it is imperative that it follows all the best practices of the supply chain methods. KubeArmor has already begun the journey by ensuring that the generated container images are signed and can be verified using cosign.

Tasks Involved

  • Understand SLSA 3 requirements
  • Fulfill the checklist for SLSA 3 requirements and identify the gaps
  • Create issues to handle the gaps
  • Track the gaps to closure and update the checklist.

Reference
Check how KubeEdge got the SLSA 3 compliance handled and follow a similar strategy.
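Added illustration (not KubeArmor's or KubeEdge's code): the consumer-side half of what SLSA 3 provenance buys you. After cosign or slsa-verifier has checked the signature on an image's provenance attestation, the decoded in-toto Statement still has to be checked against a policy: does it describe the exact image digest being deployed, was it produced by a trusted build service rather than a developer laptop, and was the build driven from the expected source repository at a pinned commit. The statement, digest, builder id and repository URI below are constructed placeholders; the checker assumes the SLSA v0.2 predicate layout.

```python
import hashlib
import json

SLSA_V02 = "https://slsa.dev/provenance/v0.2"

# Constructed sample artifact digest. A real consumer takes the image
# manifest digest reported by the registry or by cosign.
SAMPLE_DIGEST = hashlib.sha256(b"constructed sample artifact").hexdigest()

# Constructed in-toto Statement carrying a SLSA v0.2 provenance predicate.
# Builder id, repository URI and commit are placeholders, not real values.
SAMPLE_PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SLSA_V02,
    "subject": [
        {"name": "ghcr.io/example-org/example-image",
         "digest": {"sha256": SAMPLE_DIGEST}},
    ],
    "predicate": {
        "builder": {"id": "https://github.com/example-org/example-builder@refs/tags/v1.0.0"},
        "buildType": "https://example.invalid/buildtype/v1",
        "invocation": {
            "configSource": {
                "uri": "git+https://github.com/example-org/example-repo@refs/tags/v0.1.0",
                "digest": {"sha1": "0" * 40},
                "entryPoint": ".github/workflows/release.yml",
            },
        },
        "metadata": {
            "buildInvocationId": "constructed-run-1",
            "completeness": {"parameters": True, "environment": False, "materials": False},
            "reproducible": False,
        },
        "materials": [
            {"uri": "git+https://github.com/example-org/example-repo@refs/tags/v0.1.0",
             "digest": {"sha1": "0" * 40}},
        ],
    },
})


def check_provenance(statement_json, expected_digest, trusted_builder_ids, expected_source_uri):
    """Return a list of policy findings; an empty list means the provenance passes.

    Assumes the DSSE envelope's signature has already been verified by
    cosign/slsa-verifier, so only the statement's contents are checked here.
    """
    findings = []
    stmt = json.loads(statement_json)

    # Field layout below is specific to the v0.2 predicate; refuse anything else.
    if stmt.get("predicateType") != SLSA_V02:
        return [f"unsupported predicateType {stmt.get('predicateType')!r}"]

    # The provenance must describe the artifact we are about to deploy,
    # otherwise a valid attestation for some other image could be replayed.
    subject_digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if expected_digest not in subject_digests:
        findings.append("subject digest does not match the artifact being verified")

    pred = stmt.get("predicate", {})

    # SLSA 3 requires provenance generated by a trusted build platform.
    builder_id = pred.get("builder", {}).get("id")
    if builder_id not in trusted_builder_ids:
        findings.append(f"untrusted builder id {builder_id!r}")

    # The build must have been driven from the expected source at a pinned commit.
    cfg = pred.get("invocation", {}).get("configSource", {})
    if cfg.get("uri") != expected_source_uri:
        findings.append(f"configSource.uri {cfg.get('uri')!r} is not the expected source")
    if not cfg.get("digest", {}).get("sha1"):
        findings.append("configSource has no pinned source commit")

    # Materials should at least record the source that went into the build.
    if not pred.get("materials"):
        findings.append("no materials recorded")

    return findings


if __name__ == "__main__":
    trusted = {"https://github.com/example-org/example-builder@refs/tags/v1.0.0"}
    source = "git+https://github.com/example-org/example-repo@refs/tags/v0.1.0"
    print("findings:", check_provenance(SAMPLE_PROVENANCE, SAMPLE_DIGEST, trusted, source))
```

The digest comparison is the check most often skipped in practice: verifying that a provenance is signed by the right builder proves nothing about the image in front of you unless the statement's subject matches that image's digest.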

@nyrahul nyrahul added the enhancement New feature or request label Mar 15, 2023