Software supply chain is a collective term for the continuous integration and delivery pipelines, together with the observability tools that track what happens to a piece of code from the moment it is in source control to the moment it is deployed, and everywhere in between. Grafeas is an open-source artifact metadata API to audit and govern your software supply chain. It is built as an industry standard for storing and retrieving metadata about software resources. Kritis is an open-source solution for securing your software supply chain for Kubernetes applications. It enforces deploy-time security policies using Grafeas.
This talk will discuss the goals of each of the two open-source projects, dive into examples of how they can be used to secure your company's software supply chain, and conclude with details of current and future development.
16. Grafeas: Terminology
● Notes: high-level description of a type of metadata
○ e.g. a Common Vulnerabilities and Exposures (CVE) entry as a Vulnerability Note
● Occurrences: an instance of a note in an artifact
○ e.g. the presence of a CVE in an image
20. Grafeas: Deployment Note
// An artifact that can be deployed in some runtime.
message DeploymentNote {
  // Required. Resource URI for the artifact being deployed.
  repeated string resource_uri = 1;
}
21. Grafeas: Deployment Occurrence
// The period during which some deployable was active in a runtime.
message DeploymentOccurrence {
  // Identity of the user that triggered this deployment.
  string user_email = 1;
  // Required. Beginning of the lifetime of this deployment.
  google.protobuf.Timestamp deploy_time = 2;
  // Output only. Resource URI for the artifact being deployed, taken
  // from the deployable field with the same name.
  repeated string resource_uri = 6;
  ...
}
22. Grafeas
● Open artifact metadata standard with contributions from the industry
● Audit and govern your software supply chain
● Knowledge base for on-premises and cloud clusters
● API with pluggable storage backends
github.com/grafeas/grafeas
grafeas-users@googlegroups.com
grafeas-dev@googlegroups.com
@Grafeasio
67. Kritis
● Open source, built with the community
● Plugs into the k8s admission controller
● Ensure vulnerability scanning before deployment
● Attest images and verify before deployment
● Apply a consistent deploy policy across k8s environments
github.com/grafeas/kritis
kritis-users@googlegroups.com
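The notes/occurrences model from the terminology slide and the deploy-time check on the Kritis slide, as an added example that is not code from either project: the types are assumed illustration shapes rather than the grafeas Go client library, the policy is a simplified Kritis-style rule (attested images pass, otherwise any vulnerability occurrence at or above a severity threshold denies, and images with no recorded metadata or with unresolvable notes fail closed), and all note names, image URIs and severities are constructed sample values.

```go
package main
// Assumed illustration types, not the grafeas Go client library: a Note describes
// a kind of metadata, an Occurrence is its instance in an artifact such as an image.
type Note struct {
	Name     string // constructed id, e.g. "notes/CVE-0000-0001"
	Kind     string // "VULNERABILITY" or "ATTESTATION"
	Severity int    // constructed ordinal: 0=LOW, 1=MEDIUM, 2=HIGH, 3=CRITICAL
}
type Occurrence struct{ NoteName, ResourceURI string }
// Admit is a simplified Kritis-style deploy-time check (assumed, not Kritis's own code):
// an image carrying an occurrence of attestNote is admitted; otherwise it is denied if
// any vulnerability reaches maxSev. Never-scanned images and unknown notes fail closed.
func Admit(notes map[string]Note, occs []Occurrence, image, attestNote string, maxSev int) (bool, []string) {
	var attested, seen bool
	var reasons []string
	for _, o := range occs {
		if o.ResourceURI != image {
			continue
		}
		seen = true
		n, ok := notes[o.NoteName]
		switch {
		case !ok:
			reasons = append(reasons, "unresolvable note "+o.NoteName)
		case n.Kind == "ATTESTATION" && n.Name == attestNote:
			attested = true
		case n.Kind == "VULNERABILITY" && n.Severity >= maxSev:
			reasons = append(reasons, n.Name+" is at or above the severity threshold")
		}
	}
	switch {
	case attested:
		return true, nil // the pipeline's attestation vouches for this image
	case !seen:
		reasons = append(reasons, "no metadata recorded for "+image)
	}
	return len(reasons) == 0, reasons
}
// SampleData is constructed fixture data, not real scanner output.
func SampleData() (map[string]Note, []Occurrence) {
	notes := map[string]Note{
		"notes/CVE-0000-0001":  {"notes/CVE-0000-0001", "VULNERABILITY", 2}, // HIGH
		"notes/build-attestor": {"notes/build-attestor", "ATTESTATION", 0},
	}
	return notes, []Occurrence{
		{"notes/CVE-0000-0001", "gcr.io/demo/app@sha256:aaaa"}, // scanned, unattested
		{"notes/CVE-0000-0001", "gcr.io/demo/app@sha256:cccc"}, // same CVE, but attested
		{"notes/build-attestor", "gcr.io/demo/app@sha256:cccc"},
	}
}
```

Calling Admit with maxSev set to 2 denies the unattested image and admits the attested one; raising the threshold to 3 admits the unattested image because its only finding is HIGH.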
73. Features in 0.1.0
● Grafeas:
○ Helm chart for Grafeas & published image
○ Standalone Grafeas server with Postgres storage backend
○ Basic support for the Go client library
● Kritis:
○ GenericAttestationPolicy
○ Default admittance fallback policy is well-defined
○ Configurable
74. Learn more and follow along!
github.com/grafeas/{grafeas,kritis}
Google Groups: {grafeas,kritis}-users, grafeas-dev
@grafeasio
Thank you!