Software supply chain is a collective term for the continuous integration and delivery pipelines, together with the observability tools, that track what happens to a piece of code from the moment it is checked into source control to the moment it is deployed, and everywhere in between. Grafeas (https://grafeas.io/) is an open-source artifact metadata API for auditing and governing your software supply chain; it is built as an industry standard for storing and retrieving metadata about software resources. Kritis (https://github.com/grafeas/kritis) is an open-source solution for securing the software supply chain of Kubernetes applications: it enforces deploy-time security policies using the metadata stored in Grafeas.
This talk discusses the goals of each of the two open-source projects, walks through examples of how they can be used to secure your company's software supply chain, and concludes with the details of current and future development.
15. Software Supply Chain Management
What happens to code from source to deployment?
Pipeline stages (diagram): Write code, Code Checkin, Build Image, Test & Verification, QA, Deploy to Production
16. Software Supply Chain Management
What happens to code from source to deployment?
CI/CD pipelines, observability tools
78. Observability with Kritis
When did the image deploy?
When did the image pass policy checks?
When did the image stop satisfying policy?
79. Kritis
Open source, built with the community
Plugs into the k8s admission controller
Attest images and verify before deployment
Apply consistent deploy policy across k8s environments
github.com/grafeas/kritis
kritis-users@googlegroups.com
87. Grafeas: Terminology
● Notes: high-level description of types of metadata
○ e.g. Common Vulnerabilities and Exposures (CVE) as Vulnerability Note
● Occurrences: instance of a note in an artifact
○ e.g. CVE presence in an image
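The Kritis slide above says it attests images and verifies them before deployment, and the terminology slide describes the Grafeas model those checks run over: one Vulnerability Note per CVE, and one Occurrence per image that carries it. The Go program below is an added example written for this page; it is not Grafeas or Kritis source code. It models notes and occurrences as plain structs rather than the generated proto types, and evaluates a simplified deploy-time policy in the spirit of Kritis (a severity ceiling, a CVE allowlist and a required attestation note; the field names are this example's, not the Kritis CRD schema) against constructed metadata for two images. Notes that are missing from the store and severities that are not in the known ordering are treated as violations, so the decision fails closed.

```go
package main

import (
	"fmt"
	"sort"
)

// Note: the high-level description of one kind of metadata; a CVE is described once, however many images carry it.
type Note struct {
	Name     string // e.g. "providers/example-vulnz/notes/CVE-2019-0001" (constructed)
	Kind     string // "VULNERABILITY" or "ATTESTATION"
	Severity string // MINIMAL..CRITICAL; set only on VULNERABILITY notes
}

// Occurrence: an instance of a Note in one artifact ("this CVE is in this image", "this authority attested this image").
type Occurrence struct {
	NoteName    string
	ResourceURI string // the image, pinned by digest
}

// Policy is a simplified model of a Kritis deploy-time policy (this example's field names, not the CRD schema):
// a severity ceiling, an allowlist of accepted CVE notes, and the attestation note an image must carry ("" = none required).
type Policy struct {
	MaximumSeverity         string
	AllowlistCVEs           map[string]bool
	RequiredAttestationNote string
}

// severityRank orders the Grafeas severity levels; a level not listed here exceeds every ceiling (fail closed).
var severityRank = map[string]int{"MINIMAL": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

func exceeds(sev, max string) bool {
	r, ok := severityRank[sev]
	return !ok || r > severityRank[max]
}

// Evaluate is the admission decision for one image: admit, plus the reasons for denial.
// It fails closed: an occurrence whose note is missing from the store is a violation, not something to skip.
func Evaluate(p Policy, image string, notes map[string]Note, occs []Occurrence) (bool, []string) {
	var reasons []string
	attested := false
	for _, o := range occs {
		n, ok := notes[o.NoteName]
		switch {
		case o.ResourceURI != image:
			// metadata about some other artifact
		case !ok:
			reasons = append(reasons, "occurrence references unknown note "+o.NoteName)
		case n.Kind == "ATTESTATION" && n.Name == p.RequiredAttestationNote:
			attested = true
		case n.Kind == "VULNERABILITY" && !p.AllowlistCVEs[n.Name] && exceeds(n.Severity, p.MaximumSeverity):
			reasons = append(reasons, fmt.Sprintf("%s is %s, above the %s ceiling", n.Name, n.Severity, p.MaximumSeverity))
		}
	}
	if p.RequiredAttestationNote != "" && !attested {
		reasons = append(reasons, "no attestation occurrence for "+p.RequiredAttestationNote)
	}
	sort.Strings(reasons) // deterministic order for logs and tests
	return len(reasons) == 0, reasons
}

// Constructed sample data standing in for a Grafeas server's answers; CVE ids and digests are placeholders.
const (
	ImageA       = "https://gcr.io/example/app@sha256:aaaa"
	ImageB       = "https://gcr.io/example/app@sha256:bbbb"
	notePrefix   = "providers/example-vulnz/notes/"
	attestorNote = "projects/example/notes/qa-attestor"
)

func SampleStore() (Policy, map[string]Note, []Occurrence) {
	notes := map[string]Note{attestorNote: {Name: attestorNote, Kind: "ATTESTATION"}}
	for id, sev := range map[string]string{"CVE-2019-0001": "CRITICAL", "CVE-2019-0002": "LOW", "CVE-2019-0003": "HIGH"} {
		notes[notePrefix+id] = Note{Name: notePrefix + id, Kind: "VULNERABILITY", Severity: sev}
	}
	occs := []Occurrence{
		{notePrefix + "CVE-2019-0001", ImageA}, // CRITICAL: above the MEDIUM ceiling
		{notePrefix + "CVE-2019-0002", ImageA}, // LOW: within policy
		{notePrefix + "CVE-2019-9999", ImageA}, // no such note in the store: fail closed
		{notePrefix + "CVE-2019-0003", ImageB}, // HIGH, but allowlisted
		{notePrefix + "CVE-2019-0002", ImageB},
		{attestorNote, ImageB}, // QA attestation present
	}
	policy := Policy{
		MaximumSeverity:         "MEDIUM",
		AllowlistCVEs:           map[string]bool{notePrefix + "CVE-2019-0003": true},
		RequiredAttestationNote: attestorNote,
	}
	return policy, notes, occs
}

func main() {
	policy, notes, occs := SampleStore()
	for _, img := range []string{ImageA, ImageB} {
		admit, reasons := Evaluate(policy, img, notes, occs)
		fmt.Printf("%s admit=%v %v\n", img, admit, reasons)
	}
}
```

ImageA is denied for three independent reasons (a CRITICAL finding above the ceiling, an occurrence pointing at a note the store does not know, and no QA attestation), while ImageB is admitted because its only finding above the ceiling is explicitly allowlisted and the required attestation occurrence is present. Keying policy on the Grafeas note name rather than on a bare CVE string is deliberate: it ties the allowlist to a specific provider's description of the vulnerability.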
93. Grafeas: Deployment Note
// An artifact that can be deployed in some runtime.
message DeploymentNote {
  // Required. Resource URI for the artifact being deployed.
  repeated string resource_uri = 1;
}
94. Grafeas: Deployment Occurrence
// The period during which some deployable was active in a runtime.
message DeploymentOccurrence {
  // Identity of the user that triggered this deployment.
  string user_email = 1;
  // Required. Beginning of the lifetime of this deployment.
  google.protobuf.Timestamp deploy_time = 2;
  // Output only. Resource URI for the artifact being deployed taken
  // from the deployable field with the same name.
  repeated string resource_uri = 6;
  ...
}
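The Deployment Occurrence is the record that lets the observability questions from the Kritis slide above be answered: when did the image deploy, when did it pass policy checks, and when did it stop satisfying policy. The Go program below is an added example written for this page, not Grafeas or Kritis code. It models DeploymentOccurrence as a plain struct carrying the fields shown above plus undeploy_time and address (both exist in the Grafeas proto but are elided in the excerpt), records each policy evaluation as a PolicyCheck (an assumption modeled on Kritis's admission check and its later re-checks of running images), and correlates the two to answer the three questions and the one they lead to: which deployments were live at the moment the image stopped satisfying policy. All data is constructed.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// DeploymentOccurrence is a Go model of the Grafeas DeploymentOccurrence fields above (not the generated proto type);
// undeploy_time and address exist in the proto but are elided in the excerpt. A zero UndeployTime means still running.
type DeploymentOccurrence struct {
	ResourceURI  string
	UserEmail    string
	Address      string // runtime element hosting the deployment, e.g. cluster/namespace
	DeployTime   time.Time
	UndeployTime time.Time
}

// PolicyCheck records one evaluation of an image against deploy policy, at admission time or during a later
// re-check of an image already running (modeled on Kritis's admission and background checks; an assumption).
type PolicyCheck struct {
	ResourceURI string
	Time        time.Time
	Passed      bool
}

// Timeline answers the three observability questions for one image, plus the one they lead to:
// which deployments were live when the image stopped satisfying policy.
type Timeline struct {
	FirstDeploy    time.Time
	FirstPass      time.Time
	StoppedAt      time.Time // zero if the image never stopped satisfying policy
	ExposedDeploys []DeploymentOccurrence
}

// activeAt reports whether d was running at t.
func activeAt(d DeploymentOccurrence, t time.Time) bool {
	return !d.DeployTime.After(t) && (d.UndeployTime.IsZero() || d.UndeployTime.After(t))
}

// BuildTimeline correlates the deployment occurrences and policy checks recorded for image.
func BuildTimeline(image string, deps []DeploymentOccurrence, checks []PolicyCheck) Timeline {
	var tl Timeline
	sorted := append([]PolicyCheck(nil), checks...) // copy, then order chronologically so
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Time.Before(sorted[j].Time) }) // "first" is well defined
	for _, c := range sorted {
		switch {
		case c.ResourceURI != image: // a check on some other artifact
		case c.Passed && tl.FirstPass.IsZero():
			tl.FirstPass = c.Time
		case !c.Passed && !tl.FirstPass.IsZero() && tl.StoppedAt.IsZero():
			tl.StoppedAt = c.Time
		}
	}
	for _, d := range deps {
		if d.ResourceURI != image {
			continue
		}
		if tl.FirstDeploy.IsZero() || d.DeployTime.Before(tl.FirstDeploy) {
			tl.FirstDeploy = d.DeployTime
		}
		if !tl.StoppedAt.IsZero() && activeAt(d, tl.StoppedAt) {
			tl.ExposedDeploys = append(tl.ExposedDeploys, d)
		}
	}
	return tl
}

// Constructed sample data; the image digests, users, addresses and times are placeholders.
const ExampleImage = "https://gcr.io/example/app@sha256:cccc"

func at(day, hour int) time.Time { return time.Date(2019, 3, day, hour, 0, 0, 0, time.UTC) }

func SampleDeployments() []DeploymentOccurrence {
	return []DeploymentOccurrence{
		{ExampleImage, "alice@example.com", "prod-us/web", at(1, 9), at(2, 10)},
		{ExampleImage, "alice@example.com", "staging/web", at(1, 10), at(1, 11)}, // gone before the failing check
		{ExampleImage, "bob@example.com", "prod-eu/web", at(1, 12), time.Time{}},   // still running
	}
}

func SampleChecks() []PolicyCheck {
	return []PolicyCheck{
		{ExampleImage, at(1, 8), true},  // admission-time check passed
		{ExampleImage, at(2, 3), true},  // nightly re-check still passing
		{ExampleImage, at(2, 9), false}, // re-check fails: a newly published CVE exceeds the ceiling
		{"https://gcr.io/example/other@sha256:dddd", at(2, 9), false}, // never passed, so never "stopped"
	}
}

func main() {
	tl := BuildTimeline(ExampleImage, SampleDeployments(), SampleChecks())
	fmt.Println("deployed:", tl.FirstDeploy, "passed policy:", tl.FirstPass, "stopped satisfying policy:", tl.StoppedAt)
	for _, d := range tl.ExposedDeploys {
		fmt.Printf("exposed: %s (deployed by %s at %s)\n", d.Address, d.UserEmail, d.DeployTime)
	}
}
```

For the sample data the image first deployed on 1 March at 09:00, passed its admission check an hour earlier, and stopped satisfying policy at the 2 March 09:00 re-check; the staging deployment had already been undeployed by then, so only the two production deployments are reported as exposed. The "stopped satisfying" time is only defined after a pass, which is why an image that never passed policy yields a zero StoppedAt rather than a misleading timestamp.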
96. Grafeas
Open artifact metadata standard with contributions from the industry
Audit and govern your software supply chain
Knowledge base for on-premises and cloud clusters
API with pluggable storage backends
github.com/grafeas/grafeas
grafeas-users@googlegroups.com
grafeas-dev@googlegroups.com
@Grafeasio
103. Features 0.1.0
● Grafeas:
○ Helm chart for Grafeas & published image
○ Standalone Grafeas server with Postgres storage backend
○ Basic support for Go client library
104. Features 0.1.0
● Kritis:
○ GenericAttestationPolicy
○ Default admittance fallback policy is well-defined
○ Configurable
105. Learn more and follow along!
github.com/grafeas/{grafeas,kritis}
Google Groups: {grafeas,kritis}-users, grafeas-dev
@grafeasio
0.1.0
#talk-aysylu-greenberg