GitHub improves supply chain security with general availability of Artifact Attestations


GitHub is taking a step forward to help companies improve supply chain security with the release of Artifact Attestations. This new feature lets GitHub users verify the integrity of GitHub Actions artifacts before they choose to deploy them into their Kubernetes cluster.

Artifacts in GitHub are files or collections of files that were created during a workflow run, such as build or test output.

Attestations include a link to the workflow associated with the artifact, along with other related information like its repository, organization, environment, commit SHA, and triggering event.

According to GitHub, Artifact Attestations are powered by Sigstore, which is an open source project that enables software artifacts to be signed and verified to promote greater software integrity.

Along with this general availability release, GitHub is also now offering a new way to build Kubernetes admission controllers that lets developers validate attestations from within Kubernetes clusters. According to GitHub, this ensures that only properly validated artifacts get deployed.

"By integrating Artifact Attestations into your GitHub Actions workflows, you enhance the security of your development and deployment processes, protecting against supply chain attacks and unauthorized modifications," GitHub wrote in a blog post.
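To make concrete what "validating an attestation" means beyond checking a signature, here is an added example (not code from the article or from GitHub) of the claim inspection a pre-deploy gate or admission policy performs on an attestation: it unwraps the in-toto statement from the DSSE envelope, confirms the artifact's SHA-256 is the attested subject, and checks that the build came from the expected repository and an allowed triggering event. It assumes the field layout of SLSA provenance v1 as GitHub's attestations carry it (`predicate.buildDefinition.externalParameters.workflow.repository`, `internalParameters.github.event_name`), and it assumes the Sigstore signature and certificate chain were already verified by the `gh` CLI or the policy controller, which it does not reimplement. The bundle it inspects is constructed inline and unsigned.

```python
import base64
import hashlib
import json

# Identifiers used by GitHub's SLSA v1 provenance attestations (assumed layout).
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sample_bundle(artifact: bytes, repository: str, event_name: str) -> dict:
    """Build a CONSTRUCTED, unsigned stand-in for the dsseEnvelope of a Sigstore
    bundle, shaped like the SLSA v1 provenance GitHub attaches to an artifact.
    Real bundles also carry signatures and verification material; those are
    omitted because this example does not perform signature checking."""
    statement = {
        "_type": IN_TOTO_STATEMENT_V1,
        "subject": [{"name": "app.tar.gz", "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "externalParameters": {
                    "workflow": {
                        "ref": "refs/heads/main",
                        "repository": repository,
                        "path": ".github/workflows/release.yml",
                    }
                },
                "internalParameters": {"github": {"event_name": event_name}},
            }
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"dsseEnvelope": {"payloadType": DSSE_PAYLOAD_TYPE,
                             "payload": payload, "signatures": []}}


def decode_statement(bundle: dict) -> dict:
    """Unwrap the in-toto statement from a DSSE envelope.
    Assumes the envelope signature and Sigstore certificate chain were already
    verified (e.g. by `gh attestation verify`); only claim inspection follows."""
    env = bundle["dsseEnvelope"]
    if env.get("payloadType") != DSSE_PAYLOAD_TYPE:
        raise ValueError(f"unexpected DSSE payloadType: {env.get('payloadType')!r}")
    return json.loads(base64.b64decode(env["payload"]))


def check_provenance(statement: dict, artifact: bytes, expected_repository: str,
                     allowed_events=("push",)) -> list:
    """Return a list of policy violations; an empty list means the artifact is
    admissible. The checks mirror what a deploy gate enforces: the artifact is
    the attested subject, it was built from the expected repository, and it was
    produced by an allowed triggering event."""
    errors = []
    if statement.get("_type") != IN_TOTO_STATEMENT_V1:
        errors.append("statement: not an in-toto v1 statement")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        errors.append("predicate: not SLSA provenance v1")

    # The artifact being deployed must be one of the attested subjects.
    digest = sha256_hex(artifact)
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        errors.append("subject: artifact sha256 does not match any attested subject")

    # Provenance must name the repository we expect, not a fork or other project.
    build = statement.get("predicate", {}).get("buildDefinition", {})
    repository = build.get("externalParameters", {}).get("workflow", {}).get("repository")
    if repository != expected_repository:
        errors.append(f"repository: {repository!r} != {expected_repository!r}")

    # Only builds from allowed triggers (e.g. push to the release branch) are accepted.
    event = build.get("internalParameters", {}).get("github", {}).get("event_name")
    if event not in allowed_events:
        errors.append(f"event: {event!r} not in allowed events {list(allowed_events)}")
    return errors


if __name__ == "__main__":
    artifact = b"constructed artifact bytes"
    repo = "https://github.com/example-org/example-app"  # hypothetical repository
    bundle = make_sample_bundle(artifact, repo, "push")
    print("clean build:", check_provenance(decode_statement(bundle), artifact, repo))
    print("tampered artifact:", check_provenance(decode_statement(bundle), artifact + b"x", repo))
```

The artifact digest check is what ties the attestation to the bytes actually being deployed; the repository and event checks are what stop a validly signed attestation from a different project or from an untrusted trigger being accepted. In production these checks run only after Sigstore verification succeeds, and the expected repository should be pinned in policy rather than taken from the attestation itself.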
