I was so excited (still am) about the v0.11 release of the @Docker #BuildKit ✨ With that release, creating an #SBOM and #SLSA provenance for your builds has never been easier!
I'm so glad to see that the @openpolicyagent #Gatekeeper project uses these 🥳✨
https://github.com/open-policy-agent/gatekeeper/blob/2835519d21bc1011483b015886e6a8d12c32f51f/Makefile#L105
#buildkit #SBOM #SLSA #gatekeeper
Give #Tekton Chains a try and realize how it could help you secure the software supply chain you set up on @tektoncd, which means that you will be 💃 #SLSA Level 2 compliant without any hassle ↙️ https://cd.foundation/blog/2022/10/18/tekton-chains/
I'm super glad to see that two great projects, #falcoctl and #paranoia, are now signed by another awesome project by @sigstore ✍️ #cosign and have 💃 #SLSA provenance available, thanks to @JamesLaverack and Luca Guerra! 🚀
1️⃣https://github.com/jetstack/paranoia/pull/91/files
2️⃣https://github.com/falcosecurity/falcoctl/pull/286
#falcoctl #paranoia #Cosign #SLSA
The v1.6.0 version of the "slsa-github-generator" project provided by the #SLSA community was released a day ago, which means that all my PRs are now ready to use 🥳🍹
Thanks to Laurent Simon, Asraa Ali and @ianlewis for helping me 🫶
Here is the full CHANGELOG!🚀
https://github.com/slsa-framework/slsa-github-generator/blob/v1.6.0/CHANGELOG.md#v160
One of the important specifications of the software supply chain security era is no doubt 💃 #SLSA, and finally it has reached the v1.0 release 🚀 So the tools that already generate SLSA provenance have to adopt that v1.0 release 💡 Here is the tracking issue ✅
https://github.com/slsa-framework/slsa/issues/574
Generating provenance for builds is one of the critical ways to trace software back to its source and hardware, and signing this metadata (attestation) proves its integrity! Great news: deps.dev has started to show 💃 #SLSA provenance info for npm packages!
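As an added example (not code from the original post, deps.dev, or the SLSA project), here is what the consumer side of that trace looks like: a SLSA v1.0 provenance statement (the in-toto Statement v1 envelope with the https://slsa.dev/provenance/v1 predicate) is checked against the bytes of the artifact it claims to describe, a set of trusted builder identities, and the expected source repository. The statement, artifact bytes, builder id, buildType and the `externalParameters.source` layout are all constructed and hypothetical; real buildTypes define their own externalParameters, so that last lookup must be adapted to the builder you trust. The check deliberately stops at the statement content: the DSSE envelope signature (for example a Sigstore/cosign signature) must be verified before any of this is meaningful, because an unsigned statement can say anything.

```python
import hashlib
import json

# Constructed sample artifact. Its digest is computed here so the example runs
# offline; in practice this is the release binary or image layer being installed.
ARTIFACT_BYTES = b"hypothetical release binary contents\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT_BYTES).hexdigest()

# Hypothetical source and builder identifiers (assumptions, not real services).
SOURCE_URI = "git+https://github.com/example/app@refs/tags/v1.2.3"
BUILDER_ID = "https://example.com/hypothetical/builder@v1"
TRUSTED_BUILDERS = {BUILDER_ID}

# Constructed SLSA v1.0 provenance statement (in-toto Statement v1 envelope),
# as it would appear after the DSSE signature has already been verified.
STATEMENT_JSON = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app-linux-amd64", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            # buildType and the shape of externalParameters are builder-specific;
            # the "source" key below is an assumption for this hypothetical builder.
            "buildType": "https://example.com/hypothetical/build-type@v1",
            "externalParameters": {
                "source": {"uri": SOURCE_URI, "digest": {"gitCommit": "0" * 40}},
            },
            "resolvedDependencies": [
                {"uri": SOURCE_URI, "digest": {"gitCommit": "0" * 40}},
            ],
        },
        "runDetails": {
            "builder": {"id": BUILDER_ID},
            "metadata": {"invocationId": "run-42"},
        },
    },
})


def verify_provenance(statement_json: str, artifact: bytes,
                      trusted_builders: set, expected_source_uri: str) -> list:
    """Check a (already signature-verified) SLSA v1 statement against an artifact.

    Returns a list of failure strings; an empty list means the artifact is
    listed as a subject, the builder is trusted, and the declared source matches.
    """
    failures = []
    stmt = json.loads(statement_json)

    # 1. Envelope and predicate types must be the SLSA v1.0 ones.
    if stmt.get("_type") != "https://in-toto.io/Statement/v1":
        failures.append(f"unexpected statement type: {stmt.get('_type')!r}")
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append(f"unexpected predicateType: {stmt.get('predicateType')!r}")

    # 2. The artifact we hold must be one of the statement's subjects, by digest.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = stmt.get("subject") or []
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        failures.append(f"artifact digest sha256:{digest} not listed in subject")

    # 3. The builder identity must be one we trust; anyone can emit a statement.
    pred = stmt.get("predicate") or {}
    builder_id = (pred.get("runDetails") or {}).get("builder", {}).get("id")
    if builder_id not in trusted_builders:
        failures.append(f"untrusted builder: {builder_id!r}")

    # 4. The build must declare the source we expect (layout is buildType-specific).
    ext = (pred.get("buildDefinition") or {}).get("externalParameters") or {}
    source_uri = (ext.get("source") or {}).get("uri")
    if source_uri != expected_source_uri:
        failures.append(f"unexpected source uri: {source_uri!r}")

    return failures


if __name__ == "__main__":
    ok = verify_provenance(STATEMENT_JSON, ARTIFACT_BYTES, TRUSTED_BUILDERS, SOURCE_URI)
    print("genuine artifact:", ok or "OK")
    tampered = verify_provenance(STATEMENT_JSON, ARTIFACT_BYTES + b"\x00",
                                 TRUSTED_BUILDERS, SOURCE_URI)
    print("tampered artifact:", tampered)
```

The digest comparison is what makes provenance useful to a consumer: a statement that does not name the exact bytes you are about to run says nothing about them. The builder allow-list is the other half; without it, an attacker who can run any builder could produce a well-formed statement for a malicious artifact.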
Deep diving into #SLSA today. Definitely worth it, so much good information and reference material. https://slsa.dev/spec/v1.0/
🚨 The security blog by #Google is true gold!
🚀🥳 It really helped me learn more about software supply chain security things including #deps.dev, #go, #SLSA, #SBOM, #scorecard, #distroless, and many more!
🧑🏻‍💻 I highly recommend you take a look at this blog!
https://security.googleblog.com/2023/04/celebrating-slsa-v10-securing-software.html
#google #deps #go #SLSA #SBOM #scorecard #distroless
🛎️🚨 In case you missed this, folx, do not forget to register for this event unless you want to miss talks about #SBOM, #Sigstore, #SLSA, and many more. It is FREE for virtual attendees, so what are you waiting for? Go and register! 🥳
#openssf #theopenssf #openssfday
https://events.linuxfoundation.org/openssf-day-north-america/register/
#SBOM #sigstore #SLSA #openssf #theopenssf #OpenSSFDay
☝️🚨 My latest newsletter has just been published with lots of great news 🥳
@Docker @cloudnativefdn @linuxfoundation @francescociull4 @aurelievache @ajeetraina @scottcjohnston @ianlewis #slsa #slsarc2 @hrittikhere #lift @sigstore #gsod @kcdturkey https://developerguy.substack.com/p/cncf-ambassador-23-docker-desktop
🎊 I'm super glad to see lots of great content related to software supply chain security on the @Docker official website, based on the recent development effort in #BuildKit v0.11 🥳
🔖 Build Attestations
📄 SBOM
🧾 #Provenance
💃 #SLSA
and many more 👇
https://docs.docker.com/build/attestations/
The @chainguard_dev team's Unchained blog is true gold 🎖
You can find lots of amazing resources if you are doing research on software supply chain security type of stuff:
💃#SLSA
🔖#provenance
📄#SBOM
and many more☝️
🏃‍♂️ I highly recommend you go and take a look at it!
https://www.chainguard.dev/unchained
Google somehow made #softwaresupplychain #SLSA catchy?
https://www.youtube.com/watch?v=NaR8WlLtPw0
Also looks like there might be a few Cloud-Native Easter eggs in there...
🚨 The v1.0 release of #SLSA is on the way, since RC2, the last release before v1.0, was announced recently 🥳 Before v1.0 lands, here is the issue tracking the projects that currently integrate #SLSA provenance generation, such as #buildx, #chains, and many more ⏰
https://github.com/slsa-framework/slsa/issues/574
☝️ If you want to become a contributor to the 💃 #SLSA generators like the trusted #Go, #Generic, #Container, and #Docker-based generators, you should add your e2e tests to the example-package repo. Thanks to @ianlewis for the detailed explanation of these 🤸
https://github.com/slsa-framework/example-package/blob/main/.github/workflows/README.md
#SLSA #go #generic #container #docker
🔔💃 #SLSA is a framework to help improve the integrity of your project throughout its development cycle, allowing consumers to trace the final piece of software you release all the way back to the source. Now be ready for the v1.0 release ⏰
➡️https://security.googleblog.com/2022/04/improving-software-supply-chain.html
RC2, the last release before the actual v1.0, is just out 🎊
https://slsa.dev/blog/2023/04/slsa-v1-rc2
🚨🔔 HOT OFF THE PRESS: Another great article published by @mlieberman ☝️
A great overview, through an amazing cat metaphor 🐈, of ensuring software supply chain security by using two excellent projects, @sigstore and #SLSA 💃, together.
I highly recommend you read it 🧐
https://www.kusari.dev/blog/whos-lurking-in-your-supply-chain/
RT @developerguyba
Do you want to learn more about how you can make your pipelines #SLSA Level 2 compliant by using two popular projects, @tektoncd and its supply chain manager #chains? Here is one of the recent blog posts published on @GoogleOSS that may help you 🆙
https://opensource.googleblog.com/2023/03/getting-to-slsa-level-2-with-tekton-and-tekton-chains.html