Build Security
Last updated
Last updated
Xygeni helps you to protect the integrity of your artifacts and build (CI/CD) processes. This is known as Build Security.
The Xygeni platform provides a component for an important part of Build Security: the creation, storage and verification of attestations on the software.
The following sections describe Xygeni SALT (Software Attestations Layer for Trust), the component for generating, registering and verifying software attestations.
Install the SALT command-line tool. The following commands work under Linux/macOS.
where PATH_TO_DIR
stands for the directory where the SALT tool will be uncompressed (proceed to for detailed instructions or on a different operating system).
Now you can generate sample attestations for your software product: Go to a product repository directory (cd <YOUR_REPO_DIR>
), and run commands for creating an one-shot SLSA attestation (attestation slsa
):
The SLSA Provenance attestation is written in slsa.unsigned.json
file, and the signed envelope (signed with an ephemeral keypair, certified with an ephemeral certificate) is stored in the slsa.json
file.
Now verify the attestation:
A software attestation is an assertion made about a piece of software. A software attestation is an authenticated statement (metadata) about a software artifact or collection of software artifacts.
Software attestations are a generalization of raw artifact/code signing. The attestation is a signed document (in a given format, typically based on JSON) that associates metadata with an artifact. They represent evidence linking inputs (materials) and outputs (artifacts produced) at each build step.
Attestations provide a verifiable record of the steps done for building the final software artifacts, including input materials for each step and the build commands run.
SALT (acronym for Software Attestation Layer for Trust) is the feature in the Xygeni platform for build security. SALT is the infrastructure for creating and verifying software attestations, aiming at different use-cases.
Result upload: The results for the attestation generation are uploaded to Xygeni, so any error or integrity failure is reported and could be notified to DevOps engineers and security management teams.
The following image depicts the main components of SALT:
Salt provides a command-line interface (Salt CLI) with commands for creating the attestation document from the inputs, interacting with the attestations registry, and verifying an attestation with respect to the referenced software product.
salt CMD
, with CMD = attestation | keygen | registry | contract | verify
.
The main commands are:
salt keygen
: Generate key pairs for signing
salt attestation init|add|run|status|commit|reset
: Incremental attestation build
salt attestation provenance
: Provenance for pipeline, in a single shot
salt registry search | get | put
: Operations with Attestation Registry
salt verify
: Verify contract / attestation for SW artifact
salt contract create | from-build | upload | download
: Contract handling
Software attestations are typically created in the same pipeline that builds and/or deploys the software. One or more steps can run Salt CLI commands to either build the attestation either in one shot (salt attestation provenance
) or incrementally at different steps along the pipeline (salt attestation init|add|run|commit
).
Attestations in the IAF are serialized as JSON.
You may need to work with special features or build attestations and handle key materials in a non-standard way. The following are tips & tricks that you may find helpful:
For more information about what software attestations are, what they are used for, the structure of a software attestation and which standards are in place, please refer to section.
A command-line interface (salt
command) is provided for generating attestations in CI/CD pipelines, or for verification of the integrity of the attestations with regard to the software artifacts the attestation refers to. Additional integrations, like plugins, are provided for the most popular CI/CD systems. See for further details.
Xygeni provides an attestation registry based on the combination of the as storage and as a transparency log. The public server for the Xygeni-provided attestation registry is at .
For further information, see .
The Salt model contains most of the in-toto specification types for software attestations, as shown in the .
For further information, see .
See for further details.
SALT follows the . The IAF provides a specification for generating verifiable claims about any aspect of how a piece of software is produced. Consumers or users of software can then validate the origins of the software, and establish trust in its supply chain, using in-toto attestations.
See the for details about the general format of signed attestations and their components. For further details on the predicate types, read .