generated from coulomb/repo-seed
79 lines
2.5 KiB
Markdown
79 lines
2.5 KiB
Markdown
# Pattern: Supply-Chain Provenance
|
|
|
|
Status: seed
|
|
Readiness target: RL3 production
|
|
Primary owners: Railiance platform, artifact-store, product repos
|
|
|
|
## Problem
|
|
|
|
Production artifacts become hard to trust when source, dependencies,
|
|
build runners, images, signatures, SBOMs, and deployment admission are
|
|
not connected.
|
|
|
|
## Context
|
|
|
|
Use this pattern for container images, packages, release artifacts,
|
|
SBOMs, dependency updates, GitHub/GitLab workflows, artifact-store, and
|
|
Kubernetes admission.
|
|
|
|
## Forces
|
|
|
|
- Teams need fast dependency updates and builds.
|
|
- Production needs evidence that artifacts came from reviewed source.
|
|
- Build systems need secrets, but secret exposure in CI is high impact.
|
|
- Admission should verify artifacts without blocking all development.
|
|
|
|
## Solution
|
|
|
|
Require production artifacts to carry review, dependency, build,
|
|
signature, and provenance evidence. Admission and release workflows use
|
|
that evidence to decide what can run or be promoted.
|
|
|
|
## Implementation Sketch
|
|
|
|
1. Protect main branches and release tags.
|
|
2. Generate SBOMs per release.
|
|
3. Sign container images and release artifacts.
|
|
4. Emit SLSA-style build provenance from trusted runners.
|
|
5. Keep build runners isolated and least privilege.
|
|
6. Verify signatures and provenance before production admission.
|
|
|
|
## Failure Modes
|
|
|
|
| Failure | Mitigation |
|
|
| --- | --- |
|
|
| SBOM generated but not stored with releases | store SBOMs in artifact-store or release records |
|
|
| Signatures exist but admission ignores them | enforce signed image admission |
|
|
| CI runner has broad production secrets | quarantine runners and restrict secret access |
|
|
| Dependency bot floods unreviewed changes | require tests and review gates |
|
|
|
|
## Related Capabilities
|
|
|
|
- Software supply chain security.
|
|
- Platform and Kubernetes hardening.
|
|
- Security governance and production readiness.
|
|
- Observability, detection, and audit.
|
|
|
|
## Maturity
|
|
|
|
Seed. The pattern has strong external standards, but NetKingdom still
|
|
needs concrete artifact-store and admission integration.
|
|
|
|
## Verification
|
|
|
|
- Releases include SBOM, signature, and provenance.
|
|
- Admission rejects unsigned or untrusted production artifacts.
|
|
- Build runner access to secrets is minimized.
|
|
- Dependency updates are tested and reviewed.
|
|
|
|
## Research Basis
|
|
|
|
Seeded by protected main branch, dependency update bot, SBOM-per-release,
|
|
SLSA build provenance, signed container images, and quarantined build
|
|
runner patterns.
|
|
|
|
## References
|
|
|
|
- Initial exploration: Software supply chain security.
|
|
- Initial exploration: Supply-chain patterns.
|