GitLab Runner Build Platform Configuration for SLSA L3
Problem to solve
Customers are configuring their runner build environments to achieve SLSA L3 and need guidance on which runner configurations allow them to meet those requirements.
SLSA L3: Build Platform - Isolation Requirements
The build platform ensured that the build steps ran in an isolated environment, free of unintended external influence. In other words, any external influence on the build was specifically requested by the build itself. This MUST hold true even between builds within the same tenant project.
Requirement | Will using a self-managed GitLab Runner hosted on a Kubernetes cluster enable the customer to meet this requirement?
---|---
It MUST NOT be possible for a build to access any secrets of the build platform, such as the provenance signing key, because doing so would compromise the authenticity of the provenance. |
It MUST NOT be possible for two builds that overlap in time to influence one another, such as by altering the memory of a different build process running on the same machine. |
It MUST NOT be possible for one build to persist or influence the build environment of a subsequent build. In other words, an ephemeral build environment MUST be provisioned for each build. |
It MUST NOT be possible for one build to inject false entries into a build cache used by another build, also known as "cache poisoning". In other words, the output of the build MUST be identical whether or not the cache is used. |
The build platform MUST NOT open services that allow for remote influence unless all such interactions are captured as externalParameters in the provenance. |
SLSA Build Platform + GitLab CI/CD
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.