GitLab Artifact Metadata Datastore
## Overview
- **Secure software supply chain management** refers to the ability to ensure the security of everything that goes into the software that you build. Here, "everything" means the dependencies your software supply chain relies on; a dependency is a piece of software that another piece of software needs in order to run. In addition to validating the source and security of dependencies before the build process completes, organizations also need to ensure that the final build output (the artifacts) is immutable and includes build-time injected `attestations`.
- **Attestation** is a process for demonstrating that software binaries were properly instantiated on a trusted platform.
- **Software Bill of Materials (SBOM)** - an SBOM is a formal record containing the details and supply chain relationships of the various components used in building software.
- **Software Bill of Materials (SBOM)** - content source is the paper referenced below, Deliver Uncompromised. "The software of complex systems is often built from many discrete software modules that perform distinct functions. Modern software can be rapidly or even automatically assembled. In this respect, software development increasingly resembles manufacturing processes. Thus, it is likely that any given custom or commercially available software system is, in fact, a product of a varied and often complex supply chain. Yet, all too often, and especially with open-source software, little is known concerning the pedigree of the software developer (who owns or controls the developer, for example) or the provenance of the software components (what measures were taken to ensure its integrity and trustworthiness). In recognition of this fact, good industry practices increasingly mandate the use of an SBOM that identifies the provenance of the various components. If done properly, an SBOM can estimate the overall risk of the ensemble of software elements based on the risk of the individual elements."
- Today, GitLab pipeline jobs output an archive of files and directories. Customers who need to add an `attestation` to this output can either (a) develop their own application for injecting the attestation or (b) include a script in the `after_script` section of a job.
- Some customers who have already solved the attestation step in the process are using Grafeas as the centralized metadata store.
### Proposal
- Provide a solution that enables customers to create and store critical software component metadata in a metadata store during the execution of a CI/CD pipeline.
## Questions that can be addressed with a query-enabled metadata datastore
- Is this container deployed to production?
- When was this container pulled (downloaded) from our registry?
- What packages are installed in this container?
- Does this container contain any security vulnerabilities?
- Does this container meet our security controls?
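The following is an added example, not GitLab's or Grafeas's code, showing what the proposal amounts to in practice: a job step that content-addresses the build output and emits an attestation record bound to its digest, plus a small in-memory metadata store, modelled loosely on the Grafeas note/occurrence split, whose query methods answer each of the questions listed above. All artifact bytes, package names, the vulnerability id `vuln/EXAMPLE-0001`, the builder name `gitlab-runner` and the pipeline id are constructed sample values; the control policy in `meets_controls` (attested by a trusted builder, nothing above MEDIUM severity) is one assumed policy, not a GitLab feature.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Occurrence:
    """One piece of metadata bound to one artifact (Grafeas-style occurrence)."""
    kind: str       # ATTESTATION | PACKAGE | VULNERABILITY | DEPLOYMENT | PULL
    note: str       # identifier of the note this occurrence instantiates
    resource: str   # artifact identity: "sha256:<hex digest>"
    details: dict = field(default_factory=dict)


def artifact_digest(data: bytes) -> str:
    """Content-address the build output; the digest is the immutable lookup key."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def attest_build(data: bytes, builder: str, pipeline_id: str) -> Occurrence:
    """What an after_script step would emit: an attestation bound to the digest.
    Assumption: signing by a builder-held key is out of scope for this example."""
    return Occurrence(
        kind="ATTESTATION",
        note=f"attestation/{builder}",
        resource=artifact_digest(data),
        details={"pipeline_id": pipeline_id, "builder": builder},
    )


class MetadataStore:
    """In-memory stand-in for a queryable artifact metadata datastore."""

    def __init__(self) -> None:
        self._occurrences: list[Occurrence] = []

    def record(self, occ: Occurrence) -> None:
        self._occurrences.append(occ)

    def query(self, resource: str, kind: str) -> list[Occurrence]:
        return [o for o in self._occurrences
                if o.resource == resource and o.kind == kind]

    # One method per question from the proposal.
    def is_deployed_to(self, resource: str, environment: str) -> bool:
        return any(o.details.get("environment") == environment
                   for o in self.query(resource, "DEPLOYMENT"))

    def pull_times(self, resource: str) -> list[str]:
        return sorted(o.details["pulled_at"] for o in self.query(resource, "PULL"))

    def packages(self, resource: str) -> dict[str, str]:
        return {o.details["name"]: o.details["version"]
                for o in self.query(resource, "PACKAGE")}

    def vulnerabilities(self, resource: str) -> list[str]:
        return sorted(o.note for o in self.query(resource, "VULNERABILITY"))

    def meets_controls(self, resource: str, trusted_builder: str,
                       max_severity: str = "MEDIUM") -> bool:
        """Assumed control: attested by trusted_builder and no vuln above max_severity."""
        rank = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
        attested = any(o.details.get("builder") == trusted_builder
                       for o in self.query(resource, "ATTESTATION"))
        worst = max((rank[o.details["severity"]]
                     for o in self.query(resource, "VULNERABILITY")), default=-1)
        return attested and worst <= rank[max_severity]


def demo() -> dict:
    """Populate the store with constructed metadata for one image and run the queries."""
    image = b"constructed image bytes"   # constructed stand-in for the real build output
    digest = artifact_digest(image)
    store = MetadataStore()
    store.record(attest_build(image, "gitlab-runner", "pipeline-1234"))
    store.record(Occurrence("PACKAGE", "pkg/openssl", digest, {"name": "openssl", "version": "3.0.0"}))
    store.record(Occurrence("PACKAGE", "pkg/curl", digest, {"name": "curl", "version": "8.0.0"}))
    store.record(Occurrence("VULNERABILITY", "vuln/EXAMPLE-0001", digest, {"severity": "HIGH", "package": "curl"}))
    store.record(Occurrence("DEPLOYMENT", "deploy/prod", digest, {"environment": "production"}))
    store.record(Occurrence("PULL", "pull/registry", digest, {"pulled_at": "2024-01-02T10:00:00Z"}))
    return {
        "digest": digest,
        "in_production": store.is_deployed_to(digest, "production"),
        "pull_times": store.pull_times(digest),
        "packages": store.packages(digest),
        "vulnerabilities": store.vulnerabilities(digest),
        "meets_controls": store.meets_controls(digest, "gitlab-runner"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The point of keying everything on the content digest rather than on a mutable tag is that a query such as "is this deployed to production" is only meaningful for an immutable artifact; a tag can be re-pointed after the attestation was recorded, a digest cannot.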
## Reference
- [Secure Software Supply Chain - GitLab Runner Integration and Grafeas](https://docs.google.com/document/d/1INE0ZknVKKHE1IepBCDvEarqFWELQEIYSg6Lae5SZPU/edit?usp=sharing)
- [Video discussion](https://www.youtube.com/watch?v=TcCiCp1y_KM)
- [Software Supply Chain Management with Grafeas and Kritis](https://www.infoq.com/presentations/supply-grafeas-kritis/)
- [Help secure software supply chains on Google Kubernetes Engine](https://cloud.google.com/architecture/secure-software-supply-chains-on-google-kubernetes-engine)
- [Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience](https://www.mitre.org/sites/default/files/publications/pr-18-2417-deliver-uncompromised-MITRE-study-26AUG2019.pdf)
- [The Minimum Elements For a Software Bill of Materials - Pursuant to Executive Order 14028 on Improving the Nation's Cybersecurity](https://www.ntia.gov/files/ntia/publications/sbom_minimum_elements_report.pdf)