
Draft: Resolve "Prove the Authenticity of OCI Artifacts"

What does this MR do and why?

Demonstrate how to verify the authenticity of the OCI artifacts, taking sylva-core helm charts as an example.

Verifying an OCI artifact addresses the security needs of traceability and integrity, i.e. it mitigates the risk of deploying an artifact that has been tampered with.

It covers the risk of a stakeholder being compromised.

Related reference(s)

#451

Test coverage

Deploying sylva-core helm charts without a signature is allowed but logged when the policy is in Audit mode. Deploying sylva-core helm charts without a valid signature must fail when the policy is enforced.
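The two behaviours above (unsigned or badly signed chart: log-and-allow in Audit mode, reject in Enforce mode) form a small decision table. The following is an added, stand-alone illustration of that admission logic, not code from sylva-core or from this MR. It models the chart as a byte blob identified by its sha256 digest, and uses a keyed HMAC over that digest as a stand-in for a real signature check (cosign-style asymmetric verification would replace `verify_signature` in practice); the names `Mode`, `Artifact`, `admit` and `sign` are assumptions of this example.

```python
import hashlib
import hmac
import logging
from dataclasses import dataclass
from enum import Enum
from typing import Optional

log = logging.getLogger("chart-policy")


class Mode(Enum):
    """Policy modes as described in the MR text (assumed names)."""
    AUDIT = "audit"      # violations are logged, deployment proceeds
    ENFORCE = "enforce"  # violations fail the deployment


@dataclass(frozen=True)
class Artifact:
    """An OCI artifact (here: a helm chart) and its optional signature."""
    name: str
    content: bytes
    signature: Optional[bytes]  # None models an unsigned artifact

    @property
    def digest(self) -> str:
        # OCI artifacts are addressed by the sha256 digest of their content
        return hashlib.sha256(self.content).hexdigest()


def sign(content: bytes, key: bytes) -> bytes:
    """Stand-in signer: HMAC-SHA256 over the content digest (assumption)."""
    digest = hashlib.sha256(content).hexdigest().encode()
    return hmac.new(key, digest, "sha256").digest()


def verify_signature(artifact: Artifact, key: bytes) -> bool:
    """Return True only if a signature is present and matches the digest."""
    if artifact.signature is None:
        return False
    expected = hmac.new(key, artifact.digest.encode(), "sha256").digest()
    # constant-time comparison avoids leaking where the mismatch occurs
    return hmac.compare_digest(expected, artifact.signature)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def admit(artifact: Artifact, key: bytes, mode: Mode) -> Decision:
    """Apply the Audit/Enforce decision table to one artifact."""
    ref = f"{artifact.name}@sha256:{artifact.digest}"
    if artifact.signature is None:
        reason = f"{ref}: no signature"
    elif not verify_signature(artifact, key):
        reason = f"{ref}: signature does not verify"
    else:
        return Decision(True, f"{ref}: signature verified")

    if mode is Mode.AUDIT:
        # Audit: record the violation but let the deployment continue
        log.warning("policy violation (audit only): %s", reason)
        return Decision(True, reason)
    # Enforce: the deployment must fail
    log.error("policy violation (rejected): %s", reason)
    return Decision(False, reason)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # constructed sample data, not a real chart or key
    key = b"constructed-demo-key"
    chart = b"apiVersion: v2\nname: sylva-units\nversion: 0.0.1\n"
    signed = Artifact("sylva-core/sylva-units", chart, sign(chart, key))
    unsigned = Artifact("sylva-core/sylva-units", chart, None)
    tampered = Artifact("sylva-core/sylva-units", chart + b"# edited\n", signed.signature)
    for mode in Mode:
        for a in (signed, unsigned, tampered):
            print(mode.value, admit(a, key, mode))
```

Running the module prints one decision per (mode, artifact) pair: in Audit mode every artifact is allowed but the unsigned and tampered ones are logged; in Enforce mode only the correctly signed chart is allowed.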

Closes #451
