-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Marcela Melara <[email protected]>
- Loading branch information
1 parent
4941a72
commit c9526ee
Showing
3 changed files
with
50 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
# KubeCon NA '23 Demo | ||
|
||
As part of the [in-toto Maintainer Track talk] at KubeCon NA '23, we present | ||
a demo of the in-toto Attestation Framework, SCAI, and the in-toto Attestation | ||
Verifier. | ||
|
||
## Demo Setup | ||
|
||
The overall flow implemented in the demo is as follows: | ||
|
||
<img src="./images/scai-kubeconNA23-demo.png" alt="in-toto demo flow" width="600"> | ||
|
||
This demo setup is implemented using the [scai-gen GitHub Actions] in a Docker | ||
container build [demo workflow] for the Hyperledger Labs Private Data Objects | ||
project. | ||
|
||
### Generated Attestations | ||
|
||
This demo generates the follow _authenticated_ in-toto attestations: | ||
|
||
* [SLSA Provenance] attestation for the container build | ||
* [SCAI Attribute Report] attestation for additional integrity metadata about | ||
the build | ||
|
||
These two attestations are signed using cosign OIDC-based keyless signing, | ||
and uploaded to the public Rekor log. | ||
|
||
### Additional Tools | ||
|
||
This demo makes use of the following additional tools: | ||
|
||
* in-toto [attestation-verifier] | ||
* [Anchore SBOM generator] GitHub Action | ||
* [SLSA generic Provenance generator] GitHub Action | ||
* [strace] Linux syscall tracer | ||
|
||
[Anchore SBOM generator]: https://github.com/anchore/sbom-action | ||
[attestation-verifier]: https://github.com/in-toto/attestation-verifier | ||
[demo workflow]: https://github.com/marcelamelara/private-data-objects/blob/kubeconNA23-intoto-demo/.github/workflows/kubeconNA23-intoto-demo.yml | ||
[in-toto Maintainer Track talk]: https://kccncna2023.sched.com/event/1R2mx | ||
[SLSA generic Provenance generator]: https://github.com/slsa-framework/slsa-github-generator | ||
[SLSA Provenance]: https://github.com/in-toto/attestation/blob/main/spec/predicates/provenance.md | ||
[SCAI Attribute Report]: https://github.com/in-toto/attestation/blob/main/spec/predicates/scai.md | ||
[scai-gen GitHub Actions]: https://github.com/in-toto/scai-demos/tree/main/.github/actions | ||
[strace]: https://strace.io/ |