GitHub’s Artfact Attestations, for guaranteeing the integrity of artifacts constructed contained in the GitHub Actions CI/CD platform, is now typically obtainable.
Basic availability was introduced June 25. Through the use of Artifact Attestations in GitHub Actions workflows, builders can enhance safety and defend towards provide chain assaults and unauthorized modifications, GitHub stated. As a part of the announcement, GitHub additionally launched the Kubernetes Coverage Controller, which lets builders validate attestations instantly inside Kubernetes as an added layer of safety.
Powered by the Sigstore, an open supply challenge for signing and verifying software program artifacts by way of attestations, Artifact Attestations is meant to safe a software program provide chain by making a hyperlink between artifacts and the construct course of. Including provenance to a GitHub Actions workflow might be performed by invoking the brand new attest-build-provenance Motion with the trail to the artifact. This will then be verified utilizing the brand new gh attestation confirm
command.
Copyright © 2024 IDG Communications, Inc.