GitHub’s Artfact Attestations, for guaranteeing the integrity of artifacts constructed contained in the GitHub Actions CI/CD platform, is now typically obtainable.
Basic availability was introduced June 25. By utilizing Artifact Attestations in GitHub Actions workflows, builders can enhance safety and defend in opposition to provide chain assaults and unauthorized modifications, GitHub mentioned. As a part of the announcement, GitHub additionally launched the Kubernetes Coverage Controller, which lets builders validate attestations instantly inside Kubernetes as an added layer of safety.
Powered by the Sigstore, an open supply challenge for signing and verifying software program artifacts by way of attestations, Artifact Attestations is meant to safe a software program provide chain by making a hyperlink between artifacts and the construct course of. Including provenance to a GitHub Actions workflow will be executed by invoking the brand new attest-build-provenance Motion with the trail to the artifact. This could then be verified utilizing the brand new gh attestation confirm command.
Copyright © 2024 IDG Communications, Inc.