Chainguard and CNCF conduct SLSA assessments for Argo and Prometheus projects

Chainguard recently worked with Cloud Native Computing Foundation (CNCF) to conduct software supply chain security assessments of two graduated CNCF projects, Argo and Prometheus. Ensuring the foundations of open source software projects are applying best practices and principles for supply chain security is critical. Chainguard was happy to partner with CNCF on this endeavor to help the community continue to improve the software security of widely used projects.

‍

Both software supply chain security assessments followed the Supply-Chain Levels for Software Artifacts (SLSA, pronounced salsa) framework to assess the software supply chain security practices of the Argo CD and Prometheus projects. SLSA, which is maintained within the Open Source Security Foundation, defines levels of software supply chain integrity and a set of practices to achieve these levels. Version 0.1 of SLSA (at the time of writing, a 1.0 specification has been announced) emphasizes a set of software supply chain security practices that deal with source code, the build process, and provenance with an emphasis on machine-readability and machine-verifiability. These SLSA assessment efforts build on the security work CNCF has been doing with independent security audits with OSTIF and fuzzing audits with ADA Logics and address a crucial aspect of security health in the software supply chain.

‍

Here’s a look at some of the main findings in the assessments:

• The Chainguard assessment team concluded that the source, build, and provenance portions of the Argo CD supply chain all achieved SLSA level 3.

• The Chainguard assessment of Prometheus found the project yielded SLSA Level 3 for both Source and Build sections.

• Provenance is an important piece of the supply chain that allows the consumers of an artifact to verify its authenticity. The Chainguard assessment team recommends that the Prometheus maintainers implement provenance generation within the Prometheus build infrastructure.

The full reports can be found on the Argo CD and Prometheus GitHub pages. Thank you to CNCF and the Argo and Prometheus maintainers for their collaboration on the SLSA assessments and their commitment to strengthening software supply chain security.

‍

Organizations interested in a software supply chain security assessment can contact Chainguard. And anyone interested in education materials on SLSA can find them on Chainguard Academy.