GitHub announces new updates to enhance supply chain security

GitHub has released two updates designed to help secure software supply chains. The company announced a public beta of Artifact Attestations for GitHub Actions, which makes it easier for companies to verify where software components came from, and announced that Dependabot can now be run as a GitHub Actions workflow.

Artifact Attestations allows maintainers of open-source software to easily create a paper trail for the software they're building, so that consumers of that software can verify where it came from and how it was built.

Each attestation includes a link to the workflow associated with the artifact, along with other related information such as its repository, organization, environment, commit SHA, and triggering event.

"There's an increasing need across enterprises and the open source ecosystem to have a verifiable way to link software artifacts back to their source code and build instructions. And with more than 100M developers building on GitHub, we want to ensure developers have the tools needed to help protect the integrity of their software supply chain," Trevor Rosen, staff engineering manager for supply chain security at GitHub, wrote in a blog post.

Artifact Attestations is powered by Sigstore, an open source project that allows software artifacts to be signed and verified to promote greater software integrity.

According to GitHub, the process to set up an Artifact Attestation is straightforward. Developers must first allow their GitHub Actions workflow to write to the attestations store, then direct a workflow to create an attestation, and finally use the GitHub CLI to verify it.

Consumers can easily download attestation documents, which can also be extracted as JSON files for use in a policy engine like OPA.
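The three steps above as a minimal workflow, written here as an added example rather than code from GitHub's announcement: the `attestations: write` permission lets the workflow write to the attestations store, the `actions/attest-build-provenance` action creates the attestation, and the consumer verifies it with `gh attestation verify`. The `make dist` target and the `dist/app.tar.gz` path are assumptions.

```yaml
# Added example (not from the GitHub blog post): build one artifact and record
# build provenance for it. Assumes a hypothetical `make dist` target that
# produces dist/app.tar.gz.
name: release-with-provenance

on:
  push:
    tags: ["v*"]

permissions:
  contents: read        # check out the source
  id-token: write       # mint the OIDC token Sigstore uses to identify this workflow
  attestations: write   # allow this workflow to write to the attestations store

jobs:
  build:
    runs-on: ubuntu-latest   # hosted runner; the attestation records this environment
    steps:
      - uses: actions/checkout@v4

      - name: Build the artifact
        run: make dist       # hypothetical target producing dist/app.tar.gz

      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/app.tar.gz   # the file whose digest the attestation is bound to

      - uses: actions/upload-artifact@v4
        with:
          name: app
          path: dist/app.tar.gz

# Consumer side, with the GitHub CLI, run against the downloaded file:
#   gh attestation verify dist/app.tar.gz --owner <org>
# The command exits non-zero when no attestation from that owner matches the
# file's digest, so it can gate a deployment step.
```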

"Artifact Attestations will allow customers unprecedented visibility into the composition and usage of their built software artifact, and this is only the beginning. We'll offer the ability to attest other types of artifacts associated with the build process, such as vulnerability reports and other pieces of metadata supported by the in-toto project's defined predicate types. Look for exciting news around Kubernetes support, new guarantees for releases, and more later this year," Rosen said.

Dependabot can now be run as a GitHub Actions workflow

Artifact Attestations isn't the only announcement from GitHub to take note of; the company also announced that Dependabot, GitHub's automated solution for monitoring dependencies for vulnerabilities, can now be run as a GitHub Actions workflow, on either hosted or self-hosted runners.

Dependabot previously ran only on hosted compute, which meant that it couldn't access on-premise resources. It also meant that logs were spread across different places, and one of the requests from users was to be able to see all logs in one place.

"Developers will see performance improvements, like faster Dependabot runs and increased log visibility. APIs and webhooks for GitHub Actions will also detect failed runs and perform downstream processing should developers wish to configure this in their CI/CD pipelines," Carlin Cherry, product manager at GitHub, wrote in a blog post.

This is part of GitHub's long-term strategy to consolidate Dependabot entirely onto GitHub Actions. Over the course of the next year, GitHub will migrate all of Dependabot's update jobs to GitHub Actions, leading to faster runs, increased troubleshooting visibility, self-hosted runners, and other benefits, GitHub explained.

According to GitHub, running Dependabot doesn't count toward GitHub Actions minutes.