This blog post and linked pages contain information related to upcoming products, features, and functionality. It is important to note that the information presented is for informational purposes only. Please do not rely on this information for purchasing or planning purposes. As with all projects, the items mentioned in this blog post and linked pages are subject to change or delay. The development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
Today, GitLab is excited to announce that our partner TestifySec has integrated their Witness open-source tool into GitLab allowing us to take another step along our Secure Software Supply Chain Direction.
Secure software supply chain
An emerging concern in the software development space is being able to secure your software supply chain, an important element of which is documenting the entire supply chain and development progress by creating a chain of custody starting from code creation, build, test, package, and going through deployment. One important element of this chain of custody is commonly referred to as a Software Bill of Materials SBOM. There are also frameworks, such as SLSA which collect additional elements about the process. Together these documents are becoming critical components to satisfying regulated industry requirements.
There are many opportunities as a DevOps Platform to rise to the challenge of creating transparency around software components or artifacts.
Recent compromises and attacks on the software supply chain such as Solarburst and Log4shell highlight the need for a new way of securing CI systems and their artifacts. This is why TestifySec created Witness.
CI systems are an incredible source of data. Many CI systems such as GitLab, along with their cloud infrastructure, provide tokens with non-falseable data. Witness verifies and records this data, along with inputs and outputs from a CI process in a verifiable and standardized way.
In current generation CI systems we restrict the release of artifacts based on pass or failure of build steps. However, most organizations have no standardized way to leverage the metadata available during the CI process in order to inform policy decisions in production environments.
In next-generation CI systems, data collected during the CI process is not thrown away. Instead, we make this data available to security administrators for use at any policy enforcement point. With Witness, you shift security left, while communicating risk right.
Once an artifact is built it becomes difficult to understand where it was built. Most major cloud providers provide some sort of identity mechanism to verify the instance identity. On AWS this is called the Instance metadata service. The data available in this API is verifiable and is a perfect data structure to make an Witness attestation.
Witness records AWS identity metadata and cryptographically links it to the build artifact and any other events in that CI process.
You can see the demo.
GitLab and TestifySec will be enhancing our features around this as time goes on - keep an eye out for more!
Read more about GitLab's Secure Software Supply Chain Direction.