KubeEdge Achieves SLSA Level 3 Compliance

Published on March 31, 2023

CNCF incubating project KubeEdge recently achieved Supply Chain Levels for Software Artifacts (SLSA) Level 3 compliance. By reaching SLSA 3, KubeEdge has certified the end-to-end security of its software supply chain process, ensuring that its binary and container image artifacts are protected against malicious manipulation.

On the CNCF blog, the KubeEdge Special Interest Group (SIG)-Security announced the compliance. SLSA is a security framework and checklist of standards that protect software artifacts from unauthorized modification and common supply chain attacks, from source through build to release. SLSA is currently in alpha, and the requirements for levels three and four may change in the future.

Any piece of software in a supply chain can be the point at which vulnerabilities are introduced. As a system becomes more intricate, it is essential to establish checks and implement best practices in advance to ensure the integrity of its artifacts.

For SLSA Level 3 compliance, KubeEdge currently meets the Source, Build, and Provenance requirements.

For the build-related requirements, KubeEdge automates its build process with GitHub Actions: the workflow definitions and configuration files are stored in the ".github/workflows" directory of the repository. This offers traceability and verifiability of build steps, an isolated and ephemeral build environment, and protection against tampering with build parameters and dependencies.

The build metadata, which can be authenticated, provides evidence of how the build and release process was executed. This metadata includes build steps, build sources, and dependencies, such as source code repositories, code branches, and configuration files.
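As an added illustration, not from the CNCF post or from KubeEdge's own tooling, the check below runs a consumer-side policy over a constructed SLSA v0.2 provenance statement (in-toto Statement layout): the artifact digest, the builder identity, the source repository and the workflow entry point are the fields a release consumer would verify before trusting a binary. All URIs and the commit digest are placeholders, and verification of the signed envelope that carries such a statement is assumed to have happened already.

```python
import hashlib

# Constructed sample artifact and a minimal SLSA v0.2 provenance statement.
# All URIs are placeholders; a real statement arrives inside a signed DSSE
# envelope, whose signature is assumed to have been checked before this
# policy runs.
ARTIFACT = b"constructed sample release binary\n"
TRUSTED_BUILDER = "https://github.com/example-org/example-builder@refs/tags/v0.0.0"
TRUSTED_SOURCE = "git+https://github.com/example-org/example-project@"

PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "example-cli",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": TRUSTED_BUILDER},
        "invocation": {"configSource": {
            "uri": TRUSTED_SOURCE + "refs/tags/v0.0.0",
            "digest": {"sha1": "0" * 40},  # placeholder commit id
            "entryPoint": ".github/workflows/release.yml",
        }},
    },
}


def verify_provenance(statement, artifact, trusted_builder, trusted_source):
    """Return the list of policy failures; an empty list means the artifact is accepted."""
    problems = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append("unexpected predicateType")
    # The artifact actually in hand must be one of the statement's subjects.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("artifact digest not among provenance subjects")
    pred = statement.get("predicate", {})
    # Only the trusted, isolated builder may have produced the artifact.
    if pred.get("builder", {}).get("id") != trusted_builder:
        problems.append("builder id does not match trusted builder")
    # The build must have been driven by a checked-in workflow from the
    # expected repository, not by parameters supplied ad hoc at build time.
    source = pred.get("invocation", {}).get("configSource", {})
    if not source.get("uri", "").startswith(trusted_source):
        problems.append("build config did not come from the expected repository")
    if not source.get("entryPoint", "").startswith(".github/workflows/"):
        problems.append("entry point is not a checked-in GitHub Actions workflow")
    return problems
```

Running the policy against the sample returns an empty list; altering a single byte of the artifact or pointing the statement at a different builder or repository produces a named failure instead.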

As a side note, SLSA released its first major update since June 2021: the SLSA v1.0 RC1 Specification. One of the highlights of this update is the division of SLSA into multiple tracks, each with its own set of levels evaluating a specific aspect of software supply chain security.

We also saw an article on YCombinator introducing Chainloop, an open-source software supply chain control plane. With Chainloop, SecOps teams can restore security compliance, visibility, standardization, and control, while developers can meet compliance requirements with minimal effort.

For more information about SLSA, interested readers can visit the SLSA community page. Readers can follow KubeEdge's official GitHub page for further updates on the project.
