GitHub Artifact Attestations

Configure GitHub Artifact Attestations for secure cloud-native delivery


GitHub has made Artifact Attestations generally available. The feature lets a GitHub Actions workflow produce a signed provenance statement (an in-toto attestation signed through Sigstore, keyed to the workflow's OIDC identity) that binds an artifact's digest to the repository, commit and workflow that built it, so anything built in Actions can be traced back to its source code. This raises confidence in the software supply chain and, out of the box, satisfies the SLSA v1.0 Build Level 2 requirements, giving teams a verifiable basis for decisions about what they deploy. Attestations can be generated for any kind of artifact, whether it is an executable, a package or a container image. GitHub also provides a Kubernetes admission controller, based on the Sigstore Policy Controller, that validates deployments and rejects images without a verifiable attestation.
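The following workflow is an added example of the generate-then-verify flow described above; it is not taken from the post or from GitHub's documentation. The workflow file name, the `make dist` build step and the output path `dist/app-linux-amd64` are assumptions; `actions/attest-build-provenance`, the `id-token: write` and `attestations: write` permissions, and the `gh attestation verify` command are the real building blocks.

```yaml
# .github/workflows/release.yml  (hypothetical file name)
name: build-and-attest

on:
  push:
    tags: ["v*"]

# Least privilege at the top level; jobs that need more opt in below.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write      # lets the job obtain the OIDC token that Sigstore signs against
      attestations: write  # lets the job store the attestation on GitHub
    steps:
      - uses: actions/checkout@v4

      - name: Build the release binary
        # Assumption: the project's build produces dist/app-linux-amd64.
        run: make dist

      - name: Generate SLSA build provenance for the binary
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/app-linux-amd64

      - uses: actions/upload-artifact@v4
        with:
          name: app
          path: dist/app-linux-amd64

  verify:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: app

      - name: Verify the binary against its attestation
        env:
          GH_TOKEN: ${{ github.token }}   # gh needs a token to fetch attestations from the API
        run: |
          # Fails the job if no attestation for this file's digest was signed
          # by a workflow in this repository.
          gh attestation verify app-linux-amd64 --repo "${{ github.repository }}"
```

The verify job is the same check a consumer runs outside Actions: `gh attestation verify <file> --owner <org>` (or `--repo <org/repo>`) hashes the file, fetches the attestations GitHub stores for that digest, validates the Sigstore signature and checks that the signing identity belongs to the named owner or repository. For container images, set `subject-name` to the image reference, pass `subject-digest`, and add `push-to-registry: true` so the attestation is stored alongside the image and can be checked by the admission controller with an `oci://` reference. A workflow that calls the attest action directly, as above, gets SLSA Build L2; reaching L3 requires running the build through a hardened reusable workflow.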
