Configuring collection of SLSA attestations for images
The tekton-chains tool collects evidence about built images in the form of SLSA attestations. It monitors the build-artifact stage of the CI pipeline and attests the images that the stage produces. The evidence collection runs for each image in the saved artifacts that the list_artifacts method returns, collects the attestation for that image, and then creates the required evidence. For more information, see list_artifacts.
The tekton-chains tool is deployed to IBM managed workers by default. For information about private workers, see What is Tekton Chains?.
SLSA attestation parameters
You can set the following SLSA attestation parameters with the tekton-chains tool.
Parameter name | Type | Description | Required or Optional
---|---|---|---
slsa-attestation | ENUM | Set this parameter to an enum value of 0 or 1. Set the value to 1 to enable the collection of SLSA attestation reports. The default value is 0. | Required
icr-dockerconfigjson | SECRET | The base64-encoded Docker config.json file that stores credential information for IBM Container Registry. Set this parameter if the images must be stored in IBM Container Registry. | Optional
artifactory-dockerconfigjson | SECRET | The base64-encoded Docker config.json file that stores credential information for Artifactory. Set this parameter if images are stored in Artifactory or other container registries. | Optional
slsa-attestation-public-key | SECRET | The base64-encoded public key to verify SLSA attestation reports. | Optional
These secrets can be created manually by running:

```sh
kubectl create secret docker-registry mysecret \
  --dry-run \
  --docker-server=<container registry url> \
  --docker-username=<username> \
  --docker-password=<artifactory token> \
  --docker-email=<email> \
  -o yaml
```

For IBM Container Registry, use iamapikey as the username and the IBM Cloud API key as the password.
This process outputs a response that is similar to the following code snippet:
```yaml
apiVersion: v1
data:
  .dockerconfigjson: <your secret>
kind: Secret
metadata:
  creationTimestamp: null
  name: regcred
type: kubernetes.io/dockerconfigjson
```

In the pipeline properties, update the artifactory-dockerconfigjson or icr-dockerconfigjson parameter with the .dockerconfigjson value.
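The following added example (not part of this documentation or of tekton-chains) builds the base64 .dockerconfigjson value for IBM Container Registry without kubectl, using the standard Docker config.json layout (an "auths" map whose "auth" field is base64 of username:password), and checks that an existing value names the expected registry and the iamapikey username before it is pasted into the pipeline property. The registry host, API key and e-mail address are constructed placeholders.

```python
import base64
import json

# Constructed sample values for illustration only; not real credentials.
ICR_SERVER = "us.icr.io"
SAMPLE_API_KEY = "EXAMPLE-IBM-CLOUD-API-KEY"
SAMPLE_EMAIL = "pipeline@example.com"


def build_dockerconfigjson(server: str, username: str, password: str, email: str) -> str:
    """Return the base64 .dockerconfigjson value for a single registry.

    The layout matches a Docker config.json: the "auth" field holds
    base64("username:password"), and the whole document is base64-encoded
    once more to become the Secret data value.
    """
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {server: {"username": username, "password": password,
                                 "email": email, "auth": auth}}}
    return base64.b64encode(json.dumps(config).encode()).decode()


def icr_dockerconfigjson(api_key: str, server: str = ICR_SERVER) -> str:
    """Value for the icr-dockerconfigjson parameter: the username is iamapikey."""
    return build_dockerconfigjson(server, "iamapikey", api_key, SAMPLE_EMAIL)


def check_dockerconfigjson(value: str, expected_server: str, expected_user: str) -> bool:
    """Decode a .dockerconfigjson value and confirm it fits the target registry.

    Returns True only if the value is valid base64 JSON, contains an entry
    for expected_server, and its "auth" field agrees with the username.
    A mismatch here is a common reason the pipeline cannot pull the image
    it is supposed to attest.
    """
    try:
        config = json.loads(base64.b64decode(value, validate=True))
        entry = config["auths"][expected_server]
        decoded_auth = base64.b64decode(entry["auth"]).decode()
    except (ValueError, KeyError, TypeError):
        return False
    user, _, _ = decoded_auth.partition(":")
    return user == expected_user == entry.get("username")


if __name__ == "__main__":
    value = icr_dockerconfigjson(SAMPLE_API_KEY)
    print(value)
    print(check_dockerconfigjson(value, ICR_SERVER, "iamapikey"))
```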
Evidence and attachments
Evidence is generated based on the values that you set according to the details in table 2. The DevSecOps pipeline uploads the evidence to the evidence locker and includes it in the evidence summary for change requests.
Field | Value
---|---
tool type | tekton-chains
evidence type | com.ibm.cloud.slsa
asset type | image
attachments | Attestation report generated by tekton-chains, as JSON
Debugging and logging
Set the following parameter for debugging and logging.
Parameter name | Default value | Description
---|---|---
pipeline-debug | 0 | Debug flag: 0 off; 1 on
Accessing your scan results
You can access your scan results by using the following methods:
- Using the DevSecOps CLI to download your scan results from the evidence locker by using the information that is printed in the stage log. For more information, see the following resources: