Introduction to a Secure Supply Chain

- By: Thomas Jungbauer ( Lastmod: 2023-08-01 ) - 1 min read

image from Introduction to a Secure Supply Chain

The goal of the following ("short") series is to build a secure CI/CD pipeline step by step using OpenShift Pipelines (based on Tekton). The whole build process shall pull and build an image, upload it to a development environment and subsequently update the production environment.

The main focus here is security. Several steps and tools shall help to build and deploy a Secure Supply Chain.

The whole process is part of a Red Hat workshop which can present to your organization. I did some tweaks and created a step-by-step plan in order to remember it …​ since I am getting old :)

The Journey to Secure Supply Chain

This series includes the following articles:

  1. Listen to Events

  2. Pipelines

  3. SonarQube

  4. Verify Git Commit

  5. Build and Sign Image

  6. Scanning with ACS

  7. Generating a SBOM

  8. Updating Kubernetes Manifests

  9. Linting Kubernetes Manifests

  10. The Example Application

  11. ACS Deployment Check

  12. Verify TLOG Signature

  13. Bring it to Production

Prerequisites

In order to develop our Secure Supply Chain, we need an OpenShift 4 Cluster. I am currently using OpenShift 4.13. Moreover, the OpenShift Pipelines operator must be deployed. It is based on Tekton and provides a Kubernetes-native way to create CI/CD pipelines.

The operator is deployed using the Operator Hub inside your cluster. Simply search for OpenShift Pipelines and install the operator using the default settings.

OpenShift Pipelines
Figure 1. Install OpenShift Pipelines

Finally, you will need a GitHub account to be able to fork some repositories.

Some steps in the pipeline are working tightly with GitHub, especially the very last one that is talking GitHub’s API. However, any Git-system should work, and probably just minor changes will be required.

Everything else will be installed during the different steps described in the upcoming articles, while we build and tweak our pipeline.

Remember, the big goal of our pipeline is NOT to simply pull, build and push our code, but to integrate certain security tools like code scanning, image scanning and linting. Otherwise, it would be boring.

Used Tools

The following list of tools (or specifications) are used for our pipeline. They will be deployed when the appropriate step requires it.

Copyright © 2020 - 2024 Toni Schmidbauer & Thomas Jungbauer

Built with Hugo Learn Theme and Hugo