Fortifying Your Code: A Deep Dive into SLSA and GitHub for Unbreakable Software Supply Chains 🚀

In today’s interconnected digital world, the integrity of our software supply chain is paramount. We’ve all heard the alarming stories: compromised GitHub Actions, hijacked organizations, and even vulnerabilities in widely used projects like PHP and Juniper. These incidents underscore a critical truth: a breach at the source code level can have devastating ripple effects. But fear not! The open-source community is tirelessly working to build stronger defenses, and at the forefront of this effort are SLSA and GitHub.

Let’s unpack how these powerful tools are revolutionizing software supply chain security, making your code more resilient and trustworthy than ever before. ✨

Understanding SLSA: Building Security Brick by Brick 🧱

At its core, SLSA (Supply-chain Levels for Software Artifacts, pronounced “salsa”) is a framework designed to help organizations incrementally enhance their software supply chain security. What makes SLSA so compelling is its unwavering focus on evidence and verifiability: it is not enough to implement security measures; you must be able to prove that they are in place and working effectively.

The recent release candidate for SLSA v1.2 introduces a game-changer: the Source Track. This new track directly tackles source code security by setting clear requirements for both the software-producing organization and its Source Control System (SCS). Think of an SCS as more than just Git; it’s the entire ecosystem, including integrated platforms like GitHub, that offers additional layers of control.

SLSA’s Source Track lays out four progressive levels of security, allowing you to mature your practices over time:

  • Level 1: The On-Ramp 🚶‍♀️
    • This foundational level is all about adopting a version control system. It’s the perfect starting point for organizations still managing their source code in a more ad hoc manner.
  • Level 2: Preserving History and Provenance 📜
    • This level introduces critical security properties like the preservation of history and continuity of source changes. This means no more overwriting crucial elements like tags and no more force pushes to vital branches – directly addressing weaknesses exploited in past attacks.
    • It mandates the continuous application of controls to protect this history, recognizing the recursive nature of software development.
    • Provenance, the clear attribution of changes to their creators, becomes a cornerstone, enabling robust auditability.
  • Level 3: Continuous Technical Controls ⚙️
    • Here, the focus shifts to the SCS itself. This level requires the SCS to enable the enforcement of organization-defined technical controls.
    • This includes automated testing and other quality checks, ensuring they are consistently applied to specific named references (like Git branches and tags).
  • Level 4: The Two-Party Review Guardrail 🤝
    • The highest level of security mandates that two trusted individuals review changes before they are finalized. This provides a powerful human safeguard for code that is ultimately shipped.
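The Level 2 properties above (no tag overwrites, no force pushes to protected branches) are exactly what a server-side receive check enforces. The following is an added example written for this write-up, not code from the talk, from SLSA or from any SCS: it models a Git pre-receive decision over a small constructed commit graph, where an update is a fast-forward only if the old tip is an ancestor of the new tip. The branch names and commit ids are constructed.

```python
"""Level 2 history-preservation checks, modelled on a Git pre-receive hook.

Added example, not part of the talk or of any SLSA/gittuf tooling.
A ref update arrives as (ref, old_sha, new_sha); the all-zero SHA marks a ref
being created (old) or deleted (new).  Parent links come from a small
constructed commit graph instead of a real repository.
"""
from typing import Dict, List, Set, Tuple

ZERO_SHA = "0" * 40

# Constructed commit graph: commit id -> list of parent ids.
#   a1 <- b2 <- c3 <- e5 (merge)
#          \-- d4 <--/
COMMIT_GRAPH: Dict[str, List[str]] = {
    "a1": [],
    "b2": ["a1"],
    "c3": ["b2"],
    "d4": ["b2"],        # diverged from b2, not reachable from c3
    "e5": ["c3", "d4"],  # merge of c3 and d4
}

# Branches whose history must be preserved (constructed names).
PROTECTED_BRANCHES = {"refs/heads/main", "refs/heads/release"}


def ancestors(commit: str, graph: Dict[str, List[str]] = COMMIT_GRAPH) -> Set[str]:
    """Return the commit and everything reachable from it through parent links."""
    seen: Set[str] = set()
    stack = [commit]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(graph.get(current, []))
    return seen


def is_fast_forward(old: str, new: str, graph: Dict[str, List[str]] = COMMIT_GRAPH) -> bool:
    """An update is a fast-forward iff the old tip is an ancestor of the new tip."""
    return old in ancestors(new, graph)


def check_update(ref: str, old: str, new: str,
                 graph: Dict[str, List[str]] = COMMIT_GRAPH) -> Tuple[bool, str]:
    """Decide whether one ref update preserves history; returns (allowed, reason)."""
    if ref.startswith("refs/tags/"):
        # Tags may be created but never moved or deleted: a moved release tag
        # silently changes what "v1.0" means for every downstream consumer.
        if old == ZERO_SHA:
            return True, "tag created"
        if new == ZERO_SHA:
            return False, "tag deleted"
        return False, "tag moved"
    if ref in PROTECTED_BRANCHES:
        if new == ZERO_SHA:
            return False, "protected branch deleted"
        if old == ZERO_SHA:
            return True, "protected branch created"
        if not is_fast_forward(old, new, graph):
            # Covers both rewinds (new is an ancestor of old) and replaced
            # history (new and old only share an older common ancestor).
            return False, "non-fast-forward update (force push)"
    return True, "allowed"


def reject_list(updates, graph: Dict[str, List[str]] = COMMIT_GRAPH) -> List[Tuple[str, str]]:
    """Run every update in a push and collect the ones the hook would reject."""
    rejected: List[Tuple[str, str]] = []
    for ref, old, new in updates:
        allowed, reason = check_update(ref, old, new, graph)
        if not allowed:
            rejected.append((ref, reason))
    return rejected


if __name__ == "__main__":
    # Constructed push: a clean advance of main, a force push, and a moved tag.
    push = [
        ("refs/heads/main", "b2", "c3"),
        ("refs/heads/main", "c3", "d4"),
        ("refs/tags/v1.0", "c3", "d4"),
    ]
    for ref, reason in reject_list(push):
        print(f"rejected {ref}: {reason}")
```

A real hook would read the same three-tuple per line from standard input and consult the repository's object store for parent links; the merge commit `e5` is included to show that merging a diverged branch is still a fast-forward from `c3`, whereas replacing `c3` with its sibling `d4` is not.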

To support these levels, SLSA relies on attestations. For the Source Track, these include:

  • Verification Summary Attestations (VSAs): These provide a high-level overview of the security properties and SLSA levels met by a source revision.
  • Source Provenance Attestations: These offer granular details about how a revision was created, empowering detailed analysis. These attestations, often generated using frameworks like in-toto, are key to understanding and reasoning about a revision’s security posture.

GitHub’s Integral Role: Orchestrating Security at the Forge 🌐

GitHub is not just a place to store code; it’s a powerful platform that can be leveraged to meet SLSA Source Track requirements. The SLSA Source Tool is designed to translate SLSA Source policies into GitHub rulesets, enabling direct enforcement within your GitHub repositories.

But the security story doesn’t end there. Enter gittuf, a security layer for Git that significantly bolsters source code integrity. What’s revolutionary about gittuf is its ability to enable policies that are verifiable by anyone with read access to the repository. This is crucial for mitigating the risk of compromised Git servers, which can otherwise be a single point of failure.

gittuf empowers you with granular policies such as:

  • Branch and tag protection
  • Mandatory code reviews
  • Prevention of force pushes
  • File and folder protection

This allows for fine-grained control over sensitive parts of your repository, as demonstrated by the monorepo example where specific teams manage specific directories.

gittuf integrates seamlessly with the SLSA Source Track by:

  • Enforcing policies like no force pushes to protected references.
  • Tracking policy continuity, preventing malicious rollback of security measures.
  • Requiring multiple code reviews, directly supporting SLSA Level 4.
  • Utilizing attestations as its default data model, capturing events like code reviews and merges, and paving the way for generating SLSA Source attestations.
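To make the file and folder protection and the multiple-review requirement concrete, here is an added example written for this write-up. It is not gittuf’s policy format or code: it is a simplified model in which each touched path is governed by the first matching rule, each rule names who may approve changes under that path, and a threshold of 2 expresses the two-party review of Level 4. The monorepo layout, team members and the choice that a change’s author never counts as one of its own reviewers are all constructed for the example.

```python
"""Path-scoped approval policy with a per-path review threshold.

Added example, not gittuf's own policy format or code.  Rule order matters:
the first rule whose glob matches a path governs that path, so specific rules
go before the catch-all.  The author of a change never counts as a reviewer
of it (a design choice of this example, not a claim about gittuf or SLSA).
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    pattern: str                 # glob matched against each touched path
    authorized: FrozenSet[str]   # identities whose approval counts for this path
    threshold: int               # approvals required (2 = two-party review)


# Constructed monorepo policy: the payments team owns its directory and
# requires two approvals; the web team owns theirs with one; everything
# else needs one approval from any known maintainer.
POLICY: List[Rule] = [
    Rule("services/payments/*", frozenset({"alice", "bob", "carol"}), 2),
    Rule("services/web/*", frozenset({"dave", "erin"}), 1),
    Rule("*", frozenset({"alice", "bob", "carol", "dave", "erin"}), 1),
]


def governing_rule(path: str, policy: List[Rule] = POLICY) -> Optional[Rule]:
    """First matching rule wins; None means the policy does not cover the path."""
    for rule in policy:
        if fnmatch(path, rule.pattern):
            return rule
    return None


def evaluate(change: Dict, policy: List[Rule] = POLICY) -> Tuple[bool, List[Tuple[str, str]]]:
    """Check one change; returns (allowed, [(path, failure reason), ...]).

    A change is allowed only when every touched path has at least
    `threshold` distinct approvals from identities authorized for that path.
    """
    approvers = set(change["approvals"]) - {change["author"]}
    failures: List[Tuple[str, str]] = []
    for path in change["paths"]:
        rule = governing_rule(path, policy)
        if rule is None:
            failures.append((path, "no rule covers this path"))
            continue
        valid = approvers & rule.authorized
        if len(valid) < rule.threshold:
            failures.append((path, f"{len(valid)}/{rule.threshold} authorized approvals under '{rule.pattern}'"))
    return (not failures, failures)


if __name__ == "__main__":
    # Constructed change: alice authored it, so her own approval is discarded
    # and only bob's counts, which is one short for the payments directory.
    change = {
        "author": "alice",
        "paths": ["services/payments/ledger.go", "README.md"],
        "approvals": ["alice", "bob"],
    }
    allowed, why = evaluate(change)
    print("allowed" if allowed else f"blocked: {why}")
```

The interesting cases are the ones a simple “two approvals” counter gets wrong: an approval from someone outside the owning team does not count for that path, and a change spanning two directories must satisfy each directory’s rule independently.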

Live Demo: gittuf in Action! 🎬

A compelling live demonstration showcased gittuf’s power on a GitHub repository. The system successfully applied branch protection rules, requiring maintainer sign-off and protecting release tags. It then generated and verified a unified VSA, confirming the repository met SLSA Source Level 3. Further, it produced source provenance attestations detailing approvers and GitHub app attestations, vividly illustrating the verifiable nature of the implemented controls.

It’s important to note that the SLSA Source Track applies on a per-revision basis. This means different branches or commits within a single repository can adhere to different SLSA levels, adapting to the controls enforced at that specific point in time.
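The VSA described earlier is what a consumer checks to act on this per-revision property: admit a commit only if a trusted verifier has issued a passing VSA for that exact commit at the level you require. Below is an added example for this write-up, not tooling from the talk. The attestations are constructed; the field names follow the in-toto Statement v1 and SLSA VSA v1 layout as assumed here (`verifier.id`, `verificationResult`, `verifiedLevels`, `gitCommit` digest), the verifier URIs and repository are placeholders, and the DSSE signature on each envelope is assumed to have been verified before the statements reach this code.

```python
"""Per-revision admission check over Verification Summary Attestations (VSAs).

Added example, not tooling from the talk.  The attestations are constructed;
field names follow the in-toto Statement v1 / SLSA VSA v1 layout as assumed
here, and the DSSE signature on each envelope is assumed to have already been
verified by the caller.
"""
import json
from typing import Dict, Iterable, List

VSA_PREDICATE_TYPE = "https://slsa.dev/verification_summary/v1"
LEVEL_RANK = {f"SLSA_SOURCE_LEVEL_{n}": n for n in range(1, 5)}

# Constructed: only statements from this verifier are believed.
TRUSTED_VERIFIERS = {"https://verifier.example.test"}


def _statement(commit: str, levels: List[str], result: str = "PASSED",
               verifier: str = "https://verifier.example.test") -> Dict:
    """Build one constructed VSA statement (a fixture, not a real attestation)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "git+https://example.test/org/repo",
                     "digest": {"gitCommit": commit}}],
        "predicateType": VSA_PREDICATE_TYPE,
        "predicate": {
            "verifier": {"id": verifier},
            "timeVerified": "2025-01-01T00:00:00Z",
            "resourceUri": "git+https://example.test/org/repo@refs/heads/main",
            "policy": {"uri": "https://example.test/policy/source"},
            "verificationResult": result,
            "verifiedLevels": levels,
        },
    }


# Four revisions of one repository, each carrying its own VSA (constructed).
SAMPLE_VSAS_JSON = json.dumps([
    _statement("c3", ["SLSA_SOURCE_LEVEL_3"]),
    _statement("d4", ["SLSA_SOURCE_LEVEL_2"]),   # branch with weaker controls
    _statement("e5", ["SLSA_SOURCE_LEVEL_3"],
               verifier="https://rogue.example.test"),  # issuer we do not trust
    _statement("f6", ["SLSA_SOURCE_LEVEL_3"], result="FAILED"),
])


def load_vsas(text: str) -> List[Dict]:
    """Parse a JSON array of already-signature-checked VSA statements."""
    return json.loads(text)


def source_level(commit: str, vsas: Iterable[Dict], trusted=TRUSTED_VERIFIERS) -> int:
    """Highest SLSA source level a trusted, passing VSA asserts for `commit`; 0 if none."""
    best = 0
    for vsa in vsas:
        if vsa.get("predicateType") != VSA_PREDICATE_TYPE:
            continue
        subjects = vsa.get("subject", [])
        if not any(s.get("digest", {}).get("gitCommit") == commit for s in subjects):
            continue  # statement is about a different revision
        pred = vsa.get("predicate", {})
        if pred.get("verifier", {}).get("id") not in trusted:
            continue  # a level claim is only as good as who verified it
        if pred.get("verificationResult") != "PASSED":
            continue  # a FAILED summary must never raise the level
        for level in pred.get("verifiedLevels", []):
            best = max(best, LEVEL_RANK.get(level, 0))
    return best


def admit(commit: str, required_level: int, vsas: Iterable[Dict],
          trusted=TRUSTED_VERIFIERS) -> bool:
    """Gate a revision on the minimum source level your policy demands."""
    return source_level(commit, vsas, trusted) >= required_level


if __name__ == "__main__":
    vsas = load_vsas(SAMPLE_VSAS_JSON)
    for commit in ("c3", "d4", "e5", "f6"):
        print(commit, "level", source_level(commit, vsas), "admit@3:", admit(commit, 3, vsas))
```

Because the check keys on the commit digest in the subject, the same repository can yield different answers for different revisions, which is the per-revision behaviour described above; the untrusted-verifier and FAILED cases show why a consumer must not take `verifiedLevels` at face value.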

The Synergy: SLSA Source Tool and gittuf 🤝

The SLSA Source Tool and gittuf are not competing solutions; they are complementary powerhouses. The Source Tool excels at enabling SLSA Source policies through GitHub-specific protections, while gittuf embeds policies directly into the repository for verifiable enforcement. The future promises even greater interoperability as attestation formats are standardized, allowing tools like gittuf and the Source Tool to seamlessly consume and verify attestations from each other. The concept of a forge – the centralized server like GitHub, GitLab, or Bitbucket where code lives and collaboration happens – is where these security controls are increasingly being enforced.

The Road Ahead: Expanding the Ecosystem 🛣️

The SLSA ecosystem is continuously expanding. Keep an eye out for:

  • The Build Track: For validating the security of your build platforms.
  • The Dependency Track: For proactively managing risks from your software dependencies.

On the GitHub front, efforts are underway to:

  • Enhance read access control.
  • Enable development under embargo.
  • Standardize attestation storage for broader accessibility.

Get Involved! Your Contribution Matters 👨‍💻

Ready to strengthen your software supply chain? The SLSA and gittuf communities are vibrant and welcoming. Here’s how you can get involved:

  • SLSA: Join community meetings, engage on Slack channels and mailing lists, and explore their GitHub repositories.
  • gittuf: Participate in community meetings, connect on Slack channels and mailing lists, and dive into their dedicated GitHub repository.

By embracing SLSA and leveraging the power of platforms like GitHub with tools like gittuf, we can collectively build a more secure and trustworthy software future. The journey to an unbreakable software supply chain starts now! 🛡️
