Saturday, May 4, 2024

GitHub announces new updates to improve supply chain security


GitHub has released two updates designed to help secure software supply chains. The company announced a public beta of Artifact Attestations for GitHub Actions, which makes it easier for organizations to verify where software components came from, and announced that Dependabot can now be run as a GitHub Actions workflow.

Artifact Attestations lets maintainers of open-source software easily create a paper trail for the software they are building, so that consumers of that software can verify where it came from and how it was built.

The attestation includes a link to the workflow associated with the artifact, along with other relevant information such as its repository, organization, environment, commit SHA, and triggering event.

“There’s an increasing need across enterprises and the open source ecosystem to have a verifiable way to link software artifacts back to their source code and build instructions. And with more than 100M developers building on GitHub, we want to ensure developers have the tools needed to help protect the integrity of their software supply chain,” Trevor Rosen, staff engineering manager for supply chain security at GitHub, wrote in a blog post.

Artifact Attestations is powered by Sigstore, an open source project that allows software artifacts to be signed and verified to promote greater software integrity.

According to GitHub, the process to set up an Artifact Attestation is straightforward. Developers must first grant their GitHub Actions workflow permission to write to the attestations store, then direct a workflow to create an attestation, and finally use the GitHub CLI to verify it.

Consumers can easily download attestation documents, which can also be extracted as JSON files for use in a policy engine like OPA.
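The three steps above (grant the workflow write access to the attestation store, create the attestation, verify it with the GitHub CLI) and the JSON hand-off to a policy engine, as one added example workflow. This is not code from GitHub's announcement or documentation; the repository, the `make build` step, the artifact name `myapp` and the `policy.rego` file are assumptions for illustration. The action name `actions/attest-build-provenance`, the `subject-path` input, the `id-token: write` and `attestations: write` permissions, and the `gh attestation verify` flags are the real ones.

```yaml
name: release-with-attestation

on:
  push:
    tags: ["v*"]

# Default to read-only; each job requests only what it needs.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write        # lets the job obtain an OIDC token for Sigstore signing
      attestations: write    # lets the job write to the repository's attestation store
    steps:
      - uses: actions/checkout@v4

      # Hypothetical build step; it is assumed to produce dist/myapp.
      - name: Build
        run: make build

      # Creates and stores a Sigstore-signed build-provenance attestation for
      # the artifact's digest, recording repo, workflow, commit SHA and trigger.
      - name: Generate build provenance attestation
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/myapp

      - uses: actions/upload-artifact@v4
        with:
          name: myapp
          path: dist/myapp

  verify:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: myapp

      # Re-hashes the downloaded file, fetches matching attestations from the
      # store and checks the Sigstore signature chain. --repo pins the expected
      # source repository; --format json writes the verification result to a
      # file that a policy engine can consume.
      - name: Verify attestation
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh attestation verify myapp \
            --repo "${GITHUB_REPOSITORY}" \
            --format json > attestation.json

      # Hypothetical policy gate: policy.rego is assumed to be maintained by
      # the consuming team, e.g. requiring the tag-push trigger and a protected
      # branch or tag as the source ref.
      - name: Evaluate provenance policy
        run: |
          opa eval --fail-defined --input attestation.json \
            --data policy.rego 'data.provenance.deny'
```

Always pass `--repo` or `--owner` when verifying: a valid Sigstore signature only proves that some GitHub Actions workflow built the file, and anyone can attest an identically named artifact in their own repository. Pinning the expected source is what turns the signature into a supply-chain check.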

“Artifact Attestations will allow customers unprecedented visibility into the composition and usage of their built software artifact, and this is just the beginning. We’ll offer the ability to attest other types of artifacts associated with the build process, such as vulnerability reports and other pieces of metadata supported by the in-toto project’s defined predicate types. Look for exciting news around Kubernetes support, new guarantees for releases, and more later this year,” Rosen said.

Dependabot can now be run as a GitHub Actions workflow

Artifact Attestations is not the only announcement from GitHub to take note of; the company also announced that Dependabot, GitHub’s automated solution for monitoring dependencies for vulnerabilities, can now be run as a GitHub Actions workflow, on either hosted or self-hosted runners.

It previously ran only on GitHub-hosted compute, which meant that it could not access on-premises resources such as private package registries. This also meant that logs were spread across different places, and one of the requests from users was to be able to see all logs in one place.

“Developers will see performance improvements, like faster Dependabot runs and increased log visibility. APIs and webhooks for GitHub Actions will also detect failed runs and perform downstream processing should developers wish to configure this in their CI/CD pipelines,” Carlin Cherry, product manager at GitHub, wrote in a blog post.

This is part of GitHub’s long-term strategy to consolidate Dependabot entirely onto GitHub Actions. Over the course of the next year, GitHub will migrate all of Dependabot’s update jobs to GitHub Actions, leading to faster runs, increased troubleshooting visibility, self-hosted runners, and other benefits, GitHub explained.

According to GitHub, running Dependabot on Actions does not count towards GitHub Actions minutes.


