Introduction

Cimon Attest is a powerful tool designed to facilitate SLSA (Supply Chain Levels for Software Artifacts) attestation within the software development and deployment lifecycle. It simplifies the process of generating and managing provenance documents, ensuring the integrity and authenticity of software artifacts.

The Importance of Provenance

Provenance refers to the historical record and origin of a software artifact. It provides transparency and auditable traceability, allowing stakeholders to verify software components' source, modifications, and interactions. Provenance is crucial in establishing the trustworthiness of artifacts and enhancing the security of the software supply chain.

When we address provenance, we refer to the latest v1.0 standard explained here: https://slsa.dev/provenance/v1.

SLSA Compliance

SLSA compliance addresses the need for robust provenance generation and management. As explained in the official SLSA standard, even the basic SLSA level (level 1) includes guidelines for capturing and maintaining provenance information throughout the software lifecycle. Cimon aligns with the SLSA specification and enables organizations to conform to these compliance requirements.

Generating Attestation Documents

To use Cimon, you must create your desired artifacts as part of your standard build process. Once the artifacts are ready, you can call Cimon Attest to generate an attestation document specifically for those artifacts. These documents contain metadata and cryptographic signatures, ensuring the authenticity and integrity of the artifact and its provenance source. Cimon tooling is runner-aware: it identifies the environment in which it runs, captures all relevant information, and forms a verifiable document that can be passed to stakeholders.

Signing Artifacts

Cimon Attest provides the additional capability to sign artifacts using supplied keys or certificates. This enhances the security and trustworthiness of the artifacts, enabling stakeholders to verify their authenticity and integrity. A signed provenance document is a must-have requirement for SLSA 2 and above.
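To make the two previous sections concrete, here is an added example (not Cimon's code, and not taken from this page) showing what a SLSA v1 provenance attestation looks like and what a downstream verifier checks before trusting an artifact. It builds an in-toto Statement with the `https://slsa.dev/provenance/v1` predicate, wraps it in a DSSE envelope using the spec's pre-authentication encoding (PAE), and then verifies the signature, the signer's key id, the builder identity and the subject digest against the artifact bytes. The artifact content, builder id, buildType URI, source commit and key are all constructed placeholders; HMAC-SHA256 stands in for the asymmetric signature a real signer would use, so that the example runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample inputs (placeholders, not real build data).
ARTIFACT_NAME = "app.tar.gz"
ARTIFACT_BYTES = b"constructed artifact content\n"
BUILDER_ID = "https://example.invalid/ci/runner"          # placeholder builder identity
BUILD_TYPE = "https://example.invalid/buildTypes/ci@v1"   # placeholder buildType URI
SOURCE_URI = "git+https://example.invalid/org/repo@refs/heads/main"
SOURCE_COMMIT = "0" * 40                                   # placeholder gitCommit digest
SIGNING_KEY = b"constructed-demo-key"                      # placeholder secret (HMAC stand-in)
KEY_ID = "demo-key-1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_statement(name: str, data: bytes) -> dict:
    """Assemble an in-toto Statement carrying a SLSA v1 provenance predicate."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(data)}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": BUILD_TYPE,
                "externalParameters": {
                    "source": {"uri": SOURCE_URI, "digest": {"gitCommit": SOURCE_COMMIT}}
                },
            },
            "runDetails": {"builder": {"id": BUILDER_ID}},
        },
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: what is actually signed, not the raw payload."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)


def sign_envelope(statement: dict, key: bytes, keyid: str) -> dict:
    """Serialize the statement and wrap it in a DSSE envelope (HMAC used as a stand-in signature)."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(DSSE_PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": DSSE_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope: dict, key: bytes, expected_keyid: str,
                    artifact_name: str, artifact_bytes: bytes, trusted_builder: str) -> tuple:
    """Return (ok, reason). Checks signature, signer identity, predicate type, builder and subject digest."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    signed_by_expected_key = any(
        s["keyid"] == expected_keyid and hmac.compare_digest(base64.b64decode(s["sig"]), expected)
        for s in envelope["signatures"]
    )
    if not signed_by_expected_key:
        return False, "signature invalid or signer identity not trusted"
    statement = json.loads(payload)
    if statement.get("_type") != STATEMENT_TYPE or statement.get("predicateType") != SLSA_PROVENANCE_V1:
        return False, "not a SLSA v1 provenance statement"
    if statement["predicate"]["runDetails"]["builder"]["id"] != trusted_builder:
        return False, "untrusted builder"
    actual = sha256_hex(artifact_bytes)
    if not any(s["name"] == artifact_name and s["digest"].get("sha256") == actual
               for s in statement["subject"]):
        return False, "subject digest does not match artifact"
    return True, "ok"


if __name__ == "__main__":
    env = sign_envelope(build_statement(ARTIFACT_NAME, ARTIFACT_BYTES), SIGNING_KEY, KEY_ID)
    print(json.dumps(env, indent=2))
    print(verify_envelope(env, SIGNING_KEY, KEY_ID, ARTIFACT_NAME, ARTIFACT_BYTES, BUILDER_ID))
```

The verifier deliberately checks more than the signature: a valid signature from an unexpected key, a statement whose subject digest no longer matches the downloaded bytes, or a builder id outside the trusted set should each fail the policy, which is what an organization-wide rule such as "provenance must be signed by a specific identity" amounts to in practice.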

Cimon With Cycode

Cycode enhances the capabilities of Cimon and allows the following:

  • Browse all attestation reports and gain visibility across the organization.
  • Maintain an organization policy, such as a requirement for signed provenance documents or a specific signer identity.
  • Accessible storage for provenance documents, correlated across the SDLC.
  • Reach SLSA level 3 by combining provenance information with CI/CD security capabilities.
  • And more.

If you are interested, please contact us to book a demo.