Overview
Cimon Attest is a tool for producing SLSA (Supply-chain Levels for Software Artifacts) provenance attestations as part of the build and deployment process. It generates and manages provenance documents that let consumers verify where an artifact came from and how it was built.
The Importance of Provenance
Provenance is the record of how a software artifact came to be: which builder produced it, from which source revision, and with which inputs and build parameters. It gives consumers auditable traceability, so they can verify an artifact's origin rather than take it on trust. Provenance is therefore the foundation for establishing the trustworthiness of artifacts and securing the software supply chain.
Throughout this documentation, provenance means the current SLSA Provenance v1.0 format described at https://slsa.dev/provenance/v1.
SLSA Compliance
SLSA is built on robust provenance generation and management. As the official SLSA specification explains, even the lowest level, Build L1, requires that provenance be generated for each artifact and made available to its consumers; Build L2 additionally requires that the provenance be signed by a hosted build platform. Cimon follows the SLSA specification and helps organizations meet these requirements.
Generating Attestation Documents
Cimon Attest runs after your regular build has produced its artifacts. Invoke it on the finished artifacts and it generates an attestation document for them. The document records each artifact's cryptographic digest together with its provenance metadata (builder, source, build parameters) and carries cryptographic signatures, so a consumer can check both that the document has not been altered and that the artifact they hold is the one the document describes. Cimon is runner-aware: it detects the CI environment it runs in, captures the relevant build information from that environment, and produces a verifiable document that can be passed to stakeholders.
Signing Artifacts
Cimon Attest can also sign the provenance document for an artifact with a key or certificate you supply. A signature lets stakeholders verify that the provenance was produced by the holder of that key and has not been modified since. A verifier should check two things: that the signature is valid under a key it trusts, and that the digest recorded in the document matches the artifact actually in hand; a valid signature over provenance for some other artifact proves nothing about the one being deployed. Signed provenance is required from SLSA Build L2 upward.
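As an added example that is not Cimon's own code or output format, the following Go program puts the two steps above together: NewStatement builds a SLSA Provenance v1 statement whose subject is the artifact's SHA-256 digest and whose predicate records builder, source and invocation; Sign wraps it in a signed DSSE envelope, the envelope format in which SLSA provenance is normally distributed; and Verify performs the consumer-side checks. The statement and predicate type URIs and the DSSE pre-authentication encoding follow their published specifications. The buildType URI, builder ID, repository URL, commit and invocation ID are placeholders, the artifact bytes are constructed inline, and an Ed25519 key generated at run time stands in for the key or certificate a real pipeline would supply.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

const (
	statementType = "https://in-toto.io/Statement/v1"              // in-toto Statement v1 wrapper
	predicateType = "https://slsa.dev/provenance/v1"               // SLSA Provenance v1 predicate
	payloadType   = "application/vnd.in-toto+json"                 // DSSE payloadType for in-toto statements
	buildType     = "https://example.com/azure-pipelines/build@v1" // placeholder: a real tool publishes its own
)

// Statement is an in-toto v1 statement; Predicate carries the SLSA v1 buildDefinition and runDetails.
type Statement struct {
	Type          string         `json:"_type"`
	Subject       []Subject      `json:"subject"`
	PredicateType string         `json:"predicateType"`
	Predicate     map[string]any `json:"predicate"`
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Envelope is a DSSE envelope: base64 payload plus signatures over pae(payloadType, payload).
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// NewStatement binds the artifact's SHA-256 digest (the subject) to its provenance (the predicate).
// builderID, repoURI, commit and invocationID are what a runner-aware tool reads from its CI environment.
func NewStatement(name string, artifact []byte, builderID, repoURI, commit, invocationID string) Statement {
	return Statement{
		Type:          statementType,
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": fmt.Sprintf("%x", sha256.Sum256(artifact))}}},
		PredicateType: predicateType,
		Predicate: map[string]any{
			"buildDefinition": map[string]any{
				"buildType":            buildType,
				"externalParameters":   map[string]string{"repository": repoURI, "revision": commit},
				"resolvedDependencies": []map[string]any{{"uri": "git+" + repoURI, "digest": map[string]string{"gitCommit": commit}}},
			},
			"runDetails": map[string]any{
				"builder":  map[string]string{"id": builderID},
				"metadata": map[string]string{"invocationId": invocationID},
			},
		},
	}
}

// pae is DSSE's pre-authentication encoding; signing it rather than the raw JSON binds payloadType into the signature.
func pae(typ string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(body), body))
}

// Sign serializes the statement and signs it; Ed25519 stands in for whatever key or certificate the tool is given.
func Sign(st Statement, keyID string, priv ed25519.PrivateKey) Envelope {
	body, _ := json.Marshal(st) // cannot fail: the statement holds only strings, maps and slices of them
	sig := ed25519.Sign(priv, pae(payloadType, body))
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}
}

// Verify is the consumer side: accept only if a signature verifies under the trusted key, the payload is a
// SLSA v1 provenance statement, and the artifact in hand matches one of its subjects.
func Verify(e Envelope, pub ed25519.PublicKey, artifact []byte) (Statement, error) {
	body, err := base64.StdEncoding.DecodeString(e.Payload)
	if err != nil || e.PayloadType != payloadType {
		return Statement{}, fmt.Errorf("malformed envelope")
	}
	verified := false
	for _, s := range e.Signatures {
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		verified = verified || (err == nil && ed25519.Verify(pub, pae(e.PayloadType, body), raw))
	}
	if !verified {
		return Statement{}, fmt.Errorf("no signature verifies under the trusted key")
	}
	var st Statement
	if err := json.Unmarshal(body, &st); err != nil || st.Type != statementType || st.PredicateType != predicateType {
		return Statement{}, fmt.Errorf("payload is not a SLSA v1 provenance statement")
	}
	want := fmt.Sprintf("%x", sha256.Sum256(artifact))
	for _, sub := range st.Subject {
		if sub.Digest["sha256"] == want {
			return st, nil // the document vouches for exactly this artifact
		}
	}
	return Statement{}, fmt.Errorf("artifact digest does not match any subject")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed artifact bytes") // stands in for a real build output
	e := Sign(NewStatement("app.tar.gz", artifact, "https://dev.azure.com/example-org/_build",
		"https://dev.azure.com/example-org/proj/_git/app", "0123456789abcdef0123456789abcdef01234567", "4711"), "example-key", priv)
	_, err := Verify(e, pub, []byte("tampered artifact"))
	fmt.Println("tampered artifact rejected:", err)
}
```

Verify fails closed on three independent conditions: no signature under the trusted key, a payload that is not a SLSA v1 provenance statement, and a subject digest that does not match the artifact in hand. The signature is computed over the DSSE pre-authentication encoding rather than the bare JSON, so an envelope cannot be re-labelled with a different payloadType and still verify.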
CI Support
Cimon integrates seamlessly with Azure Pipelines, making it easy to incorporate into your CI workflows. The core component is the CimonAttest custom task, which allows you to invoke Cimon within your Azure Pipelines builds.
Cimon currently supports only Azure Pipelines; future releases will extend support to other popular CI systems such as GitHub Actions.
Read More
Dive deeper into Cimon Attest's capabilities by reading the following topics:
- Get started using Cimon Attest in Azure Pipelines.
- Explore the components of the Azure Pipelines provenance document.
- Understand which signature and verification methods are supported.