GitHub has released two updates designed to help secure software supply chains. The company announced a public beta of Artifact Attestations for GitHub Actions, which makes it easier for companies to verify where software components came from, and announced that Dependabot can now be run as a GitHub Actions workflow.
Artifact Attestations lets maintainers of open-source software easily create a paper trail for the software they are building, so that users of that software can verify where it came from and how it was built.
The attestations include a link to the workflow associated with the artifact, along with other relevant information such as its repository, organization, environment, commit SHA, and triggering event.
“There’s a growing need across enterprises and the open source ecosystem to have a verifiable way to link software artifacts back to their source code and build instructions. And with more than 100M developers building on GitHub, we want to ensure developers have the tools needed to help protect the integrity of their software supply chain,” Trevor Rosen, staff engineering manager for supply chain security at GitHub, wrote in a blog post.
Artifact Attestations is powered by Sigstore, an open source project that allows software artifacts to be signed and verified to promote greater software integrity.
According to GitHub, the process to set up an Artifact Attestation is simple. Developers must first enable their GitHub Actions workflow to write to the attestations store, then direct a workflow to create an attestation, and finally use the GitHub CLI to verify it.
Users can easily download attestation documents, which can also be extracted as JSON files for use in a policy engine like OPA.
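The three-step process described above (grant the workflow write access to the attestation store, have it create the attestation, then verify with the GitHub CLI), as an added example workflow that is not from the article or from GitHub's own documentation. It uses the `actions/attest-build-provenance` action and the `gh attestation verify` command; the workflow name, artifact path and build command are placeholders.

```yaml
# Added example (not from the article): build an artifact, attest it, and
# verify the attestation in the same run. Paths and the build step are placeholders.
name: build-and-attest

on:
  push:
    tags: ['v*']

permissions:
  contents: read        # needed to check out the source
  id-token: write       # OIDC identity token that Sigstore signs against
  attestations: write   # lets the workflow write to the repository's attestation store

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build release artifact (placeholder build step)
        run: |
          mkdir -p dist
          tar czf dist/example-app.tar.gz --exclude=dist .

      # Step 2: produce a signed provenance attestation for the artifact. The
      # attestation records the repository, workflow, commit SHA and trigger.
      - name: Create build provenance attestation
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/example-app.tar.gz

      # Step 3: verify with the GitHub CLI. This fails if the artifact's digest
      # has no attestation signed by a workflow of the expected repository.
      - name: Verify the attestation
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh attestation verify dist/example-app.tar.gz \
            --repo "${{ github.repository }}"
          # Emit the verification result as JSON for a downstream policy engine
          gh attestation verify dist/example-app.tar.gz \
            --repo "${{ github.repository }}" --format json > attestation-result.json
```

A consumer outside the workflow runs the same `gh attestation verify` command against a downloaded artifact, pinning `--repo` (or `--owner`) to the publisher it expects rather than trusting whatever the attestation claims.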
“Artifact Attestations will allow customers unprecedented visibility into the composition and usage of their built software artifact, and this is just the beginning. We’ll offer the ability to attest other kinds of artifacts associated with the build process, such as vulnerability reports and other pieces of metadata supported by the in-toto project’s defined predicate types. Look for exciting news around Kubernetes support, new guarantees for releases, and more later this year,” Rosen said.
Dependabot can now be run as a GitHub Actions workflow
Artifact Attestations isn’t the only announcement from GitHub to be aware of; the company also announced that Dependabot, GitHub’s automated solution for monitoring dependencies for vulnerabilities, can now be run as a GitHub Actions workflow, on either hosted or self-hosted runners.
It previously used only hosted compute, which meant that it couldn’t access on-premise resources. This also meant that logs were spread out elsewhere, and one of the requests from users was to be able to see all logs in one place.
“Developers will see performance improvements, like faster Dependabot runs and increased log visibility. APIs and webhooks for GitHub Actions can also detect failed runs and perform downstream processing should developers wish to configure this in their CI/CD pipelines,” Carlin Cherry, product manager at GitHub, wrote in a blog post.
This is part of GitHub’s long-term strategy to consolidate Dependabot entirely onto GitHub Actions. Over the course of the next year, GitHub will migrate all of Dependabot’s update jobs to GitHub Actions, leading to faster runs, increased troubleshooting visibility, self-hosted runners, and other benefits, GitHub explained.
According to GitHub, running Dependabot doesn’t count towards GitHub Actions minutes.