GitHub announces new updates to enhance supply chain security


GitHub has released two updates designed to help secure software supply chains. The company announced a public beta of Artifact Attestations for GitHub Actions, which makes it easier for companies to verify where software components came from, and announced that Dependabot can now be run as a GitHub Actions workflow.

Artifact Attestations allows maintainers of open-source software to easily create a paper trail for the software they are building, so that consumers of that software can verify where it came from and how it was created.

The attestations include a link to the workflow associated with the artifact, along with other related information such as its repository, organization, environment, commit SHA, and triggering event.

“There’s an increasing need across enterprises and the open source ecosystem to have a verifiable way to link software artifacts back to their source code and build instructions. And with more than 100M developers building on GitHub, we want to ensure developers have the tools needed to help protect the integrity of their software supply chain,” Trevor Rosen, staff engineering manager for supply chain security at GitHub, wrote in a blog post.

Artifact Attestations is powered by Sigstore, an open source project that allows software artifacts to be signed and verified to promote greater software integrity.

According to GitHub, the process to set up an Artifact Attestation is simple. Developers must first grant their GitHub Actions workflow permission to write to the attestations store, then direct a workflow to create an attestation, and finally use the GitHub CLI to verify it.

Users can easily download attestation documents, which can be extracted as JSON files for use in a policy engine like OPA.
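The three setup steps described above (grant the workflow write access to the attestation store, have it create an attestation, verify with the GitHub CLI) and the download of the attestation as JSON, as one added example workflow. This is illustrative code written for this article, not GitHub's own sample. The workflow and artifact names, the `v*` tag trigger, the action version tags, and the exact `gh attestation` flags are assumptions based on the public action and CLI at the time of writing; check the action's README and `gh attestation --help` before relying on them.

```yaml
# .github/workflows/build-and-attest.yml (hypothetical file name)
name: build-and-attest

on:
  push:
    tags: ['v*']   # assumption: attest only tagged release builds

# Default to read-only; elevate only in the job that needs to sign.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write      # step 1a: lets the job request the OIDC token Sigstore signs against
      attestations: write  # step 1b: lets the job write to the repository's attestation store
    steps:
      - uses: actions/checkout@v4

      - name: Build the artifact
        run: |
          mkdir -p dist
          tar -czf dist/app.tar.gz --exclude=dist .   # constructed placeholder build

      # Step 2: create a build-provenance attestation for the artifact.
      # The action records the workflow, repository, commit SHA and trigger
      # event that the article lists, and signs the statement via Sigstore.
      - name: Generate build provenance attestation
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/app.tar.gz

      - uses: actions/upload-artifact@v4
        with:
          name: app
          path: dist/app.tar.gz

  verify:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: app   # places app.tar.gz in the working directory

      # Step 3: verify with the GitHub CLI. The CLI needs a token to fetch the
      # attestation from the API; the job's own token is enough for a public repo.
      - name: Verify the attestation
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          # Fails the job if the artifact's digest has no valid attestation
          # produced by a workflow in this repository.
          gh attestation verify app.tar.gz --repo "${{ github.repository }}"

      # Optional: pull the attestation bundle down as JSON lines so a policy
      # engine such as OPA can evaluate it (assumed subcommand and output name).
      - name: Download attestation as JSON
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh attestation download app.tar.gz --repo "${{ github.repository }}"
          ls -l ./*.jsonl
```

A practitioner consuming someone else's artifact would run the same `gh attestation verify` command locally, pointing `--repo` (or `--owner`) at the publisher rather than at their own repository; a verification that passes proves the digest was produced by a workflow the named repository or organization controls, which is the "paper trail" the article describes.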

“Artifact Attestations will allow customers unprecedented visibility into the composition and usage of their built software artifact, and this is just the beginning. We’ll offer the ability to attest other kinds of artifacts associated with the build process, such as vulnerability reports and other pieces of metadata supported by the in-toto project’s defined predicate types. Look for exciting news around Kubernetes support, new guarantees for releases, and more later this year,” Rosen said.

Dependabot can now be run as a GitHub Actions workflow

Artifact Attestations is not the only announcement from GitHub worth noting; the company also announced that Dependabot, GitHub’s automated solution for monitoring dependencies for vulnerabilities, can now be run as a GitHub Actions workflow, on either hosted or self-hosted runners.

It previously ran only on hosted compute, which meant that it could not reach on-premises resources. This also meant that logs were spread across different places, and one of the requests from users was to be able to see all logs in one place.

“Developers will see performance improvements, like faster Dependabot runs and increased log visibility. APIs and webhooks for GitHub Actions can also detect failed runs and perform downstream processing should developers wish to configure this in their CI/CD pipelines,” Carlin Cherry, product manager at GitHub, wrote in a blog post.

This is part of GitHub’s long-term strategy to consolidate Dependabot entirely onto GitHub Actions. Over the course of the next year, GitHub will migrate all of Dependabot’s update jobs to GitHub Actions, leading to faster runs, increased troubleshooting visibility, self-hosted runners, and other benefits, GitHub explained.

According to GitHub, running Dependabot does not count towards GitHub Actions minutes.
