
New Supply Chain Security Features in Tekton

Today, the Tekton project is announcing four new features that drive advances for software delivery teams looking to secure their supply chains: 

  • Robust provenance
  • Sigstore integration
  • Trusted resources
  • Tekton Catalog now available on Artifact Hub

Tekton, one of the CD Foundation’s founding projects, is a powerful and flexible open source framework for creating CI/CD systems, allowing developers to build, test, and deploy across cloud providers and on-premise systems. Today, Tekton is used by many end-user companies, and as a basis for several cloud offerings. It also provides the base platform for a range of open source projects in the CI/CD space and beyond. With these new features, Tekton continues to lead the way for software delivery teams working to build transparency, integrity, and control into their continuous delivery pipelines.

“It’s very difficult to dabble and patch your way to a protected and resilient software supply chain,” said Al Huizenga, the Tekton product manager at Google Cloud. “Developers need to have the right foundational patterns in place to create a secure software supply chain. So as an emerging industry standard framework for continuous delivery, it’s really important that Tekton continues to bake in SLSA standards and controls by default.”

Robust Provenance

Tekton Chains, a sub-project of Tekton focused on supply chain security, has added enhanced capabilities that move the needle on SLSA L2 and L3 provenance requirements. SLSA is a security framework that provides a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. With Chains implemented, Tekton PipelineRuns generate robust, structured provenance statements that include all the information required to reproduce them, including input artifacts (e.g. source code, container images), output artifacts (e.g. executables, container images), the build resources themselves (e.g. the YAML files that define the build pipeline), and runtime build system configuration.
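As an added illustration (not code from the Tekton or Chains projects), the following Python checks the contents of such a provenance statement on the consuming side, before an artifact is deployed. It assumes the in-toto Statement / SLSA v0.2 predicate layout that Chains emits; the sample statement, builder id, repository URL and digests are constructed placeholders.

```python
import hashlib

# Constructed sample of the provenance Tekton Chains emits for a PipelineRun:
# an in-toto Statement carrying a SLSA v0.2 predicate. All values here are
# illustrative placeholders, not output from a real run.
ARTIFACT = b"constructed stand-in for a built binary"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()
REPO = "git+https://example.com/org/app"

PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "example.com/app", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicate": {
        "builder": {"id": "https://tekton.dev/chains/v2"},  # assumed builder id
        "invocation": {"configSource": {"uri": REPO, "digest": {"sha1": "a" * 40},
                                        "entryPoint": "pipeline.yaml"}},
        "materials": [{"uri": REPO, "digest": {"sha1": "a" * 40}}],
    },
}


def check_provenance(statement, artifact, expected_builder, allowed_sources):
    """Return policy violations for one artifact; an empty list means it passes.

    These are consumer-side checks on the statement's contents. They assume the
    envelope signature has already been verified; unsigned contents prove nothing.
    """
    violations = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        violations.append("unexpected predicateType")
    # Output artifact: what we are about to deploy must be a listed subject.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in statement.get("subject", [])):
        violations.append("artifact digest not among provenance subjects")
    pred = statement.get("predicate", {})
    # Build system: the provenance must come from the builder we trust.
    if pred.get("builder", {}).get("id") != expected_builder:
        violations.append("builder id mismatch")
    # Build resources: the pipeline definition must be pinned to an allowed source.
    src = pred.get("invocation", {}).get("configSource", {})
    if not src.get("uri", "").startswith(tuple(allowed_sources)) or not src.get("digest"):
        violations.append("pipeline definition not pinned to an allowed source")
    # Input artifacts: every material must be pinned and come from an allowed source.
    for m in pred.get("materials", []):
        if not m.get("uri", "").startswith(tuple(allowed_sources)) or not m.get("digest"):
            violations.append(f"untrusted or unpinned material: {m.get('uri')}")
    return violations
```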

Sigstore Support Leaves Experimental


Sigstore is an open source project under the OpenSSF that aims to improve the security and transparency of software supply chains by providing an easy way to sign software artifacts securely. Through the Tekton Chains integration, users can sign artifacts with Sigstore keyless signing, without provisioning long-lived keys, and publish the resulting signatures and attestations to the Sigstore transparency log, where anyone can verify them.

You can view Tekton Pipelines' own releases on the transparency log: https://search.sigstore.dev/?logIndex=15670208

“Sigstore has been gaining adoption in many developer communities, and Tekton Chains is thrilled to be a part of it,” says Billy Lynch, Software Engineer at Chainguard and maintainer of projects for both Tekton and Sigstore. “Being able to sign artifacts without needing to worry about keys goes a long way to help developers secure their supply chains without needing to worry about the complexities of key management.”

Trusted Resources

A supply chain is only secure if the build instructions themselves are secure. Tekton’s new Trusted Resources feature provides a set of tools that teams can use to ensure they only use trusted build instructions that haven’t been tampered with. They can use the Tekton CLI to sign YAML files with public-key cryptography, and then verify the signatures at build time. They can also define a set of policies that define which resources need to be signed, and what happens when verification fails.

Tekton Catalog on Artifact Hub

Tekton’s community-built catalog of reusable tasks is now available on Artifact Hub, a Cloud Native Computing Foundation project that makes it easy to find, analyze, install, and use packages and configurations used for continuous delivery. The Artifact Hub lays out all of the information you need to evaluate and use Tekton Catalog tasks, including version and release history, the container images used by the tasks, and the results of regular container image security scans.

Get Involved

Want to leave feedback or get more involved in Tekton development? Check out our community page for how to get started!