Who Are You Building For: Pipelines Have a Purpose
Andrew McNamara & Julen Landa Alustiza, Red Hat
Open Source Summit North America 2025
Why care about pipelines?
Source: https://slsa.dev/spec/v1.1/threats-overview
Pipeline security vs developer experience
🚀 What Developers Want
- Fast iteration cycles
- Simple onboarding
- Flexible workflows
- Clear feedback
🔒 Typical Security
- Checkbox-driven security
- Few, restrictive configurations
- Late-stage feedback
- Developer friction
How do we achieve what developers want securely?
Design philosophy
🎯 Security by Default
- Immediate protection: SLSA Build Level 3 from the first build
- Minimal configuration: Secure defaults work out of the box
- See vulnerabilities: Scanners configured and ready to run
- Progressive enhancement: Add custom tasks and scans as necessary
- Accurate SBOMs: Configure network restricted builds with "Hermeto"
🔄 Policy driven development
- Early detection: Find issues in development
- Learning opportunities: Violations become education
- Continuous improvement: Policies evolve with team
- Flexibility allowed: Policies allow for some changes
Policy-Driven Development
- Destination-specific policies
- Guidance at the right time
- Fine-grained SLSA provenance
- Tamper-proof data flow
- Vetted build steps
- Secure execution environment
Quick Onboarding - From Zero to Building
🚀 Getting Started
- Point Konflux at your repository
- Get a default build pipeline
- See your first build succeed
- Understand what happened
Built-in Security Tasks
🔍 Security Integration
- Vulnerability scanning with Clair
- SAST analysis
- Malware scanning with ClamAV
Policy-driven development in practice
- Policies integrated into workflow
- Immediate feedback in PRs
- Clear violation descriptions
- Suggested remediation steps
Hermetic Builds + Prefetch
- Hermetic: no network access during the build
- Prefetch: the build platform, not the build itself, downloads dependencies ahead of time
- Reproducible: same inputs = same outputs
- Auditable: complete dependency record in the SBOM
# Enable hermetic builds and prefetch
# gomod
spec:
  params:
    - name: hermetic
      value: 'true'
    - name: prefetch-input
      value: '{"type": "gomod", "path": "."}'
# Enable hermetic builds and prefetch
# Multiple package managers
spec:
  params:
    - name: hermetic
      value: 'true'
    - name: prefetch-input
      value: '[
        {"type": "pip", "path": "."},
        {"type": "npm", "path": "."}
      ]'
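The two snippets above show the `prefetch-input` param in both of its shapes: a single JSON object, or a JSON list of objects when several package managers are involved. The following checker is an added example (not part of the talk, and not Konflux or Hermeto code) that validates a PipelineRun's `spec.params` the way a pre-merge lint might: it confirms `hermetic` is the string `'true'`, accepts both shapes of `prefetch-input`, and flags entries with an unknown `type` or a `path` that escapes the repository. The set of accepted types is a constructed list containing only the three shown on these slides; extend it for the Hermeto version you run.

```python
from __future__ import annotations

import json
from typing import Any

# Package-manager types shown on the slides. Constructed, non-exhaustive list:
# add the types your Hermeto version supports.
KNOWN_PREFETCH_TYPES = {"gomod", "pip", "npm"}


def normalize_prefetch_input(raw: str) -> list[dict[str, Any]]:
    """Parse a prefetch-input param value into a list of entries.

    Accepts both forms used on the slides: one JSON object, or a JSON list
    of objects. Raises ValueError for anything else.
    """
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"prefetch-input is not valid JSON: {exc}") from None
    if isinstance(parsed, dict):
        parsed = [parsed]
    if not isinstance(parsed, list):
        raise ValueError("prefetch-input must be a JSON object or a list of objects")
    entries: list[dict[str, Any]] = []
    for i, entry in enumerate(parsed):
        if not isinstance(entry, dict):
            raise ValueError(f"prefetch-input[{i}] is not a JSON object")
        if "type" not in entry:
            raise ValueError(f"prefetch-input[{i}] is missing 'type'")
        entries.append(entry)
    return entries


def check_hermetic_params(params: list[dict[str, str]]) -> list[str]:
    """Return a list of findings for a PipelineRun's spec.params.

    `params` mirrors the YAML: a list of {"name": ..., "value": ...} dicts.
    An empty list means the hermetic/prefetch configuration looks sound.
    """
    by_name = {p.get("name"): p.get("value") for p in params}
    findings: list[str] = []

    # Tekton params are strings, so the slides quote the value as 'true'.
    hermetic = by_name.get("hermetic") == "true"
    if not hermetic:
        findings.append(
            "hermetic is not 'true': the build keeps network access, so the SBOM "
            "cannot be trusted to list every dependency"
        )

    raw = by_name.get("prefetch-input")
    if raw is None:
        if hermetic:
            findings.append(
                "hermetic build without prefetch-input: any dependency that is not "
                "vendored in the repository cannot be fetched inside the sandbox"
            )
        return findings

    try:
        entries = normalize_prefetch_input(raw)
    except ValueError as exc:
        findings.append(str(exc))
        return findings

    for i, entry in enumerate(entries):
        if entry["type"] not in KNOWN_PREFETCH_TYPES:
            findings.append(f"prefetch-input[{i}]: unknown type {entry['type']!r}")
        path = str(entry.get("path", "."))
        # Prefetch paths are relative to the source checkout; reject escapes.
        if path.startswith("/") or ".." in path.split("/"):
            findings.append(f"prefetch-input[{i}]: path {path!r} must stay inside the repository")
    return findings


# Constructed sample matching the multi-package-manager snippet on the slide.
SAMPLE_PARAMS = [
    {"name": "hermetic", "value": "true"},
    {"name": "prefetch-input",
     "value": '[{"type": "pip", "path": "."}, {"type": "npm", "path": "."}]'},
]


if __name__ == "__main__":
    for finding in check_hermetic_params(SAMPLE_PARAMS) or ["no findings"]:
        print(finding)
```

Run it against the params block of a PipelineRun before the change merges; a non-empty result is the kind of early, specific feedback the policy-driven workflow on the next slides is meant to surface in the PR rather than at release time.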
Automated Dependency Updates
🤖 MintMaker
- Automated security updates
- Policy-compliant updates
- Tested before merging
Triggering Releases
🚀 Release Service
- Build once, release multiple times
- Destination-specific policies
- Automated promotion gates
- Official releases
- Developer releases
Key Takeaways for Developers
What developers get, made possible by Konflux:
- Start quickly: working pipeline in minutes
- With full control: the pipeline lives in your repo
- Progressively adding security: add protections incrementally
- Planning for compliance: policy violations prepare you for release
- And automated maintenance: security updates handled
- Built on a strong foundation:
  - Trust established on a task level
  - Observer-generated attestations
  - Policy-driven development
  - Build once, automate release
More talks about Konflux
- Monday, June 23 (cdCon)
  - Lock the Chef in the Kitchen: Enabling Accurate SBOMs Via Hermetic Builds
- Wednesday, June 25 (cdCon)
  - Not Just Ticking a Box ☑️ Establishing Trust in Artifacts with Provenance 🔐🔗
- Wednesday, June 25 (OpenGovCon)
  - Building Trust Through Proactive Security - Key Parts of the Trusted Software Supply Chain
- Thursday, June 26 (OpenSSF Community Day)
  - Who Are You Building For: Pipelines Have a Purpose
Thank you!
@arewm
arewm@redhat.com
@Zokormazo
julen@redhat.com
konflux-ci.dev
hermetoproject.github.io/hermeto
conforma.dev