Let Devs Be Devs Without Sacrificing Security
Proof-of-concept code doesn’t need to meet the same requirements as production-quality critical infrastructure applications. If the requirements are the same, however, you probably have a long line of frustrated developers who can’t innovate or even get their code tested. Yet maintaining (and auditing) multiple pipelines to achieve different levels of hardening is not realistic either.
Detailed SLSA provenance and policy enforcement can work together to create flexible and adaptive pipelines for all your software security needs. Join us and learn how we’ve combined Tekton, Tekton Chains, and Enterprise Contract within our production CI to build out a secure, flexible framework. This combination lays down a secure foundation to freely build a variety of artifacts and apply risk-based policies to prevent unacceptable software from getting into your systems. Want to use the same pipeline to build software for dev and prod? No problem – just make sure that there is an appropriate policy for each!
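The idea above, one pipeline producing SLSA provenance and a per-environment policy deciding what is admitted, can be sketched in a few dozen lines. The following is an added illustration, not code from Konflux, Tekton Chains or Conforma/Enterprise Contract: it evaluates a constructed in-toto statement carrying a SLSA v1 provenance predicate against two hypothetical policies. The builder id, repository, branch names and build type are all constructed values; a real deployment would take them from the Chains configuration and the policy data for that environment.

```python
"""Risk-based admission over SLSA v1 provenance: one build, one attestation,
a different policy per target environment. Added example; all identifiers
below are constructed for illustration."""
from dataclasses import dataclass

SLSA_V1 = "https://slsa.dev/provenance/v1"


@dataclass(frozen=True)
class Policy:
    """One set of admission rules; an empty allow-set means 'no restriction'."""
    name: str
    trusted_builders: frozenset[str]
    allowed_repo_prefixes: frozenset[str] = frozenset()
    allowed_refs: frozenset[str] = frozenset()
    require_pinned_dependencies: bool = False


# Hypothetical builder id (constructed; in practice taken from your Chains config).
BUILDER_ID = "https://tekton-chains.example/builder"

# dev only needs provenance from a known builder; prod additionally pins the
# source repository, the branch and every resolved dependency by digest.
DEV_POLICY = Policy(name="dev", trusted_builders=frozenset({BUILDER_ID}))
PROD_POLICY = Policy(
    name="prod",
    trusted_builders=frozenset({BUILDER_ID}),
    allowed_repo_prefixes=frozenset({"https://github.com/example-org/"}),
    allowed_refs=frozenset({"refs/heads/main"}),
    require_pinned_dependencies=True,
)
POLICIES = {"dev": DEV_POLICY, "prod": PROD_POLICY}


def evaluate(statement: dict, policy: Policy) -> list[str]:
    """Return the policy violations for an in-toto statement whose predicate is
    SLSA v1 provenance; an empty list means the artifact is admitted."""
    if statement.get("predicateType") != SLSA_V1:
        return [f"{policy.name}: no SLSA v1 provenance attached"]
    violations: list[str] = []
    pred = statement.get("predicate", {})
    build = pred.get("buildDefinition", {})
    run = pred.get("runDetails", {})

    builder = run.get("builder", {}).get("id", "")
    if builder not in policy.trusted_builders:
        violations.append(f"{policy.name}: untrusted builder {builder!r}")

    params = build.get("externalParameters", {})
    repo = params.get("repo", "")
    if policy.allowed_repo_prefixes and not any(
        repo.startswith(p) for p in policy.allowed_repo_prefixes
    ):
        violations.append(f"{policy.name}: source repo {repo!r} not in allowed set")

    ref = params.get("ref", "")
    if policy.allowed_refs and ref not in policy.allowed_refs:
        violations.append(f"{policy.name}: ref {ref!r} not allowed")

    if policy.require_pinned_dependencies:
        for dep in build.get("resolvedDependencies", []):
            if not dep.get("digest"):
                uri = dep.get("uri", "?")
                violations.append(f"{policy.name}: dependency {uri!r} not pinned by digest")
    return violations


def admit(statement: dict, environment: str) -> tuple[bool, list[str]]:
    """Select the policy for the target environment and evaluate against it.
    An environment with no policy is rejected rather than silently admitted."""
    policy = POLICIES.get(environment)
    if policy is None:
        return False, [f"no policy defined for environment {environment!r}"]
    violations = evaluate(statement, policy)
    return not violations, violations


def make_statement(ref: str, pinned: bool) -> dict:
    """Construct a sample in-toto statement shaped like a SLSA v1 attestation."""
    dep = {"uri": "git+https://github.com/example-org/app"}
    if pinned:
        dep["digest"] = {"gitCommit": "b" * 40}  # constructed commit id
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "registry.example/app", "digest": {"sha256": "a" * 64}}],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://buildtype.example/placeholder",
                "externalParameters": {"repo": "https://github.com/example-org/app", "ref": ref},
                "resolvedDependencies": [dep],
            },
            "runDetails": {"builder": {"id": BUILDER_ID}},
        },
    }


if __name__ == "__main__":
    feature_build = make_statement("refs/heads/feature-x", pinned=False)
    for env in ("dev", "prod"):
        ok, why = admit(feature_build, env)
        print(env, "ADMIT" if ok else "REJECT", why)
```

Run as a script, the same feature-branch build is admitted to `dev` and rejected for `prod` with two named violations (branch and unpinned dependency), which is the point of the talk: the pipeline and the attestation do not change, only the policy that reads them does. Note that an unknown environment is rejected rather than falling through to the most permissive policy.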
Resources
- Event: SOSS Community Day Europe 2024, Vienna, Austria
- Konflux CI/CD Platform: konflux-ci.dev
- Tekton Pipelines: tekton.dev
- Tekton Chains: tekton.dev/docs/chains
- SLSA Framework: slsa.dev
- Conforma Policy Engine: conforma.dev