Who Are You Building For: Pipelines Have a Purpose
Software is built for a purpose. The same property applies to build platforms!
We will show you how we are leveraging Tekton and Tekton Chains at Red Hat to create a build platform that meets developers where they are. Developers start with the pipeline defined in their git repository – free for them to modify and update on their terms, with Tekton tasks ready to scan artifacts for vulnerabilities and Renovate pre-configured to help keep dependencies up to date.
This platform also helps make sure that the artifacts are headed for a defined destination. Using the detailed SLSA Provenance generated by Tekton Chains, the build platform enables policy-driven development. Developers can see in their PRs whether they are on track to meet the target’s requirements – whether that target is a development or a production environment. Gone are the days of saying “I didn’t know I had to do that!”
We won’t send the artifacts just anywhere, however: policies can be tailored to ensure that you are meeting all of the requirements. The platform can inspect the provenance to ensure that artifacts were built using trusted steps and that all required checks are good for takeoff!
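To make the "trusted steps plus required checks" gate concrete, here is an added example (not Konflux, Tekton Chains or Conforma code) that evaluates a policy over a SLSA v1 provenance statement. The statement, the task bundle URIs, the digests and the allowlist are all constructed, and treating each `oci://` entry under `resolvedDependencies` as a task bundle is an assumption of this example.

```python
import json

# Constructed, simplified SLSA v1 in-toto statement with hypothetical values.
# The resolvedDependencies entries stand in for the task bundles the pipeline ran.
PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "registry.example/app", "digest": {"sha256": "aa" * 32}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"buildDefinition": {"resolvedDependencies": [
        {"name": "task/git-clone", "uri": "oci://registry.example/tasks/git-clone",
         "digest": {"sha256": "11" * 32}},
        {"name": "task/build", "uri": "oci://registry.example/tasks/buildah",
         "digest": {"sha256": "22" * 32}},
        {"name": "task/scan", "uri": "oci://registry.example/tasks/clair-scan",
         "digest": {"sha256": "33" * 32}},
    ]}},
})

# Policy inputs (hypothetical): task bundle digests we trust, and checks that must have run.
TRUSTED_TASKS = {
    "oci://registry.example/tasks/git-clone": {"11" * 32},
    "oci://registry.example/tasks/buildah": {"22" * 32},
    "oci://registry.example/tasks/clair-scan": {"33" * 32},
}
REQUIRED_CHECKS = {"oci://registry.example/tasks/clair-scan"}


def evaluate(statement_json, trusted_tasks, required_checks, expected_digest):
    """Return a list of policy violations; an empty list means the artifact may ship."""
    st = json.loads(statement_json)
    if st.get("predicateType") != "https://slsa.dev/provenance/v1":
        return ["unsupported predicateType"]
    violations = []
    # The provenance must describe the exact artifact being released.
    if expected_digest not in {s["digest"].get("sha256") for s in st.get("subject", [])}:
        violations.append("subject digest does not match artifact")
    deps = st["predicate"]["buildDefinition"].get("resolvedDependencies", [])
    seen = set()
    for dep in deps:
        if not dep.get("uri", "").startswith("oci://"):
            continue  # only task bundles are subject to the trusted-task rule here
        uri, digest = dep["uri"], dep.get("digest", {}).get("sha256")
        seen.add(uri)
        if digest not in trusted_tasks.get(uri, set()):
            violations.append(f"untrusted task: {uri}@{digest}")
    for check in sorted(required_checks - seen):
        violations.append(f"required check did not run: {check}")
    return violations


if __name__ == "__main__":
    print(evaluate(PROVENANCE, TRUSTED_TASKS, REQUIRED_CHECKS, "aa" * 32) or "policy passed")
```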
Trust Model Layers
- Foundation: K8s + Tekton
- Trusted Task Library: Community-contributed verified tasks
- Trusted Artifacts: Tamper-proof data flow
- Observer Generated Attestations: Independent SLSA provenance
- Policy Engine: Automated compliance guidance (Conforma)
- Release Service: Build once, release everywhere
Links
- Event: OpenSSF Community Day NA
- Session: sched.co
- Konflux: konflux-ci.dev
- Tekton Chains: tekton.dev
- Conforma: conforma.dev
- Hermeto: hermetoproject.github.io
Speakers: Andrew McNamara & Julen Landa Alustiza, Red Hat