GitHub is taking a step forward to help companies improve supply chain security with the release of Artifact Attestations. This new feature allows GitHub users to verify the integrity of GitHub Actions artifacts before they choose to deploy them into their Kubernetes cluster.

Artifacts in GitHub are files or collections of files that were created during a workflow run, such as build or test output. 

Attestations include a link to the workflow associated with the artifact, along with other relevant information like its repository, organization, environment, commit SHA, and triggering event. 

According to GitHub, Artifact Attestations are powered by Sigstore, which is an open source project that allows software artifacts to be signed and verified to promote greater software integrity. 

Along with this general availability release, GitHub is also offering a new way to build Kubernetes admission controllers that lets developers validate attestations from within Kubernetes clusters. According to GitHub, this ensures that only properly validated artifacts get deployed.

“By integrating Artifact Attestations into your GitHub Actions workflows, you enhance the security of your development and deployment processes, protecting against supply chain attacks and unauthorized modifications,” GitHub wrote in a blog post.
