Blog
  • Welcome to egonzalez blog
  • Software Supply Chain Security
    • Software Supply Chain Security: Why It Matters
    • Software Supply Chain Security: A Technical Deep Dive
    • SLSA and the Software Supply Chain Security: Time to Get Serious
  • Provenance
    • Understanding Provenance in Software Supply Chain Security
  • Building a secure development framework
  • Hacking
    • Index
      • Hack the box writeups
        • Dyplesher HTB writeup
        • Fatty HTB writeup
        • Oouch HTB writeup
        • Sauna HTB writeup
      • Python Vulnerabilities
        • Data Deserialization
          • Pickle
          • XML
          • YAML
      • Hacking cheatsheet
  • DevSecOps
    • Index
      • Gitlab CI minikube development environment
      • Gerrit review minikube
      • Gerrit and gitlab replication and CI job hooks on k8s
      • Vault integration with Gitlab CI
      • Gitlab CI template for DefectDojo
      • Falco real time runtime thread detection on k8s
      • Zarf - Airgap deployment in kubernetes
      • OWASP Dependency-track
      • OpenDaylight in a Docker
      • To conditional or to skip, that's the Ansible question
      • Spacewalk Red Hat Satellite v5 in a Docker container PoC
      • Ansible INI file module
  • OpenStack
    • Index
      • OpenStack tacker and service function chaining sfc with kolla
      • Deploy OpenStack designate with kolla-ansible
      • OpenStack keystone zero downtime upgrade process newton to ocata
      • Midonet integration with OpenStack Mitaka
      • OpenStack kolla deployment
      • Magnum in RDO OpenStack Liberty
      • Nova VNC flows under the hood
      • Ceph Ansible baremetal deployment
      • Rally OpenStack benchmarking with Docker
      • OpenStack affinity/anti-affinity groups
      • Migrate keystone v2.0 to keystone v3 OpenStack
      • Neutron DVR OpenStack Liberty
      • OpenStack segregation with availability zones and host aggregates
      • Nova Docker driver
      • Murano in RDO OpenStack manual installation
      • Ceph RadosGW admin Ops
      • Multiple store locations for glance images
      • List all tenants belonging an user
      • Load balancer as a service OpenStack LbaaS
      • OpenStack nova API start error
      • Delete OpenStack neutron networks
Powered by GitBook
On this page
  • What Is Provenance?
  • Why Provenance Is Important for Security
  • How to Implement Provenance in Software Supply Chain Security
  • SLSA: A Framework for Provenance
  • Challenges and Tips
  • Conclusion

Was this helpful?

  1. Provenance

Understanding Provenance in Software Supply Chain Security

What Is Provenance?

Provenance is a record that tracks the origin and history of something. In the context of software supply chain security, it means knowing exactly where every piece of your software comes from. Think of it as a trail: it shows who wrote the code, what tools were used to build it, and what steps were taken to make the final product.

Why does this matter? Software supply chains are complex. A single app might use code from many developers, libraries from the internet, and tools from different companies. If one part is insecure—like a library with hidden malware—it can put the whole software at risk. Provenance helps us check that every piece is safe and trustworthy.

Why Provenance Is Important for Security

Imagine you’re at a grocery store picking out food for dinner. You look at a pack of chicken. You want to know it’s fresh and safe to eat, right? So, you check the label—it tells you where the chicken came from, when it was packed, and maybe even the farm it was raised on. If the label is missing or looks suspicious, you might not trust it. What if it’s been sitting in a dirty warehouse for weeks? Or worse, what if someone tampered with it and added something harmful? Without that information, you’re taking a risk with every bite.

Provenance is the same for software—it’s the label that tells you the story of what you’re using. Without it, you might download code from an unknown source, like picking up a mystery meat with no packaging. That code could have hidden bugs or malware, just like spoiled food could make you sick. With provenance, you get the full picture: who raised this “software chicken,” how it was “cooked,” and whether it’s safe to “eat.” By tracking provenance, companies can:

  • Find risks: See if any part of the software comes from an untrusted source, like a shady supplier with no history.

  • Fix problems fast: If something goes wrong—like a stomachache from bad food—they can trace it back to the source, whether it’s a buggy library or a hacked tool.

  • Build trust: Customers and users feel safer knowing the software is secure, just like you feel better eating food from a brand you recognize.

In short, provenance is your guarantee that the software won’t “poison” your system, much like a food label protects your health.

How to Implement Provenance in Software Supply Chain Security

So, how do you "do" provenance? It’s not hard, but it takes planning. Here are some practical steps to get started:

  1. Document Everything Keep a record of every component in your software. This includes the code you write, third-party libraries, and tools you use. For example, note the version of a library (like "v1.2.3") and where you got it from (like a trusted website).

  2. Use a Software Bill of Materials (SBOM) An SBOM is a list of all the "ingredients" in your software. It’s like a recipe that says, “This app uses these libraries, this framework, and these tools.” In GitLab, add a CI/CD job to generate it with CycloneDX:

sbom_generate:
  stage: build
  script:
    - cyclonedx-bom -o bom.xml
  artifacts:
    paths:
      - bom.xml

  1. Sign Your Code Use digital signatures to prove who created the software. A signature is like a seal—it shows the code hasn’t been changed by someone else. In GitLab, enable GPG signing in Settings > GPG Keys, then sign commits

  2. Automate the Process GitLab can automate provenance using its CI/CD pipelines and the GitLab Runner. Since version 15.1, the runner can generate provenance metadata if you set the RUNNER_GENERATE_ARTIFACTS_METADATA variable. Here’s an example in your .gitlab-ci.yml:

build_job:
  variables:
    RUNNER_GENERATE_ARTIFACTS_METADATA: "true"
  stage: build
  script:
    - python setup.py sdist
  artifacts:
    paths:
      - dist/

When this job runs on a GitLab Runner (version 15.1 or higher), it produces a metadata file (e.g., $JOB_ID-artifacts-metadata.json) alongside your artifacts. This file follows the SLSA provenance format and includes details like the commit SHA, build time, and runner info.

  1. Verify Before Use Before adding a new library, check its provenance.

  2. Store Provenance Securely Keep your provenance records safe. GitLab stores the metadata file as an artifact automatically. You can also upload it to the Package Registry for long-term access or share it securely with your team.

SLSA: A Framework for Provenance

SLSA, or Supply Chain Levels for Software Artifacts, is a special framework to make software supply chains safer. It was inspired by real-world attacks, like the SolarWinds hack, where bad code slipped into trusted software. SLSA uses levels (0 to 4) to show how secure a software’s supply chain is, and provenance is a key part.

Here’s how SLSA works with provenance:

  • Level 0: No provenance—just basic software with no records.

  • Level 1: Basic provenance, like a list of sources, generated manually or automatically.

  • Level 2: Provenance is generated by a secure build system (e.g., GitLab runners) and signed.

  • Level 3: Adds strict rules, like tamper-proof storage and verified build processes.

  • Level 4: The highest level, with full security and audits.

For example, in GitLab, you can aim for Level 1 by generating an SBOM and provenance file in your pipeline. For Level 2, use signed commits and a dedicated GitLab runner. SLSA makes provenance stronger, helping you fight supply chain attacks.

Challenges and Tips

Implementing provenance isn’t always easy. Some challenges include:

  • Old software: Legacy code might not have good records.

  • Third-party code: Libraries from others can be hard to track.

  • Time and cost: Setting it up takes effort.

To make it smoother, start small. Use provenance for new projects first, then add provenance to older ones. Work with your team to agree on tools and processes, and keep learning as you go.

Conclusion

Provenance is a key part of software supply chain security. It helps us know where our software comes from and ensures it’s safe to use. By documenting components, using SBOMs, signing code, and automaton, companies can protect their software from risks. With frameworks like SLSA, provenance gets even stronger, giving us clear rules to follow. In a world where cyber threats are growing, provenance is like a shield—it builds trust and keeps us secure.

So, next time you build or use software, ask: “Where did this come from?” With provenance, you’ll have the answer.

PreviousProvenanceNextBuilding a secure development framework

Last updated 1 month ago

Was this helpful?