Chapter 1. Conforma for RHADS - SSC
Conforma is a policy-driven workflow tool for maintaining software supply chain security by defining and enforcing policies for building and testing container images.
The more complex a software supply chain becomes, the more critical it is to employ reliable checks and best practices that guarantee the integrity of software artifacts, such as your container images, and the dependability of your source code. This is where Conforma streamlines the Red Hat Advanced Developer Suite - software supply chain (RHADS - SSC) build and deploy experience.
For a build system that creates Supply-chain Levels for Software Artifacts (SLSA) provenance attestations, such as Tekton with Tekton Chains and GitHub Actions with the SLSA GitHub Generator, checking the signatures and confirming that the contents of the attestations actually match what is expected is a critical part of verifying and maintaining the integrity of your software supply chain. A secure CI/CD workflow should include artifact verification to detect problems early. Conforma validates that a known and trusted build system signs and attests the container image.
The general steps for validating a signed and attested container image are as follows:
- Create or copy a container image with RHADS - SSC.
- Generate a signing key with Cosign.
- Sign the container image with Cosign.
- Attest the image with Cosign.
- Verify your signed and attested container image with the Conforma CLI.
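The five steps above as one script, added here as an example and not taken from the RHADS - SSC documentation. It assumes that cosign, skopeo and the Conforma CLI (ec) are on PATH, that you are logged in to the registry, and that policy.yaml is a Conforma policy configuration you already maintain; the image reference is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the RHADS - SSC docs): create/copy, key generation, signing,
# attestation and Conforma verification chained together. Assumes cosign, skopeo and
# ec are installed and policy.yaml exists; IMAGE is a constructed placeholder.
set -eu

IMAGE="${IMAGE:-quay.io/example/my-app:latest}"   # constructed placeholder reference
KEY="${KEY:-cosign}"                              # cosign writes cosign.key and cosign.pub
PREDICATE="${PREDICATE:-predicate.json}"          # SLSA provenance predicate from your build
POLICY="${POLICY:-policy.yaml}"                   # Conforma policy configuration

# With DRY_RUN=1 every step prints the command it would run instead of running it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 2: generate a key pair. Set COSIGN_PASSWORD so cosign does not prompt in CI.
# For an on-prem Trusted Artifact Signer instance, also pass --rekor-url/--fulcio-url
# to the sign and attest commands below (assumption about your deployment).
generate_key() { run cosign generate-key-pair; }

# Sign and attest by digest, never by tag: a tag can be moved to different content
# later, a digest cannot. References that already carry a digest are returned as-is.
pin_to_digest() {
  case "$1" in *@sha256:*) printf '%s\n' "$1"; return 0 ;; esac
  digest=$(skopeo inspect --format '{{.Digest}}' "docker://$1")
  printf '%s@%s\n' "${1%:*}" "$digest"
}

# Step 3: sign the image. --yes skips the interactive transparency-log prompt.
sign_image() { run cosign sign --yes --key "$KEY.key" "$1"; }

# Step 4: attach the SLSA provenance predicate as an in-toto attestation.
attest_image() {
  run cosign attest --yes --key "$KEY.key" --type slsaprovenance --predicate "$PREDICATE" "$1"
}

# Step 5: Conforma checks signature, attestation and policy; a non-zero exit blocks promotion.
verify_image() {
  run ec validate image --image "$1" --public-key "$KEY.pub" --policy "$POLICY" --output json
}

# Run all steps only when invoked with "all"; sourcing the file just defines the functions.
if [ "${1:-}" = all ]; then
  generate_key
  REF=$(pin_to_digest "$IMAGE")
  sign_image "$REF"
  attest_image "$REF"
  verify_image "$REF"
fi
```

Run it as `sh sign-and-verify.sh all` after your build has written the provenance predicate; with `DRY_RUN=1` it only prints the commands so you can review them before they touch the registry.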
Signed software artifacts like container images are at a significantly lower risk of several attack vectors than unsigned artifacts. When a container image is signed, various cryptographic techniques bind the image to a specific entity or organization. The result is a digital signature that verifies the authenticity of the image so that you can trace it back to its creator and also verify that the image was not altered or tampered with after it was signed.
Conforma builds on the industry-standard Sigstore and Cosign libraries to validate your container images. With Red Hat Trusted Artifact Signer, Red Hat’s supported version of the Sigstore framework, you can use your own on-premise instance of Sigstore’s services to sign and attest your container images with the Cosign CLI.
Software artifact attestation cannot happen without provenance. Provenance is the verifiable information about software artifacts like container images that describes where, when, and how that artifact was produced. The attestation itself is an authenticated statement, in the form of metadata, that proves that an artifact is intact and trustworthy. Conforma uses that attestation to cryptographically verify that the build was not tampered with, and to check the build against any set of policies, such as SLSA requirements.
When you push your code from either the RHADS - SSC development namespace to the stage namespace, or from the stage namespace to the production namespace, Conforma automatically runs its validation checks to make sure your container image was signed and attested by known and trusted build systems. When your image passes the Conforma check, you can merge your code changes to complete your promotion from one environment to the next.