ARGO-SLSA: software supply chain security in argo workflows
Date
2025
Publisher
IEEE
Abstract
Kubernetes has become the de facto standard for managing microservices, and automating complex, multi-step workflows is a common requirement in Kubernetes. Argo Workflows is a Kubernetes-native engine for running these workflows in an automated fashion. Such workflows generate artifacts such as executables, logs, container images, and packages, and these artifacts require proper governance. The Open Source Security Foundation (OpenSSF), in collaboration with Google, introduced Supply-chain Levels for Software Artifacts (SLSA), a security governance framework that includes detailed technical requirements for producing artifacts. However, Argo Workflows has no built-in support for incorporating the SLSA framework. This vacuum creates silos, because practitioners must rely on third-party tools to meet software supply chain security standards. This paper proposes a Kubernetes-native controller that runs in parallel to the existing open-source Argo Workflows to enhance the security of its artifacts. The controller produces cryptographic signatures and provenance attestations for the artifacts, which allows Argo Workflows to comply with SLSA standards. Evaluations were conducted in a real-world, self-hosted environment to demonstrate ARGO-SLSA's ability to elevate artifacts to Level 2 of the SLSA build track. Experimental results indicate that the ARGO-SLSA controller surpasses existing software supply chain security solutions.
