This repo offers a step-by-step guide on how to establish centralized control for risk management by creating software supply chain components and employing policies. This walkthrough covers the following aspects of the secure software supply chain:

• Generation of the software bill of materials (SBOM) by analyzing source code, dependencies, and container image packages using Microsoft's SBOM tool.
• Production of vulnerability reports using Aquasec's Trivy.
• Signing of both the container image and security artifacts using Notation.
• Bundling of the signatures, security artifacts, and container image (the software release) using ORAS .
• Enforcement of policies through Gatekeeper and Ratify as part of the admission control process.

The following architecture will be provisioned and configured upon successful completion of the walkthrough. For a more detailed breakdown see provisioned infrastructure.

This walkthrough requires the user have certain permissions at the repository level. Fork the repository and work within the fork to make sure all steps can be performed.

It is highly recommended to leverage the supplied Visual Studio Code development container or GitHub Codespaces when working with this walkthrough. The devcontainer, which is also used by Codespaces, includes all the required tooling with no additional steps or configuration.

If not utilizing the devcontainer or Codespaces, review the list of required utilities and verify each is installed and configured.

When working with this walkthrough, there are two pipeline options for building images and artifacts: Azure Pipelines and GitHub Actions. Each option requires a slightly different configuration.

Please ensure the walkthrough environment is up and running before continuing with either pipeline option.

Starting with the desired pipeline option, this guide is composed of five steps:

1. Infrastructure configuration
2. Inspect container images and artifacts
3. Policy definition and assignment
4. Workload deployment and policy enforcement
5. Teardown

• Technology used in this blueprint
• Glossary
• Signing keys and certificates

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.