We are excited to announce the addition of pipeline metadata tracking, now available in HCP Packer. HCP Packer is a powerful tool that provides image lifecycle management at scale across any cloud and on-premises environments. With this addition, users can now track which CI/CD tools were used in the image-building process through integrations with GitHub and GitLab. This enhancement helps lay the foundation for a secure build pipeline and grants HCP Packer level 1 compliance with SLSA (Supply-Chain Levels for Software Artifacts).
Artifact provenance challenges
As the security demands on the software supply chain grow, organizations recognize the need for provenance of their base images and build artifacts. Artifact provenance includes verifiable information about the creation and configuration of image builds. Without a clear lineage of where, how, and by whom each artifact was built, it can be difficult to verify an artifact's legitimacy and compliance. Organizations must ensure they employ only trusted artifacts, validated at each stage of their lifecycle, to maintain the integrity and security of their software.
Improving build visibility
HCP Packer now provides the ability to track pipeline metadata in the artifact registry. This includes critical CI/CD information such as pipeline IDs, job names, details on the operating system, VCS commits, and more. For a full list of the details captured, please refer to the build pipeline metadata reference.
This addition grants HCP Packer level 1 SLSA compliance by providing a basic level of source code identification that can help organizations make risk-based security decisions. With this visibility, organizations can shift their security left and address risks earlier in the infrastructure deployment process.
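One way to turn the captured pipeline metadata into a risk-based promotion gate, as an added example that is not HashiCorp's code: the record shape below is a constructed illustration of the fields the page lists (CI system, pipeline ID, job name, OS, VCS commit), not the HCP Packer API schema, and the expected commit and approved job names are assumed inputs from the consuming team's own review process.

```python
from dataclasses import dataclass
import re


@dataclass
class BuildMetadata:
    """Constructed stand-in for one build's pipeline metadata (assumed shape)."""
    ci_system: str      # e.g. "github" or "gitlab", the integrations the page names
    pipeline_id: str
    job_name: str
    os_name: str
    vcs_commit: str


# Constructed sample record; values are illustrative only.
SAMPLE_BUILD = BuildMetadata(
    ci_system="github",
    pipeline_id="1234567890",
    job_name="build-ubuntu-base",
    os_name="linux",
    vcs_commit="0123456789abcdef0123456789abcdef01234567",
)

ALLOWED_CI = {"github", "gitlab"}
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")


def provenance_findings(build: BuildMetadata, expected_commit: str,
                        allowed_jobs: set[str]) -> list[str]:
    """Return reasons the image should NOT be promoted; an empty list means it passes."""
    findings = []
    if build.ci_system not in ALLOWED_CI:
        findings.append(f"unrecognised CI system {build.ci_system!r}")
    if not build.pipeline_id:
        findings.append("missing pipeline id: build did not come from a tracked pipeline")
    if build.job_name not in allowed_jobs:
        findings.append(f"job {build.job_name!r} is not an approved image-build job")
    if not COMMIT_RE.fullmatch(build.vcs_commit):
        findings.append("VCS commit is not a full 40-hex SHA")
    elif build.vcs_commit != expected_commit:
        findings.append("VCS commit does not match the reviewed source revision")
    return findings


def is_promotable(build: BuildMetadata, expected_commit: str, allowed_jobs: set[str]) -> bool:
    """Gate used before an image is promoted to a production channel."""
    return not provenance_findings(build, expected_commit, allowed_jobs)
```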
Pipeline metadata tracking builds on our initiative to enhance metadata visibility within HCP Packer, with recent additions including Packer version and plugin version tracking. It marks another step towards complete artifact provenance to help organizations gain full visibility into their images and keep their build pipelines secure.
Learn more
To learn more about pipeline metadata in HCP Packer, please refer to the build pipeline metadata documentation and the Automate Packer with GitHub Actions tutorial.
Get started with HCP Packer for free to track and manage artifacts across all your cloud environments.
from HashiCorp Blog https://ift.tt/8Ph7MX1