mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-05 23:38:57 +03:00
2.8 KiB
2.8 KiB
Workflows - Supply Chain Security with in-toto
Implementation Workflow
Phase 1: Layout Design
- Map your CI/CD pipeline steps (source, build, test, scan, package, push)
- Identify functionaries for each step (CI runner, scanner, reviewer)
- Define artifact flow between steps (what inputs/outputs)
- Generate signing keys for each functionary
- Create and sign the supply chain layout
Phase 2: Pipeline Integration
- Wrap each CI/CD step with
in-toto-runto generate link metadata - Configure key management (Vault, KMS, or Sigstore keyless)
- Store link metadata alongside build artifacts
- Verify supply chain at end of pipeline before push to registry
- Attach attestations to container images via cosign
Phase 3: Deployment Verification
- Deploy admission webhook for in-toto verification
- Configure policy engine to require valid attestations
- Test with known-good and known-bad attestation chains
- Enable enforcement mode to block unverified images
- Monitor verification failures and alert on anomalies
CI/CD Pipeline Integration
GitHub Actions Example
jobs:
build:
steps:
- uses: actions/checkout@v4
- name: Record checkout step
run: |
in-toto-run --step-name checkout \
--key ${{ secrets.BUILDER_KEY }} \
--products Dockerfile src/* \
-- echo "checkout complete"
- name: Build and record
run: |
in-toto-run --step-name build \
--key ${{ secrets.BUILDER_KEY }} \
--materials Dockerfile src/* \
--products image-digest.txt \
-- docker build -t app:${{ github.sha }} .
- name: Scan and record
run: |
in-toto-run --step-name scan \
--key ${{ secrets.SCANNER_KEY }} \
--materials image-digest.txt \
--products vuln-report.json sbom.json \
-- trivy image app:${{ github.sha }}
- name: Verify chain
run: |
in-toto-verify --layout root.layout \
--layout-key keys/owner.pub
Key Rotation Workflow
- Generate new key pair for the functionary
- Update the supply chain layout with new public key
- Re-sign the layout with the owner key
- Distribute new private key to the functionary (via secrets manager)
- Revoke the old key after transition period
- Verify builds use new key going forward
Incident Response Workflow
Supply Chain Compromise Detected
- Identify which step's attestation is invalid or missing
- Check if functionary key was compromised
- Review link metadata for the affected step
- Compare artifact hashes against known-good builds
- If compromise confirmed: revoke affected keys, rebuild from verified source
- Update layout to add additional verification requirements