October 30, 2024
Learn More and Register to Attend

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for SOSS Community Day Japan 2024 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Japan Standard Time (JST/UTC+9). To see the schedule in your preferred timezone, please select from the drop-down located at the bottom of the menu to the right.

The schedule is subject to change.
Breakout Sessions
Wednesday, October 30
 

09:50 JST

Is This Thing on? Blue Team Tips for Scorecard - Raghav Kaul, Google
Wednesday October 30, 2024 09:50 - 10:10 JST
OpenSSF Scorecard and Allstar are tools for automatically scanning source code repositories for security misconfigurations. Scorecard looks at a GitHub or GitLab project’s source code, CI workflows, and repository settings and provides an actionable list of findings for a maintainer to improve their project’s security practices. Allstar is a way to run security analysis at scale, and automatically remediate issues. This talk will focus on one specific use case that blue teams face: how can Scorecard be used to secure first party repos? Is there a way to integrate Scorecard into an actual development process so that it doesn’t just detect an issue, but prevents it from being introduced into the supply chain? There are two aspects to this answer: infrastructure and policy. We’ll look at how probes enable the creation of granular policies, data pipelines for gathering results from probe runs, and techniques for shifting Scorecard scans left with pre-commit GitHub Actions.
Speakers
Raghav Kaul

None, Google
Raghav is a Security Engineer working for Google's Open Source Security Team. He is a maintainer of OpenSSF Scorecard and a contributor to OpenSSF Allstar.
Main Hall

10:15 JST

Future Use of SCAP and SBOM for Software Supply Chain Security - Yumi Tomita & Atsuya Misaki, Cybertrust Japan Co., Ltd. & Masaki Ishiguro, Mitsubishi Research Institute, Inc.
Wednesday October 30, 2024 10:15 - 10:35 JST
In recent years, supply chain security is strongly required as a mechanism to objectively and rationally ensure security concerning organizations, systems, products, services, and data with respect to trading partners and other stakeholders. Modern software development has become more complex due to the proliferation of multiple suppliers, vendors, and open source software (OSS), and this has increased the possibility of vulnerabilities being introduced by suppliers and the risk of attacks exploiting the supply chain in the software supply chain. This is the reason why the software supply chain is becoming more and more complex. Therefore, it is important to understand and manage security risks throughout the software supply chain. The presentation will compare SCAP, which has been used for a long time, and SBOM (Software Bill of Materials), which has been attracting attention in recent years, as a method for supply chain security, explaining the features of each, and discussing the possibilities of utilizing the tools in the future.
Speakers
Masaki Ishiguro

Chief Manager and Mission Leader at Cybersecurity Strategy Group, Mitsubishi Research Institute, Inc.
Masaki Ishiguro, Ph.D., is a Chief Manager and Mission Leader at Cybersecurity Strategy Group, Mitsubishi Research Institute, Inc. His areas of expertise include Cybersecurity Technologies, Government policies, Risk Management, Cybersecurity Economics, Digital Engineering. He has completed...
Atsuya Misaki

Product Manager, Cybertrust Japan Co., Ltd.
Atsuya Misaki is a Product Manager in Cybertrust Japan. He works in product development related to SBOM and vulnerability management.
Yumi Tomita

Marketer, Cybertrust Japan Co., Ltd.
Yumi Tomita is a Marketer in Cybertrust Japan. She works to utilize SBOM for vulnerability management. She is a member of the OpenChain Project Japan Working Group.
Main Hall

11:40 JST

Continuous Security with ArgoCD and Kubescape - Anubhav Gupta, Akuity
Wednesday October 30, 2024 11:40 - 11:50 JST
In the cloud-native landscape, the integration of security into the CI/CD pipeline is not just a best practice—it's a necessity. ArgoCD has emerged as the leading GitOps controller for Kubernetes, automating deployments with precision. However, ensuring that every deployment is secure requires more than just automated workflows; it demands continuous security checks before, during, and after the deployment process. This talk will demonstrate how the combination of ArgoCD and Kubescape, a powerful open-source Kubernetes security tool, delivers a comprehensive security solution for Kubernetes deployments. We will walk through setting up an end-to-end workflow that integrates security checks into every stage of the deployment process. Attendees will learn how to implement security gates that assess vulnerabilities in container images and Kubernetes configurations before any changes are committed and receive real-time alerts if vulnerabilities are detected in production. By the end of this talk, participants will be equipped to enhance their GitOps workflows with robust security practices, making their Kubernetes deployments more resilient and secure.
Speakers
Anubhav Gupta

Software Engineer, Akuity
Anubhav works as a Software Engineer at Akuity. He is a graduated Summer 2023 batch LFX Mentee with the CNCF, where he worked on the Kubescape project. He is an active contributor to various CNCF projects including Kubescape and Copa. Anubhav has previously spoken at the Open Source...
Main Hall