https://thesecuresoftwarefactory.github.io/ssf
- Host: GitHub
- URL: https://thesecuresoftwarefactory.github.io/ssf
- Owner: buildsec
- License: apache-2.0
- Created: 2021-10-21T21:03:06.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2025-03-01T17:42:29.000Z (8 months ago)
- Last Synced: 2025-03-01T18:33:30.474Z (8 months ago)
- Language: CUE
- Homepage: https://buildsec.github.io/frsca
- Size: 4.49 MB
- Stars: 232
- Watchers: 13
- Forks: 31
- Open Issues: 39
- Metadata Files:
  - Readme: README.md
  - Contributing: .github/CONTRIBUTING.md
  - License: LICENSE
  - Code of conduct: CODE_OF_CONDUCT.md
  - Codeowners: .github/CODEOWNERS

Awesome Lists containing this project

- awesome-software-supply-chain-security - SSF | The Secure Software Factory (Frameworks and best practice references / Supply chain beyond libraries)

README

# FRSCA

[OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/buildsec/frsca)

## About The Project

Factory for Repeatable Secure Creation of Artifacts (aka FRSCA, pronounced
Fresca) aims to help secure the supply chain by securing build pipelines.
It achieves its goals by being two things:

1. A suite of build, pipeline, signing, visibility, identity, and policy tools
   configured to operate securely.
2. A set of build pipeline abstractions and definitions with security guardrails
   ensuring all builds follow supply chain security best practices.

At its core FRSCA uses these projects to achieve its goals:

- [Kubernetes] - For the control plane
- [Tekton Pipelines] - For build pipelines
- [Tekton Chains] - For pipeline task observation
- [Sigstore] - For signing software, attestations, SBOMs and other metadata
- [SPIFFE/Spire] - For build workload identities
- [Vault] - For secrets management
- [Helm] and [CUE] - For provisioning Kubernetes resources
- [CUE] - For secure pipeline abstractions and definitions

See the
[Architecture Docs](https://buildsec.github.io/frsca/docs/getting-started/architecture/)
for more info.

FRSCA is also an implementation of the CNCF's
[Secure Software Factory Reference Architecture](https://github.com/cncf/tag-security/blob/main/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf),
which is based on the CNCF's
[Software Supply Chain Best Practices White Paper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf).
It is also intended to follow [SLSA](https://slsa.dev) requirements closely and
generate in-toto attestations for SLSA provenance predicates.

_NOTE_: FRSCA is under very active development. A lot will change; it isn't
production ready yet.

## Quickstart

To quickly provision a Minikube cluster with FRSCA deployed and run an example
pipeline run:

```bash
# Install and set up minikube (run only if you need a local k8s)
make setup-minikube
make setup-frsca
```

This will perform the following actions:

1. Install and set up minikube and supporting CLI tools, like `cosign` and `jq`,
   if they are not already installed.
1. Install development tooling to simulate a production environment, which
   includes:
   1. [Cert-manager]
   1. [registry]
   1. [SPIFFE/Spire]
   1. [Vault]
1. Install and set up FRSCA's components, which include:
   1. [Tekton Pipelines]
   1. [Tekton Chains]
   1. [Kyverno]
1. Set up a mirror of example repositories and Tekton triggers for each mirror.

Once FRSCA has been installed you can follow the various examples under
`/examples`.

To tear down the Minikube cluster generated in the quickstart, simply run:

```bash
make teardown
```

## Going further

The full documentation is available at https://buildsec.github.io/frsca

## Community

It is a project under the [OpenSSF](https://openssf.org/)
[Supply Chain Integrity Working Group](https://github.com/ossf/wg-supply-chain-integrity).

Community meetings every other Wednesday at 10AM Eastern - See the OpenSSF
[community calendar](https://calendar.google.com/calendar/u/0?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ)
for more info.

Slack channel: #frsca on [OpenSSF slack](https://slack.openssf.org/)

### Built With

Platform:

- [Kyverno]
- [Kubernetes]
- [Tekton Pipelines]
- [Tekton Chains]
- [SPIFFE/Spire]
- [Vault]

Tooling:

- [Cosign/Sget]
- [Crane]
- [CUE]
- [Make]
- [Rekor CLI]
- [Helm]

[tekton chains]: https://github.com/tektoncd/chains
[tekton pipelines]: https://tekton.dev/
[kyverno]: https://kyverno.io/
[kubernetes]: https://k8s.io/
[spiffe/spire]: https://spiffe.io/
[cosign/sget]: https://github.com/sigstore/cosign
[crane]: https://github.com/google/go-containerregistry
[cue]: https://cuelang.org/
[make]: https://www.gnu.org/software/make/
[rekor cli]: https://github.com/sigstore/rekor
[vault]: https://www.vaultproject.io/
[helm]: https://helm.sh/
[sigstore]: https://www.sigstore.dev/
[cert-manager]: https://cert-manager.io/
[registry]: https://hub.docker.com/_/registry