Tekton Chains
Definition
Tekton Chains is a Kubernetes controller in the Tekton project that addresses software supply-chain security. It watches TaskRuns and PipelineRuns; when a run completes it generates provenance for it (an in-toto attestation carrying a SLSA predicate that records the builder, the source and parameters that went in, the steps that ran and the artifacts that came out), signs that provenance together with any OCI images the run reports as results, and writes the signed material to a configured store such as the image's own registry. Signing uses a key held in the signing-secrets Secret, a KMS-backed key, or short-lived keyless certificates issued by Fulcio, and each signature can additionally be recorded in a Rekor transparency log. A consumer can then check, with cosign or an admission policy, that an artifact was built by a known pipeline from known inputs before it is deployed. Chains only produces this evidence; enforcing it at deploy time is the verifier's job.
Secure Settings Example
Chains reads its settings from the chains-config ConfigMap in the tekton-chains namespace; there is no dedicated Chains Config resource, and every value in the data map is a string, so booleans are quoted. A hardened configuration:

apiVersion: v1
kind: ConfigMap
metadata:
  name: chains-config
  namespace: tekton-chains
data:
  artifacts.taskrun.format: "in-toto"
  artifacts.taskrun.storage: "oci"
  artifacts.taskrun.signer: "x509"
  artifacts.oci.format: "simple-signing"
  artifacts.oci.storage: "oci"
  artifacts.oci.signer: "x509"
  transparency.enabled: "true"
  signers.x509.fulcio.enabled: "true"

artifacts.taskrun.format "in-toto" makes Chains emit a SLSA provenance attestation for each TaskRun rather than a bare signature over the run (the slsa/v2alphaN values select newer SLSA predicate versions). Storage "oci" pushes the signed attestation and the image signature to the image's registry, next to the image, which is where cosign verify and cosign verify-attestation look for them; a comma-separated list such as "tekton,oci" keeps a copy on the TaskRun as well. transparency.enabled "true" uploads every signature to Rekor, so a signature that exists only in the registry but not in the log stands out; the default target is the public Sigstore instance, so point transparency.url at a private Rekor if the provenance itself is sensitive, or use "manual" to upload only runs annotated with chains.tekton.dev/transparency-upload: "true". Enabling Fulcio under the x509 signer replaces a long-lived key in the signing-secrets Secret with a short-lived certificate bound to the controller's identity, which removes the key-exfiltration and key-rotation problem. None of these settings reject anything by themselves: a deploy-time policy (cosign verify-attestation, or a policy-controller ClusterImagePolicy that requires the SLSA attestation) is what turns the provenance into a control.
Insecure Settings Example
The same ConfigMap with settings that leave a verifier almost nothing to check:

apiVersion: v1
kind: ConfigMap
metadata:
  name: chains-config
  namespace: tekton-chains
data:
  artifacts.taskrun.storage: ""
  artifacts.oci.format: "simple-signing"
  artifacts.oci.storage: "tekton"
  artifacts.oci.signer: "x509"
  transparency.enabled: "false"
  signers.x509.fulcio.enabled: "false"

An empty artifacts.taskrun.storage disables TaskRun provenance entirely, so no attestation records how the image was built. simple-signing is the OCI image-signature format: it proves that some key signed this digest and nothing about the source, builder or steps behind it (it is not accepted for artifacts.taskrun.format). Storage "tekton" keeps the signature only as annotations on the TaskRun object, where anyone with patch rights on taskruns can alter it, where it disappears when the TaskRun is pruned, and where cosign verify never looks. With transparency off, a signature that a compromised key produced leaves no independent record, and with Fulcio off the x509 signer uses the long-lived cosign.key in the signing-secrets Secret, so whoever reads that Secret can sign arbitrary images with the cluster's identity.
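A practitioner rolling Chains out across clusters usually wants to lint the chains-config ConfigMap rather than eyeball it. The following is an added example written for this page, not Tekton project code: the key names are the ones the real ConfigMap uses, but the allow-lists (which formats count as provenance, which storage backends count as external) and the choice of what is reported as a finding are this example's own baseline and an assumption to adjust to the Chains release in use. The two sample data maps are constructed to mirror the secure and insecure settings above.

```python
"""Lint the data map of a Tekton Chains chains-config ConfigMap.

Added example, not Tekton project code. The key names are the ones the
real chains-config ConfigMap uses; the allow-lists and what counts as a
finding are this example's own hardened baseline (assumption), not a
Tekton default, so adjust them to the Chains version you run.
"""
from typing import Dict, List, Set

# Keys of the chains-config ConfigMap (namespace tekton-chains).
TASKRUN_FORMAT = "artifacts.taskrun.format"
TASKRUN_STORAGE = "artifacts.taskrun.storage"
TASKRUN_SIGNER = "artifacts.taskrun.signer"
OCI_FORMAT = "artifacts.oci.format"
OCI_STORAGE = "artifacts.oci.storage"
TRANSPARENCY = "transparency.enabled"
FULCIO = "signers.x509.fulcio.enabled"
KMS_REF = "signers.kms.kmsref"

# TaskRun formats that emit an in-toto/SLSA provenance attestation (assumed
# allow-list; extend with the slsa/v2alphaN versions your Chains release offers).
PROVENANCE_FORMATS: Set[str] = {"in-toto", "slsa/v1", "slsa/v2alpha2", "slsa/v2alpha3"}
# Storage backends that write outside the mutable, prunable TaskRun object.
EXTERNAL_STORAGE: Set[str] = {"oci", "gcs", "docdb", "grafeas"}


def _truthy(value: str) -> bool:
    return value.strip().lower() == "true"


def _csv(value: str) -> Set[str]:
    # Chains accepts comma-separated backend lists such as "tekton,oci".
    return {v.strip() for v in value.split(",") if v.strip()}


def lint_chains_config(data: Dict[str, str]) -> List[str]:
    """Return findings for a ConfigMap data map; an empty list meets the baseline."""
    findings: List[str] = []

    fmt = data.get(TASKRUN_FORMAT, "in-toto")  # Chains default
    if fmt not in PROVENANCE_FORMATS:
        findings.append(f"{TASKRUN_FORMAT}={fmt!r}: not a provenance format")

    storage = _csv(data.get(TASKRUN_STORAGE, "tekton"))  # Chains default
    if not storage:
        findings.append(f"{TASKRUN_STORAGE} is empty: TaskRun provenance is disabled")
    elif not storage & EXTERNAL_STORAGE:
        findings.append(f"{TASKRUN_STORAGE}={sorted(storage)}: provenance lives only in "
                        "TaskRun annotations and is lost when the TaskRun is pruned")

    transparency = data.get(TRANSPARENCY, "false").strip().lower()
    if transparency not in ("true", "manual"):  # "manual" uploads only annotated runs
        findings.append(f"{TRANSPARENCY}={transparency!r}: signatures are not recorded in Rekor")

    signer = data.get(TASKRUN_SIGNER, "x509")  # Chains default
    if signer == "x509" and not _truthy(data.get(FULCIO, "false")):
        findings.append(f"{TASKRUN_SIGNER}=x509 without Fulcio: a long-lived key from the "
                        "signing-secrets Secret is used; enable Fulcio or switch to kms")
    elif signer == "kms" and not data.get(KMS_REF, "").strip():
        findings.append(f"{TASKRUN_SIGNER}=kms but {KMS_REF} is unset")

    return findings


# Constructed sample data maps mirroring the two settings examples on this page.
SECURE_DATA = {
    TASKRUN_FORMAT: "in-toto",
    TASKRUN_STORAGE: "oci",
    TASKRUN_SIGNER: "x509",
    OCI_FORMAT: "simple-signing",
    OCI_STORAGE: "oci",
    TRANSPARENCY: "true",
    FULCIO: "true",
}
INSECURE_DATA = {
    TASKRUN_STORAGE: "",
    OCI_FORMAT: "simple-signing",
    OCI_STORAGE: "tekton",
    TRANSPARENCY: "false",
    FULCIO: "false",
}

if __name__ == "__main__":
    for name, data in (("secure", SECURE_DATA), ("insecure", INSECURE_DATA)):
        findings = lint_chains_config(data)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Feed it the data map of a live cluster with kubectl get configmap chains-config -n tekton-chains -o json piped through json.load; the linter deliberately applies Chains' documented defaults for absent keys, since an empty ConfigMap is not a hardened one but one that silently stores annotation-only provenance under a long-lived key.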