By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
Resources
>
Blog
>
Article
A spot illustration of Github artifact attestation
May 17, 2024

Lowering the Barrier of Entry for Automated Governance — GitHub's New Artifact Attestation Feature

GitHub's new Artifact Attestations feature represents a significant advancement for streamlining Governance, Risk, and Compliance (GRC) processes. By integrating attestation creation directly into GitHub Actions, it simplifies the adoption of automated governance for teams and reduces the need for custom development.

Introduction

GitHub's recent blog on Artifact Attestations is great news for organizations on the path to automate their Governance, Risk, and Compliance (GRC).  Before we dive too deep into GitHub's new Artifact Attestations feature, let’s take a step back and do a quick recap of the domain it fits into — Automated Governance. Automated Governance goes by many aliases — Governance, Risk, and Compliance (GRC) engineering, policy as code, etc. — and while industry experts might differentiate between some of these elements, the desired outcome is the same: improving the security and compliance of artifacts created by software supply chains in an automated fashion.

At a high level, Automated Governance refers to the ability to provide the collection, attestation, policy evaluation, and enforcement of an organization’s GRC standards throughout the software development lifecycle. With that in mind, let's talk about why GitHub’s Artifact Attestations feature is a big deal and what challenges still exist when implementing Automated Governance.

GitHub Artifact Attestations: What Excites Us the Most

  • Integrating the attestation element of the GRC process in the same platform as SCM, CI/CD, and even your security validations reduces the need for platform engineering teams to host a Sigstore stack.
  • It significantly lowers the barrier of entry for product and platform teams using GitHub to adopt Automated Governance by getting a major component out of the box. All that is needed to get started is to add some YAML to your GitHub Actions workflow for attestation creation and leverage the GitHub CLI tool for the verification and policy evaluation step.
A diagram of how Github Artifact Attestation works
https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/
  • GitHub now provides three new GitHub Actions: actions/attest-build-provenance and actions/attest-sbom to support provenance and SBOM attestations, respectively, and a generic actions/attest that can be extended to other predicate types. Prior to this update, our customers would need to create their own build images with the Sigstore tooling and write their own pipeline automation to enable the collection, attestation, policy evaluation, and enforcement functionality.
  • The technology and approach is directly aligned with Liatrio’s POV on how organizations should implement Automated Governance. Last year, Liatrio created a GitHub reference implementation of an app and the accompanying trusted build actions and released a video guide as reference. GitHub’s supported workflow saves ~ 100 lines of code from the workflow steps. Organizations no longer need to implement their own provenance step nor the sbom step, instead teams can simply call GitHub’s Action(s) directly.
  • If that’s not enough reason to be excited, GitHub is also hosting a Sigstore instance for private repos, while public repos will leverage Sigstore’s public good instance.  This is one less production workload that needs to be run and maintained.
  • GitHub is now an approved root certificate authority. This means that customers and open source projects now have a path for signing artifacts without having to build out PKI or manage secrets, which could be leaked or lost.
  • SBOMs can now be easily associated with an artifact via GitHub’s attest-sbom action which will automatically wrap an SBOM it is provided with in an in-toto predicate, sign it using GitHub’s internal Sigstore, associate it with the artifact, and store it in GitHub’s attestation store.

All of these features are accelerators in adoption and rollout and help democratize Automated Governance. This showcases a significant investment in engineering time and underscores GitHub’s commitment to be the top-tier engineering platform of choice.

Challenges of Automated Governance

Although this is great progress, there are still many challenges for organizations to overcome when adopting Automated Governance. The biggest one we have encountered working with highly regulated enterprises is getting the GRC team aligned with the tech. From our experience, auditors and people in charge of risk are not easily excited about CLI tools and CI/CD pipelines; they need to see how GRC Engineering makes their job easier by creating a mechanism to easily summarize the risk profile of an artifact for production with the ability to drill down to the actual event occurrence.

Why Automated Governance Should be on your Radar

  • The use of open source projects is very prevalent in enterprises, and having unforgeable proof that an artifact is from a trusted source is imperative.
  • The Whitehouse’s Executive Order (EO 14028) is just the beginning of the need for a sharper focus on enhancing the nation's cybersecurity and is currently impacting government contractors. We predict that this will be a far more wide-sweeping requirement for commercial applications in the near term.
  • Lack of visibility of artifacts deployed in production can put your organization at risk. A narrow view into a limited subset of the software supply chain means the entire delivery system is at risk.
  • Traditional — often manual — governance processes act as a bottleneck and hinder fast iteration. Automated Governance can scale to keep up with modern software delivery practices without sacrificing security.

Conclusion

GitHub’s new Artifact Attestations feature marks a significant step forward for organizations seeking to automate their GRC processes. Integrating attestation capabilities into the GitHub platform lowers the barrier of entry for teams to adopt Automated Governance practices and reduces the need for custom solutions. The provision of out-of-the-box actions for provenance and SBOM checks, along with an extensible generic attest action that customers can leverage and promised support for new predicate types in the future makes it easy for teams to integrate attestations into their existing workflows. Additionally, GitHub’s role as an approved root certificate authority further enhances trust and security in the software supply chain.

Despite these advancements, challenges remain, particularly in aligning GRC teams with technical implementations. One of the advantages of running your own Sigstore stack is having access to all attestations, which can be plugged into visualization tools such as Grafana to draw insights. To support this, GitHub could make an organization’s attestations exportable or enable support for visualizations inside their platform. Ultimately, GitHub’s investment in Automated Governance underscores their commitment to empowering organizations with robust, scalable, and secure development practices, paving the way for a future where compliance and innovation can coexist seamlessly.

Read Github's full blog about Artifact Attestations here: https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/


Ready to get started?

Contact Us

We'd love to learn more about your project and determine how we can help out.