GitHub announces new updates to improve supply chain security


GitHub has released two updates designed to help secure software supply chains. The company announced a public beta of Artifact Attestations for GitHub Actions, which makes it easier for companies to verify where software components came from, and announced that Dependabot can now be run as a GitHub Actions workflow. 

Artifact Attestation allows maintainers of open-source software to easily create a paper trail for the software they are creating, so that consumers of that software can verify where it came from and how it was created.

The attestations includes a link to the workflow associated with the artifact, along with other relevant information like the its repository, organization, environment, commit SHA, and triggering event. 

“There’s an increasing need across enterprises and the open source ecosystem to have a verifiable way to link software artifacts back to their source code and build instructions. And with more than 100M developers building on GitHub, we want to ensure developers have the tools needed to help protect the integrity of their software supply chain,” Trevor Rosen, staff engineering manager for supply chain security at GitHub, wrote in a blog post

Artifact Attestations is powered by Sigstore, which is an open source project that allows software artifacts to be signed and verified to promote greater software integrity. 

According to GitHub, the process to set up an Artifact Attestation is simple. Developers must first enable their GitHub Actions workflow to be able to write to the attestations store, then direct a workflow to create an attestation, and finally, use GitHub CLI to verify it. 

Consumers can easily download attestation documents, which can also be extracted as JSON files to be used in a policy engine like OPA

“Artifact Attestations will allow customers unprecedented visibility into the composition and usage of their built software artifact, and this is just the beginning. We’ll be offering the ability to attest other kinds of artifacts associated with the build process, such as vulnerability reports and other pieces of metadata supported by the in-toto project’s defined predicate types. Look for exciting news around Kubernetes support, new guarantees for releases, and more later this year,” Rosen said. 

Dependabot can now be run as GitHub Actions workflow

Artifact Attestations is not the only announcement from GitHub to be aware of; The company also announced that Dependabot, GitHub’s automated solution for monitoring dependencies for vulnerabilities, can now be run as a GitHub Actions workflow, both as hosted or self-hosted runners. 

It was previously only using hosted compute, which meant that it couldn’t access on-premise resources. This also meant that logs were spread out in different places, and one of the requests from users was to be able to see all logs in a single place. 

“Developers will see performance improvements, like faster Dependabot runs and increased log visibility. APIs and webhooks for GitHub Actions can also detect failed runs and perform downstream processing should developers wish to configure this in their CI/CD pipelines,” Carlin Cherry, product manager at GitHub, wrote in a blog post

This is part of GitHub’s long-term strategy to consolidate Dependabot entirely to GitHub Actions. Over the course of the next year, GitHub will migrate all of Dependabot’s update jobs to GitHub Actions, leading to faster runs, increased troubleshooting visibility, self-hosted runners, and other benefits, GitHub explained. 

According to GitHub, running Dependabot does not count towards GitHub Actions minutes.