Tuesday, October 25 • 3:15pm - 3:45pm
An OSS project's attempt to secure its supply chain - Ankit Mohapatra, Berkshire Grey

Jenkins X is a cloud native CI/CD platform built on top of Kubernetes with out-of-the-box support for GitOps, secrets management, preview environments, ChatOps and much more.
In order to provide all these functionalities, Jenkins X uses many open source projects as part of its supply chain in the form of Go modules, npm packages, Helm charts, Docker images and Terraform modules, to name a few.
In the light of the recent high-profile supply chain exploits and attacks (SolarWinds, Codecov etc.), securing the open source supply chain becomes critical for us and our end users.
But how do we even keep track of all the packages that make up our supply chain and then secure it?
We started by generating SBOMs (Software Bill Of Materials) for our artifacts and using vulnerability scanners to identify potential vulnerabilities.
Currently, we are in the process of integrating with Tekton Chains.
This talk is an attempt to summarize our supply chain security journey and what we plan to achieve in the future.
We will explore the fascinating world of SBOMs, SLSA (Supply-chain Levels for Software Artifacts) levels and in-toto attestations.
More importantly, there will be some practical examples of the abstract concepts around supply chain security and how Jenkins X attempts to make a secure supply chain accessible to everyone.
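The abstract names three building blocks (an SBOM of the dependencies, an in-toto attestation carrying SLSA provenance, and a vulnerability check over the dependency list) without showing how they fit together. The following is an added example, not code from the talk or from the Jenkins X project: it turns a constructed CycloneDX-style component list into the `materials` of an in-toto Statement with a SLSA v0.2 provenance predicate, then runs the checks a consumer would apply before trusting the artifact. The artifact name, builder ID, build type, package URLs, digests and advisory ID are all constructed for the example. Signature verification of the statement (DSSE envelope, cosign, Tekton Chains) is deliberately out of scope here.

```python
"""Added example: build and check an in-toto / SLSA provenance statement.
All identifiers and sample data below are constructed for illustration and
are not Jenkins X, Tekton Chains or in-toto project code."""
import hashlib

IN_TOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE_TYPE = "https://slsa.dev/provenance/v0.2"

# Constructed artifact standing in for a built binary or container layer.
ARTIFACT_NAME = "jx-plugin-example"  # hypothetical name
ARTIFACT_BYTES = b"placeholder binary content for the example\n"

# Constructed SBOM fragment in the shape of CycloneDX components (purl + hash).
SBOM_COMPONENTS = [
    {"purl": "pkg:golang/github.com/example/libfoo@v1.2.3",
     "hashes": {"SHA-256": "a" * 64}},
    {"purl": "pkg:npm/example-ui@4.0.1",
     "hashes": {"SHA-256": "b" * 64}},
]

# Constructed vulnerability feed: purl -> advisory ID (hypothetical values).
KNOWN_VULNERABLE = {"pkg:npm/example-ui@4.0.1": "EXAMPLE-ADVISORY-0001"}

# Builder identities the consumer trusts (assumption for the example).
TRUSTED_BUILDERS = {"https://tekton.dev/chains/v2"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def materials_from_sbom(components):
    """Map SBOM components onto SLSA `materials` (uri + digest)."""
    return [{"uri": c["purl"], "digest": {"sha256": c["hashes"]["SHA-256"]}}
            for c in components]


def build_statement(name, data, components, builder_id):
    """Produce an in-toto Statement whose predicate is SLSA v0.2 provenance."""
    return {
        "_type": IN_TOTO_STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(data)}}],
        "predicateType": SLSA_PROVENANCE_TYPE,
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.com/tekton-build/v1",  # hypothetical
            "invocation": {
                "configSource": {
                    "uri": "git+https://example.com/org/repo",  # hypothetical
                    "digest": {"sha1": "0" * 40},
                    "entryPoint": "release",
                }
            },
            "materials": materials_from_sbom(components),
        },
    }


def check_statement(statement, artifact_bytes, trusted_builders, vuln_feed):
    """Return a list of problems; an empty list means the artifact passes.
    Checks: statement/predicate types, subject digest matches the bytes we
    hold, builder is trusted, every material is pinned by sha256, and no
    material appears in the vulnerability feed."""
    problems = []
    if statement.get("_type") != IN_TOTO_STATEMENT_TYPE:
        problems.append("unexpected statement type")
    if statement.get("predicateType") != SLSA_PROVENANCE_TYPE:
        problems.append("unexpected predicate type")
    actual = sha256_hex(artifact_bytes)
    if not any(s.get("digest", {}).get("sha256") == actual
               for s in statement.get("subject", [])):
        problems.append("subject digest does not match artifact")
    predicate = statement.get("predicate", {})
    builder = predicate.get("builder", {}).get("id")
    if builder not in trusted_builders:
        problems.append(f"untrusted builder {builder!r}")
    for material in predicate.get("materials", []):
        uri = material.get("uri")
        if "sha256" not in material.get("digest", {}):
            problems.append(f"material {uri} has no sha256 digest")
        advisory = vuln_feed.get(uri)
        if advisory:
            problems.append(f"material {uri} has known advisory {advisory}")
    return problems


if __name__ == "__main__":
    stmt = build_statement(ARTIFACT_NAME, ARTIFACT_BYTES, SBOM_COMPONENTS,
                           "https://tekton.dev/chains/v2")
    for problem in check_statement(stmt, ARTIFACT_BYTES, TRUSTED_BUILDERS,
                                   KNOWN_VULNERABLE):
        print("FAIL:", problem)
```

Run as a script it reports the one constructed advisory hit; swapping the artifact bytes or the builder ID makes the digest and builder checks fire as well. In a real pipeline the statement would arrive wrapped in a DSSE envelope signed by the builder, and the signature check must come before any of the content checks above, otherwise an attacker who can forge the statement can also forge a clean materials list.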



Tuesday October 25, 2022 3:15pm - 3:45pm EDT
Cadillac