The DSSE implementation added to in-toto-golang has now been split into its own package which lives at https://github.com/secure-systems-lab/go-securesystemslib/. The next step is the removal of this code from in-toto, so I'm submitting changes to dependent packages. :)

See: https://github.com/in-toto/in-toto-golang/pull/122

Implement Kubernetes CRD controller for Application resources.

• monitors the trigger from state changes of Application resources
• detect new manifest build and captures desired manifests from ArgoCD REST API
• sign the manifest
• record the detail of manifest build
  • the source files, git url, revision, commits for the manifest build
  • the command to produce the manifest for reproducibility.
• store the details as provenance records in in-toto format.

Signed-off-by: Hirokuni-Kitahara1 [email protected]

• add SECURITY.md to the root directory for solving https://github.com/argoproj-labs/argocd-interlace/issues/20
• configure github action for lint

Signed-off-by: Hirokuni-Kitahara1 [email protected]

• make installation step clearer
  • enable 1 yaml installation
  • enable setup with just 2 kubectl patch commands
  • improve the way to load configuration (config loading without pod restart)
  • remove unnecessary configuration
• update the corresponding docs

Signed-off-by: Hirokuni-Kitahara1 [email protected]

• introduce interlace profile
• support OCI image to store signed manifest
• refactor some related codes

Signed-off-by: Hirokuni-Kitahara1 [email protected]

• fix github action to solve an issue that go modules are not installed before lint action

Signed-off-by: Hirokuni-Kitahara1 [email protected]

• add a CRD ApplicationProvenance for users to check provenance data easily
• add api and client codes for the CRD
• update README.md

Signed-off-by: Hirokuni-Kitahara1 [email protected]

• update codes to store generated provenance data in Application annotation interlace.argocd.dev/provenance
• update README so that users can check result with the annotation instead of checking pod log.

Signed-off-by: Hirokuni-Kitahara1 [email protected]

• enable 1 command installation
  • create setup.sh to automate installation and setup
• make it easy for users to try examples
  • create sign-source-repo.sh to automate signing for source repo
  • add examples/signed-application.yaml to check application

Signed-off-by: [email protected] [email protected]

Capability to address issue: #15

• Added support for Helm based application via Helm sigstore verification and provenance generation
• Fixed documentation
• Reorganized packages

Implement a capability to support Helm based application

• verify Helm chart using helm sigstore before signature for manifest generated.
• attach a new signature to the generated application manifest only if the verification passed

The Argo maintainers recently agreed to require all Argoproj Labs project repositories to contain a SECURITY.md file which documents:

• Contact information for reporting security vulnerabilities
• Some minimal information about policies, practices, with possibly links to further documentation with more details

This will help direct vulnerability reporting to the right parties which can fix the issue.

You are free to use the following as examples/templates:

• Argoproj
• Workflows
• CD

Also, please note that in the future we are exploring a requirement that argoproj-labs projects perform a CII self-assessment to better inform its users about which security best practices are being followed.