Enforcing Supply Chain Security and Simplifying Compliance Audit... Gopinath Rebala & Bob Boule

Enforcing Supply Chain Security and Simplifying Compliance Audit for ArgoCD Deployments - Gopinath Rebala & Bob Boule, OpsMx
ArgoCD with GitOps provides an intuitive way to audit deployments through Git versioning. The rise in supply chain attacks requires organizations to secure their supply chain and to provide compliance audits for the entire application. End-to-end audit requires additional tracking of the source code behind binary artifacts, as well as tracking across environments. Argoproj Labs projects such as argocd-interlace provide a way to verify the provenance of deployments. This is a step in the right direction but falls short for most organizations. In this talk we discuss techniques using open source tooling such as GUAC, Sigstore, in-toto, Elastic, and Grafana to set up a secure supply chain workflow that attests the entire delivery and can integrate into existing delivery pipelines. The talk will outline the Delivery Bill of Materials (DBOM), based on the SBOM, for the entire delivery process. We will present best practices and some of the gotchas we faced in implementing this system internally.