diff --git a/README.md b/README.md index 8421a2d..eb5b137 100644 --- a/README.md +++ b/README.md @@ -32,15 +32,19 @@ for Python and Go environments. We encourage you to gain a basic understanding of the [SCAI specification] before using the scai-generator CLI tools in this repo. +For a full demo of how to use the Go [scai-gen](scai-gen/) tools, read our +[KubeCon NA '23 doc]. + ## Disclaimer While the tools in this repo are conformant to the [in-toto Attestation Framework], they do not generate **authenticated** SCAI attestations. The example use cases in this repo are only provided for -illustrative purposes. +illustrative purposes, and should not be used in production. [in-toto Attestation Framework]: https://github.com/in-toto/attestation/tree/main/spec [intro doc]: docs/intro.md +[KubeCon NA '23]: docs/kubecon-na-23.md [usage doc]: docs/usage.md [SCAI specification]: https://github.com/in-toto/attestation/blob/main/spec/predicates/scai.md [SCAI spec doc]: https://arxiv.org/pdf/2210.05813.pdf diff --git a/docs/images/scai-kubeconNA23-demo.png b/docs/images/scai-kubeconNA23-demo.png new file mode 100644 index 0000000..bf8a3f8 Binary files /dev/null and b/docs/images/scai-kubeconNA23-demo.png differ diff --git a/docs/kubecon-na-23.md b/docs/kubecon-na-23.md new file mode 100644 index 0000000..0a0a7e0 --- /dev/null +++ b/docs/kubecon-na-23.md 
@@ -0,0 +1,45 @@ +# KubeCon NA '23 Demo + +As part of the [in-toto Maintainer Track talk] at KubeCon NA '23, we present +a demo of the in-toto Attestation Framework, SCAI, and the in-toto Attestation +Verifier. + +## Demo Setup + +The overall flow implemented in the demo is as follows: + +in-toto demo flow + +This demo setup is implemented using the [scai-gen GitHub Actions] in a Docker +container build [demo workflow] for the Hyperledger Labs Private Data Objects +project. + +### Generated Attestations + +This demo generates the follow _authenticated_ in-toto attestations: + +* [SLSA Provenance] attestation for the container build +* [SCAI Attribute Report] attestation for additional integrity metadata about +the build + +These two attestations are signed using cosign OIDC-based keyless signing, +and uploaded to the public Rekor log. + +### Additional Tools + +This demo makes use of the following additional tools: + +* in-toto [attestation-verifier] +* [Anchore SBOM generator] GitHub Action +* [SLSA generic Provenance generator] GitHub Action +* [strace] Linux syscall tracer + +[Anchore SBOM generator]: https://github.com/anchore/sbom-action +[attestation-verifier]: https://github.com/in-toto/attestation-verifier +[demo workflow]: https://github.com/marcelamelara/private-data-objects/blob/kubeconNA23-intoto-demo/.github/workflows/kubeconNA23-intoto-demo.yml +[in-toto Maintainer Track talk]: https://kccncna2023.sched.com/event/1R2mx +[SLSA generic Provenance generator]: https://github.com/slsa-framework/slsa-github-generator +[SLSA Provenance]: https://github.com/in-toto/attestation/blob/main/spec/predicates/provenance.md +[SCAI Attribute Report]: https://github.com/in-toto/attestation/blob/main/spec/predicates/scai.md +[scai-gen GitHub Actions]: https://github.com/in-toto/scai-demos/tree/main/.github/actions +[strace]: https://strace.io/
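Review bot: the README hunk adds a reference-style link that will not resolve: the body text reads `[KubeCon NA '23 doc]` but the definition appended to the link list is `[KubeCon NA '23]: docs/kubecon-na-23.md`, so Markdown renders the body text as literal brackets. Make the two match, e.g. keep the body as is and change the definition to `[KubeCon NA '23 doc]: docs/kubecon-na-23.md`. While in this hunk: the Disclaimer still says the tools "do not generate **authenticated** SCAI attestations", yet the new doc says the demo produces _authenticated_ attestations. The two are reconcilable (the doc says signing is done by cosign keyless signing in the workflow, not by the scai-gen tools), but a short clause in the Disclaimer saying that the demo's signatures come from cosign in the GitHub Actions workflow, not from the scai-generator CLI, would stop readers from seeing a contradiction between the two files.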
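Review bot: in the new docs/kubecon-na-23.md, "This demo generates the follow _authenticated_ in-toto attestations" should read "the following". In the same hunk, the line "in-toto demo flow" under "Demo Setup" is bare alt text with no image: the PNG this patch adds at docs/images/scai-kubeconNA23-demo.png is never referenced, so the intended line is presumably `![in-toto demo flow](images/scai-kubeconNA23-demo.png)`. Two documentation gaps: the "Additional Tools" list names the attestation-verifier, the Anchore SBOM generator and strace but never says what each contributes (what the SCAI Attribute Report actually attests to, e.g. the SBOM and syscall trace, and what policy the verifier checks the two attestations against), so a sentence per tool, or a link to the verification step in the [demo workflow], would make the flow followable without the talk. Finally, [demo workflow] points at a branch (`kubeconNA23-intoto-demo`) of a personal fork; pin it to a commit SHA so the link survives rebases or branch deletion.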