It has been a big month for supply chain security! GitHub recently announced the public beta for npm package provenance. This adds new functionality to npmjs.com and the npm CLI that allows package maintainers to generate and upload SLSA Build Level 2 provenance along with their packages. Integration with Sigstore enables verification of signature and certificate metadata so users know that the package came from the expected source repository.
The SLSA Tooling SIG has been collaborating with GitHub to give npm package authors more options to further harden builds. As part of this collaboration, we are announcing the beta of the SLSA3 Node.js builder for GitHub Actions. The Node.js builder provides a GitHub Actions reusable workflow that can be called to perform the build, generate SLSA Build L3 compliant provenance, and publish it to the npm registry along with the package.
Given that Node.js is one of the largest open source ecosystems, we believe these announcements go a long way towards improving supply chain security for open source overall. As packages adopt SLSA provenance, we hope that npm can serve as a model for more open source ecosystems in the future.
Major Steps in Securing the OSS Supply Chain
GitHub’s first-class support for package provenance in npm is a major step forward in Open Source supply chain security for a number of reasons.
First, it provides a way for package maintainers to generate provenance for their packages with minimal changes to their development workflows. This allows busy Open Source developers to get large supply chain security gains with only a small time investment.
Second, it provides a natural way to host provenance along with the package itself. This takes advantage of existing package tooling to transparently distribute provenance to users so it can be verified easily.
Third, verification can be incorporated into the user’s normal workflow via the
npm audit signatures
command. Provenance adds the most value if it can be
verified before install. Support for verification in the npm CLI makes this much
easier.
With this new support the provenance generated by npm projects achieves SLSA Build Level 2. SLSA Build L2 gives projects a huge boost to software supply chain integrity of npm packages. It prevents tampering after the build with digital signatures, reduces the attack surface to one that can be more easily audited and hardened, and allows for easier migration to more hardened SLSA Build levels in the future.
Going Further with SLSA on GitHub Actions
SLSA Build L3 improves upon SLSA Build L2 with additional requirements. These include further hardening the build process by preventing build runs from influencing one another, and preventing secret material used to sign the provenance from being accessible to the build steps. The benefits of the new requirements include preventing tampering during the build, and reducing the impact of compromised registry credentials.
These advantages are important because package installs and builds can run untrusted and potentially compromised code from dependencies and other sources. This in turn could allow attackers to leak private keys, modify provenance or generate provenance for other artifacts. As we have seen in the past, open source packages are not immune to these targeted attacks.
The Node.js builder, built in collaboration with GitHub, does this by executing the build, generation, and signing of provenance in separate jobs separated by a virtual machine (VM) security boundary provided by GitHub-hosted runners.
Using the Node.js builder is as easy as making a GitHub Actions reusable workflow call. Most packages can slot this into their workflows fairly seamlessly.
jobs:
build:
permissions:
id-token: write # For signing
contents: read # For repo checkout.
actions: read # For getting workflow run info.
if: startsWith(github.ref, 'refs/tags/')
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml@v1.6.0
with:
run-scripts: "ci, build"
Learn more about Node.js builder in the documentation.
Exploring and monitoring the npm package security landscape
In addition to the direct security benefits provided by SLSA, provenance provides more information on packages, improving their trustworthiness. The SLSA Tooling SIG has collaborated with Google Open Source Insights (deps.dev) to support exploration of provenance metadata for npm packages. This new feature will support both npm package provenance and provenance generated by the SLSA3 Node.js builder and can be used in conjunction with the npm official registry.
Explore some packages that generate provenance today:
The value of cooperation
Support for SLSA provenance in the npm public registry is a great step forward for improving the supply chain security of open-source projects. As we move forward, improved support for supply chain security and cooperation with programming language ecosystems is vital and we are looking forward to working with more ecosystems in the future.
Please try out the new Node.js builder and let us know what you think by opening an issue on GitHub. You can also ask a question in the #slsa-tooling channel in the OpenSSF community slack. We would love to hear from you! You can follow along with the development of the Node.js builder’s GA release via our development milestone.
See you soon!