Description
Is there an existing feature request for this?
- I have searched the existing feature requests
Is your feature request related to a problem or use-case? Please describe.
To meet SLSA Build Level 3, the build platform must meet the following "isolated" requirement:
The build platform ensured that the build steps ran in an isolated environment, free of unintended external influence. In other words, any external influence on the build was specifically requested by the build itself. This MUST hold true even between builds within the same tenant project.
Shipwright's BuildStrategy implementation does not currently meet this criterion, because the build steps defined in a build strategy are stored as a mutable object on Kubernetes. An attacker who obtains permission to edit a BuildStrategy or ClusterBuildStrategy can externally influence the behavior of a build outside of the user's intent.
Describe the solution that you would like.
Provide a mechanism for Shipwright to build containers with an immutable build strategy whose contents are obtained from a content-addressable location. Examples include:
- A file stored in a git repository, at a particular revision/sha
- A file within an OCI artifact, stored in a container registry and pullable by digest
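To illustrate the check a content-addressed strategy source would have to perform (an added example written for this issue, not Shipwright's code), the snippet below assumes a hypothetical reference form `<location>@sha256:<hex>`, rejects any reference that is not pinned by digest, and refuses strategy content whose digest does not match the pin, so that editing the stored object cannot change what the build runs.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// PinnedRef is a hypothetical content-addressable strategy reference of the
// form <location>@sha256:<hex>; the location may be a registry path or a repo.
type PinnedRef struct {
	Location string
	Digest   string // lowercase hex SHA-256 of the strategy file
}

// ParsePinnedRef accepts only references pinned by a full SHA-256 digest.
// Tags, branch names and bare locations are mutable and are rejected.
func ParsePinnedRef(ref string) (PinnedRef, error) {
	loc, dig, ok := strings.Cut(ref, "@sha256:")
	if !ok || loc == "" {
		return PinnedRef{}, errors.New("strategy reference is not pinned by sha256 digest: " + ref)
	}
	if len(dig) != 64 {
		return PinnedRef{}, fmt.Errorf("digest must be 64 hex chars, got %d", len(dig))
	}
	if _, err := hex.DecodeString(dig); err != nil {
		return PinnedRef{}, fmt.Errorf("digest is not hex: %w", err)
	}
	return PinnedRef{Location: loc, Digest: strings.ToLower(dig)}, nil
}

// DigestOf returns the lowercase hex SHA-256 of fetched strategy content.
func DigestOf(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// VerifyStrategyContent fails when the fetched bytes do not match the pin,
// which is the property that makes the strategy immutable from the build's view.
func VerifyStrategyContent(ref PinnedRef, content []byte) error {
	if got := DigestOf(content); got != ref.Digest {
		return fmt.Errorf("strategy %s: digest mismatch, want %s got %s", ref.Location, ref.Digest, got)
	}
	return nil
}

func main() {
	// Constructed sample: a minimal strategy file and a tampered copy of it.
	original := []byte("apiVersion: shipwright.io/v1beta1\nkind: BuildStrategy\nsteps: [build]\n")
	tampered := []byte("apiVersion: shipwright.io/v1beta1\nkind: BuildStrategy\nsteps: [exfil, build]\n")
	ref, _ := ParsePinnedRef("ghcr.io/example/strategies/buildah@sha256:" + DigestOf(original))
	fmt.Println("original ok:", VerifyStrategyContent(ref, original) == nil)
	fmt.Println("tampered ok:", VerifyStrategyContent(ref, tampered) == nil)
}
```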
Describe alternatives you have considered.
Allow build strategies to be derived from Tekton tasks/pipelines, which can be sourced from a Git repository or OCI artifact: #1578
Anything else?
SLSA v1.2 build track requirements: https://slsa.dev/spec/v1.2/build-requirements#follow-a-consistent-build-process