By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept
Resources
>
Blog
>
Article
A spot illustration of Github artifact attestation
May 17, 2024

Lowering the Barrier of Entry for Automated Governance — GitHub's New Artifact Attestation Feature

GitHub's new Artifact Attestations feature represents a significant advancement for streamlining Governance, Risk, and Compliance (GRC) processes. By integrating attestation creation directly into GitHub Actions, it simplifies the adoption of automated governance for teams and reduces the need for custom development.

Eric Chapman
Principal DevOps Consultant
Alex Detesan
Lead DevOps Engineer

Introduction

GitHub’s recent blog, Introducing Artifact Attestations–now in public beta, is great news for organizations on the path to automate their Governance, Risk, and Compliance (GRC).  Before we dive too deep into GitHub's new Artifact Attestations feature, let’s take a step back and do a quick recap of the domain it fits into — Automated Governance. Automated Governance goes by many aliases — Governance, Risk, and Compliance (GRC) engineering, policy as code, etc. — and while industry experts might differentiate between some of these elements, the desired outcome is the same: improving the security and compliance of artifacts created by software supply chains in an automated fashion.

At a high level, Automated Governance refers to the ability to provide the collection, attestation, policy evaluation, and enforcement of an organization’s GRC standards throughout the software development lifecycle. With that in mind, let's talk about why GitHub’s Artifact Attestations feature is a big deal and what challenges still exist when implementing Automated Governance.

GitHub Artifact Attestations: What Excites Us the Most

  • Integrating the attestation element of the GRC process in the same platform as SCM, CI/CD, and even your security validations reduces the need for platform engineering teams to host a Sigstore stack.
  • It significantly lowers the barrier of entry for product and platform teams using GitHub to adopt Automated Governance by getting a major component out of the box. All that is needed to get started is to add some YAML to your GitHub Actions workflow for attestation creation and leverage the GitHub CLI tool for the verification and policy evaluation step.
A diagram of how Github Artifact Attestation works
https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/
  • GitHub now provides three new GitHub Actions: actions/attest-build-provenance and actions/attest-sbom to support provenance and SBOM attestations, respectively, and a generic actions/attest that can be extended to other predicate types. Prior to this update, our customers would need to create their own build images with the Sigstore tooling and write their own pipeline automation to enable the collection, attestation, policy evaluation, and enforcement functionality.
  • The technology and approach is directly aligned with Liatrio’s POV on how organizations should implement Automated Governance. Last year, Liatrio created a GitHub reference implementation of an app and the accompanying trusted build actions and released a video guide as reference. GitHub’s supported workflow saves ~ 100 lines of code from the workflow steps. Organizations no longer need to implement their own provenance step nor the sbom step, instead teams can simply call GitHub’s Action(s) directly.
  • If that’s not enough reason to be excited, GitHub is also hosting a Sigstore instance for private repos, while public repos will leverage Sigstore’s public good instance.  This is one less production workload that needs to be run and maintained.
  • GitHub is now an approved root certificate authority. This means that customers and open source projects now have a path for signing artifacts without having to build out PKI or manage secrets, which could be leaked or lost.
  • SBOMs can now be easily associated with an artifact via GitHub’s attest-sbom action which will automatically wrap an SBOM it is provided with in an in-toto predicate, sign it using GitHub’s internal Sigstore, associate it with the artifact, and store it in GitHub’s attestation store.

All of these features are accelerators in adoption and rollout and help democratize Automated Governance. This showcases a significant investment in engineering time and underscores GitHub’s commitment to be the top-tier engineering platform of choice.

Challenges of Automated Governance

Although this is great progress, there are still many challenges for organizations to overcome when adopting Automated Governance. The biggest one we have encountered working with highly regulated enterprises is getting the GRC team aligned with the tech. From our experience, auditors and people in charge of risk are not easily excited about CLI tools and CI/CD pipelines; they need to see how GRC Engineering makes their job easier by creating a mechanism to easily summarize the risk profile of an artifact for production with the ability to drill down to the actual event occurrence.

Why Automated Governance Should be on your Radar

  • The use of open source projects is very prevalent in enterprises, and having unforgeable proof that an artifact is from a trusted source is imperative.
  • The Whitehouse’s Executive Order (EO 14028) is just the beginning of the need for a sharper focus on enhancing the nation's cybersecurity and is currently impacting government contractors. We predict that this will be a far more wide-sweeping requirement for commercial applications in the near term.
  • Lack of visibility of artifacts deployed in production can put your organization at risk. A narrow view into a limited subset of the software supply chain means the entire delivery system is at risk.
  • Traditional — often manual — governance processes act as a bottleneck and hinder fast iteration. Automated Governance can scale to keep up with modern software delivery practices without sacrificing security.

Conclusion

GitHub’s new Artifact Attestations feature marks a significant step forward for organizations seeking to automate their GRC processes. Integrating attestation capabilities into the GitHub platform lowers the barrier of entry for teams to adopt Automated Governance practices and reduces the need for custom solutions. The provision of out-of-the-box actions for provenance and SBOM checks, along with an extensible generic attest action that customers can leverage and promised support for new predicate types in the future makes it easy for teams to integrate attestations into their existing workflows. Additionally, GitHub’s role as an approved root certificate authority further enhances trust and security in the software supply chain.

Despite these advancements, challenges remain, particularly in aligning GRC teams with technical implementations. One of the advantages of running your own Sigstore stack is having access to all attestations, which can be plugged into visualization tools such as Grafana to draw insights. To support this, GitHub could make an organization’s attestations exportable or enable support for visualizations inside their platform. Ultimately, GitHub’s investment in Automated Governance underscores their commitment to empowering organizations with robust, scalable, and secure development practices, paving the way for a future where compliance and innovation can coexist seamlessly.


Latest From Our Blog

Enterprise
The Business Value of Observability: Why Enterprises Should Leverage the DORA Report

Enterprises are driving innovation and digital transformation with insights from the DORA report. Find out how in our latest blog.

Team Liatrio
6/25/2024
Automated Governance
Lowering the Barrier of Entry for Automated Governance — GitHub's New Artifact Attestation Feature

GitHub's new Artifact Attestations feature represents a significant advancement for streamlining Governance, Risk, and Compliance (GRC) processes. By integrating attestation creation directly into GitHub Actions, it simplifies the adoption of automated governance for teams and reduces the need for custom development.

Eric Chapman
Alex Detesan
5/17/2024
Security at Scale: Platform Engineering Enforces Security Best Practices

This blog looks at how bringing Platform Engineering to your security organization not only strengthens security posture, but also embeds security capabilities into IT and software delivery.

Robert Kelly
5/2/2024
IDPs and APIs: How Platform Engineering Supports Developer Experience (DevEx)

APIs and IDPs enable platforms to become accelerators for delivery, allowing teams to innovate quicker, with higher quality, and with greater satisfaction.

Robert Kelly
4/19/2024
Platform Engineering: Driving Developer Experience and Business Value

In this blog we take a high-level look at some of the drivers of business value for Platform Engineering and building enterprise delivery platforms.

Robert Kelly
4/5/2024
Enterprise
Killing DevOps: The Rise and Fall of a Transformational Giant

The majority of IT organizations have implemented DevOps principles and ways of working. Sounds amazing, right? Then why is DevOps dying? Read the blog to find out.

Robert Kelly
3/26/2024
Enterprise Modernization
What Is Platform Engineering? The Concept Behind the Term

What is platform engineering? It consists of removing obstacles between developers and production. Learn more about it in this post.

Robert Kelly
3/22/2024
DevEx
Navigating Your Path to the Ideal IDP: Backstage vs. Getport.io

This blog explores the vital role of internal development portals (IDPs) like Backstage and Getport.io in enhancing development workflows.

Jon Rudy
3/7/2024
Github
GitHub API — Automate Everything!

This blog explores the diverse capabilities of the GitHub API beyond version control, detailing how it can enhance CICD environments. From cleanup tasks and data funneling to enforcing standardization and enabling self-service jobs, the API's versatility is showcased.

Devin Leaman
2/18/2024
DevOps Tools
ServiceNow is NOT a Developer Platform (iDP)

Exploring the limitations of ServiceNow in developer environments, this blog contrasts its rigid, ticket-based system with more agile developer portals, emphasizing the need for collaboration, rapid iteration, and developer autonomy in software development.

Mitchell Phillips
2/14/2024
Read More on Our Blog
Ready to get started?

Contact Us

We'd love to learn more about your project and determine how we can help out.