Session
Sum Of Parts: GitOps + Supply Chain Security
The Open Source Security Foundation stewards a Supply Chain Integrity Working Group. Following the directives published by this group, a prototype implementation of a secure pipeline has been built, known as FRSCA (Factory for Repeatable Secure Creation of Artifacts).
It follows the architecture laid out in the Cloud Native Computing Foundation's (CNCF) Secure Software Factory Reference Architecture, as outlined in their Software Supply Chain Best Practices White Paper.
In this talk, I would like to demo a slight variation of FRSCA to use GitOps principles and corresponding GitOps tooling. The goal of my presentation is to demonstrate the viability of FRSCA/Supply Chain Security principles in a GitOps realm.
Three key principles are found at the core of FRSCA: (a) simple and fast, (b) SLSA ready, and (c) secure by default. I firmly believe that these can be realized using GitOps operators and tooling. This will extend the CNCF example implementation by adding a GitOps-specific implementation of the same reference architecture.

Ram Iyengar
Developer Advocate at the Cloud Foundry Foundation
Chennai, India