Google and GitHub have collaborated on a method to help prevent software supply chain attacks like the ones that hit SolarWinds and Codecov.
In the SolarWinds attack, the intruders took control of a build server and injected malicious artefacts into the build platform, according to Google’s open source security team; in the Codecov attack, threat actors bypassed the trusted builders to upload artefacts of their own. Google and GitHub have proposed a new way of producing what they call “non-forgeable provenance”: a signed record of how, where and from which source an artefact was built, which a consumer can check before trusting the artefact.
The solution uses GitHub Actions reusable workflows for isolation, so that the step producing the provenance runs apart from the project’s own build steps, and Sigstore’s signing tools for authenticity. The aim is to help projects that build on GitHub-hosted runners reach a high SLSA level.
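To make concrete what a consumer actually checks in such provenance, here is an added example (not code from the article, from Google or from GitHub) that builds an in-toto Statement carrying SLSA v0.2 provenance, wraps it in a DSSE envelope, and then applies the policy checks that defeat the two attacks described above: the artefact digest must be listed in the provenance subject (a post-build swap fails), and the builder and source must be the ones the consumer trusts (provenance minted on an attacker’s own runner fails). The builder ID, source URI, build type and artefact bytes are constructed placeholders; the Sigstore signature over the DSSE envelope is assumed to have been verified already by the signing tools and is not checked here.

```python
"""Consumer-side checks on SLSA provenance carried in a DSSE envelope.

Added example; not code from the article or from the Google/GitHub generator it
describes. Sigstore signature verification of the envelope is assumed to have
already succeeded; this shows the claims a consumer checks after that.
"""
import base64
import hashlib
import json

# Constructed sample artefact and the builder/source this consumer trusts.
# Both URIs are hypothetical placeholders, not real workflows or repositories.
ARTIFACT_BYTES = b"hello, supply chain\n"
TRUSTED_BUILDER_ID = ("https://github.com/example-org/trusted-builder/"
                      ".github/workflows/build.yml@refs/tags/v1.0.0")
EXPECTED_SOURCE = "git+https://github.com/example-org/example-project@refs/tags/v0.1.0"
PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"
PAYLOAD_TYPE = "application/vnd.in-toto+json"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the bytes the Sigstore signature covers.

    Binding the payload type into the signed bytes prevents an attacker from
    re-presenting a signature made over some other kind of document.
    """
    return b" ".join([
        b"DSSEv1",
        str(len(payload_type)).encode(), payload_type.encode(),
        str(len(payload)).encode(), payload,
    ])


def make_provenance(artifact: bytes, name: str, builder_id: str, source_uri: str) -> dict:
    """Build an in-toto Statement with SLSA v0.2 provenance for one artefact."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": PREDICATE_TYPE,
        "subject": [{"name": name,
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.com/hypothetical-build-type",  # placeholder
            "invocation": {"configSource": {"uri": source_uri,
                                            "entryPoint": ".github/workflows/build.yml"}},
        },
    }


def wrap_dsse(statement: dict) -> dict:
    """Wrap the statement as a DSSE envelope; the signature slot is a placeholder."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "", "sig": "<sigstore-signature-omitted>"}]}


def verify_provenance(envelope: dict, artifact: bytes,
                      trusted_builder: str, expected_source: str) -> list:
    """Return the list of policy failures; an empty list means the artefact is accepted."""
    failures = []
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        return ["unexpected DSSE payloadType"]
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != PREDICATE_TYPE:
        failures.append("not SLSA v0.2 provenance")
    # Codecov-style post-build swap: the bytes we hold are not what was built.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        failures.append("artifact digest not listed in provenance subject")
    # SolarWinds-style builder compromise or an attacker-run builder: the
    # provenance was not produced by the isolated workflow we trust.
    pred = statement.get("predicate", {})
    if pred.get("builder", {}).get("id") != trusted_builder:
        failures.append("builder is not the trusted isolated builder")
    if pred.get("invocation", {}).get("configSource", {}).get("uri") != expected_source:
        failures.append("provenance does not point at the expected source and tag")
    return failures


def demo() -> dict:
    """Run the check against a genuine, a swapped and a forged-builder case."""
    good = wrap_dsse(make_provenance(ARTIFACT_BYTES, "artifact.tar.gz",
                                     TRUSTED_BUILDER_ID, EXPECTED_SOURCE))
    forged = wrap_dsse(make_provenance(ARTIFACT_BYTES, "artifact.tar.gz",
                                       "https://github.com/attacker/self-hosted",  # hypothetical
                                       EXPECTED_SOURCE))
    return {
        "genuine": verify_provenance(good, ARTIFACT_BYTES, TRUSTED_BUILDER_ID, EXPECTED_SOURCE),
        "swapped": verify_provenance(good, b"backdoored bytes", TRUSTED_BUILDER_ID, EXPECTED_SOURCE),
        "forged": verify_provenance(forged, ARTIFACT_BYTES, TRUSTED_BUILDER_ID, EXPECTED_SOURCE),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", "accepted" if not result else result)
```

The point of the DSSE wrapping is that the signature covers `pae(payloadType, payload)`, so the builder identity, the source revision and the subject digests cannot be altered independently of one another once signed; the consumer’s job is then the small policy shown in `verify_provenance`, pinning the builder to the isolated workflow and the source to the expected repository and tag.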