
Discussion: How does runtime monitoring of a build fit into SLSA? #1132

Open
marcelamelara opened this issue Sep 17, 2024 · 0 comments

Comments

@marcelamelara
Contributor

So far, we've been considering an L4 for the upcoming build environment track that covers hardware-attested runtime integrity checking (e.g., FS accesses). But in a private discussion with @paveliak today, we concluded that runtime monitoring may also include various other aspects about a build environment's behavior, such as network accesses, file system changes. Two points came up for us:

  1. This could be related to hermetic builds in that runtime monitoring could provide evidence for the hermeticity of a build. Should this be within the scope of a future hermetic builds requirement?

  2. Runtime security monitoring of builds is a larger problem space that could address other classes of threats, some of which wouldn't be caught through hash-based integrity checking. Is there a new potential track here that focuses on the runtime behavior of a build system?
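As an added illustration of the first point (not part of this issue or of the SLSA specification): a small checker that consumes runtime-monitoring events recorded during a build and evaluates them against a hermeticity policy. The event schema (`phase`, `type`, `path`, `dst`, `port`), the policy fields, and the sample events are all constructed assumptions for this example; a real implementation would take events from whatever monitor the build platform actually runs (eBPF, audit log, sandbox tracer) and would anchor the policy in the platform's own configuration.

```python
"""Hermeticity evidence from runtime-monitoring events (added example).

Assumptions (not from the SLSA issue or spec): events are dicts with
'ts', 'phase', 'type' and type-specific fields; the policy below is a
plausible stand-in for what a build platform would declare.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Policy:
    # Only writes under these prefixes are expected from a hermetic build step
    # (assumed: workspace, declared output dir, scratch space).
    writable_prefixes: tuple = ("/workspace/", "/out/", "/tmp/")
    # Network peers the build step may reach (assumed: a local cache only).
    allowed_hosts: frozenset = frozenset({"127.0.0.1"})
    # Phases the hermeticity policy applies to. A separate, earlier 'fetch'
    # phase may legitimately resolve dependencies over the network.
    monitored_phases: frozenset = frozenset({"build"})


@dataclass(frozen=True)
class Finding:
    kind: str     # 'unexpected_write' or 'network_egress'
    detail: str   # path or host:port that violated the policy
    ts: float     # timestamp of the offending event


def evaluate(events: Iterable[dict], policy: Policy) -> list[Finding]:
    """Return one Finding per event that contradicts the hermeticity policy."""
    findings: list[Finding] = []
    for ev in events:
        if ev.get("phase") not in policy.monitored_phases:
            continue  # outside the monitored window; not evidence either way
        if ev["type"] == "fs_write":
            path = ev["path"]
            if not any(path.startswith(p) for p in policy.writable_prefixes):
                findings.append(Finding("unexpected_write", path, ev["ts"]))
        elif ev["type"] == "net_connect":
            host = ev["dst"]
            if host not in policy.allowed_hosts:
                findings.append(
                    Finding("network_egress", f"{host}:{ev['port']}", ev["ts"])
                )
    return findings


def is_hermetic(events: Iterable[dict], policy: Policy) -> bool:
    """A build step is treated as hermetic when no finding is raised."""
    return not evaluate(list(events), policy)


# Constructed sample event stream; 203.0.113.7 is from the documentation
# address range and stands in for an arbitrary external host.
SAMPLE_EVENTS = [
    {"ts": 1.0, "phase": "fetch", "type": "net_connect", "dst": "10.0.0.5", "port": 443},
    {"ts": 2.0, "phase": "build", "type": "fs_write", "path": "/workspace/src/main.o"},
    {"ts": 3.0, "phase": "build", "type": "fs_write", "path": "/usr/lib/libfoo.so"},
    {"ts": 4.0, "phase": "build", "type": "net_connect", "dst": "127.0.0.1", "port": 8080},
    {"ts": 5.0, "phase": "build", "type": "net_connect", "dst": "203.0.113.7", "port": 443},
    {"ts": 6.0, "phase": "build", "type": "fs_write", "path": "/out/app.tar"},
]


def check_sample() -> list[Finding]:
    """Run the policy over the constructed events; expect two findings."""
    return evaluate(SAMPLE_EVENTS, Policy())


if __name__ == "__main__":
    for f in check_sample():
        print(f"{f.ts:>5}  {f.kind:<17} {f.detail}")
    print("hermetic:", is_hermetic(SAMPLE_EVENTS, Policy()))
```

The point the example makes about the second question is visible in the third sample event: the build produced exactly the artifacts it declared (so a hash check on the outputs would pass) while also writing outside the workspace and opening an outbound connection. Those behaviours only show up in the runtime record, which is why this kind of evidence complements rather than replaces hash-based integrity checking.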
