You Shall Not Pass! Unless You Are GUAC Verified…. - Parth Patel, Kusari & Dejan Bosanac, Red Hat

Abstract

Having the most up-to-date information when you have to make a decision is always key. This is true for many real-world applications, but it is paramount for software supply chain security. To comply with Executive Order 14028, we now have mountains of metadata at our fingertips: SBOMs, SLSA attestations, vulnerability information, and various in-toto ITE-6 attestations. With the introduction of projects like GUAC and Trustification, this metadata can now be collected and analyzed successfully. Combining it with a policy engine such as OPA, we can write a policy that validates whether a specific container or artifact is allowed to run in a cluster based on its security assessment. In this presentation, we will explain the concepts behind the GUAC and Trustification projects. Next, we will demonstrate how OPA can be integrated with GUAC to create a policy that answers the question: “Is this artifact allowed to run in this environment?”
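The following Rego policy is an added illustration of the kind of admission rule the talk describes; it is not code from the talk, GUAC, or Trustification. It assumes that the results of a GUAC query for the artifact have already been flattened into a simple `input` document (SBOM present, SLSA level, list of known vulnerabilities); the real GUAC GraphQL response shape is not shown on this page.

```rego
package supplychain.admission

import rego.v1

# Assumed, hypothetical input shape (not the GUAC API), e.g.:
#   {"artifact": "sha256:<digest>", "sbom": true, "slsa_level": 3,
#    "vulnerabilities": [{"id": "GHSA-example", "severity": "HIGH"}]}

default allow := false

# Minimum SLSA build level we are willing to admit.
required_slsa_level := 3

# Vulnerability severities that block admission.
blocking_severities := {"CRITICAL", "HIGH"}

# The artifact may run only when every check holds.
allow if {
	input.sbom == true
	input.slsa_level >= required_slsa_level
	count(blocking_vulns) == 0
}

# IDs of vulnerabilities whose severity is in the blocking set.
blocking_vulns contains v.id if {
	some v in input.vulnerabilities
	v.severity in blocking_severities
}

# Human-readable reasons, handy for an admission-controller response.
deny contains "no SBOM recorded for this artifact" if {
	not input.sbom
}

deny contains msg if {
	input.slsa_level < required_slsa_level
	msg := sprintf("SLSA level %d is below required level %d", [input.slsa_level, required_slsa_level])
}

deny contains msg if {
	some id in blocking_vulns
	msg := sprintf("unresolved blocking vulnerability %s", [id])
}
```

Evaluate it locally with `opa eval -i input.json -d policy.rego 'data.supplychain.admission'`; `allow` is `true` only when an SBOM exists, the SLSA level meets the threshold, and no CRITICAL or HIGH vulnerability remains, and `deny` lists every reason the artifact was refused.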
