Demo: How Codefresh and Its Argo Core Improve Security
Supply-chain Levels for Software Artifacts, or SLSA to its friends, is a security framework introduced by Google in 2021. It offers incremental guidelines for creating secure builds, yet despite those benefits many developers aren’t even aware of it. But the latest version of Argo, the continuous delivery tool and GitOps enabler, is compliant with Level Three of the four-level SLSA framework.
Level Three “basically means that now anybody that’s deployed Argo can check the verification on these images and make sure that they were signed by the project,” said Dan Garfield, co-founder and chief open source officer of Codefresh. “They were created in our [continuous integration] system and they weren’t manipulated in any way.”
In this episode of The New Stack Demos, Garfield showed Alex Williams, TNS founder and publisher, features of Codefresh’s enterprise platform, which is built on Argo.
A problem that the latest from Codefresh seeks to solve, Garfield said, is that it’s hard for developers to know the current status of their code once it’s deployed. “Codefresh solves that by surfacing all that information right away, so that you always know exactly where everything came from, what changes have actually made it into production.”
In short, he summarized, “it allows developers to follow their code where it goes, and it allows operations to follow the code where it came from.”
Check out the full video demo to see how it all works.