Core Concepts

Supply Chain Security

Supply chain security refers to protecting the integrity, security, and reliability of the software development lifecycle from development to deployment. Tekton Chains is designed to address supply chain security concerns by providing mechanisms to verify that artifacts produced by CI/CD pipelines have not been tampered with and can be trusted.

Provenance

Provenance is metadata containing verifiable information about software artifacts, describing how they were built, what sources were used, and who built them. In Tekton Chains, provenance is cryptographically signed to ensure its integrity and authenticity.

There are two types of provenance in Tekton Chains:

  • Task-level provenance: Captures details about a specific TaskRun execution
  • Pipeline-level provenance: Captures the entire PipelineRun execution, including all child TaskRuns

SLSA Framework

SLSA (Supply-chain Levels for Software Artifacts) is a security framework that provides a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. Tekton Chains supports multiple SLSA provenance formats:

  • SLSA v0.2: Supported via slsa/v1 or in-toto formatters
  • SLSA v1.0: Supported via slsa/v2alpha3 and slsa/v2alpha4 formatters

Artifacts

Artifacts in Tekton Chains refer to the inputs and outputs of a build process:

  • Input Artifacts: Resources that influence the build process, such as source code repositories and dependencies
  • Output Artifacts: Resources produced by the build process, such as container images

Type Hinting

Type hinting is a mechanism used by Tekton Chains to understand the input and output artifacts of a TaskRun or PipelineRun. Type hints are specially named parameters or results that follow specific formats:

  • For Git inputs: CHAINS-GIT_URL and CHAINS-GIT_COMMIT
  • For generic inputs: Parameters or results with the suffix ARTIFACT_INPUTS
  • For image outputs: IMAGES, or a pair of parameters/results with the suffixes IMAGE_URL and IMAGE_DIGEST
  • For generic outputs: Parameters or results with the suffix ARTIFACT_OUTPUTS
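The matching rules these type hints imply, as an added example (not Tekton Chains' own code): a small Python function that walks a constructed TaskRun results list and collects the input and output artifacts it would recognise, dropping an IMAGE_URL that has no paired IMAGE_DIGEST and any reference whose digest is malformed. It assumes IMAGES holds comma- or newline-separated `url@digest` references and that ARTIFACT_INPUTS/ARTIFACT_OUTPUTS results are objects with `uri` and `digest` fields; the repository, image and digest values are placeholders.

```python
import re

# Constructed sample: the results of one TaskRun status, using the type-hint
# names from the list above. All repositories, images and digests are placeholders.
SAMPLE_RESULTS = [
    {"name": "CHAINS-GIT_URL", "value": "https://git.example.com/org/app.git"},
    {"name": "CHAINS-GIT_COMMIT", "value": "0123456789abcdef0123456789abcdef01234567"},
    {"name": "app-IMAGE_URL", "value": "registry.example.com/org/app"},
    {"name": "app-IMAGE_DIGEST", "value": "sha256:" + "11" * 32},
    {"name": "orphan-IMAGE_URL", "value": "registry.example.com/org/orphan"},
    {"name": "IMAGES", "value": "registry.example.com/org/sidecar@sha256:" + "22" * 32
                                 + ",registry.example.com/org/bad@sha256:notadigest"},
    {"name": "sbom-ARTIFACT_OUTPUTS",
     "value": {"uri": "registry.example.com/org/app-sbom", "digest": "sha256:" + "33" * 32}},
    {"name": "deps-ARTIFACT_INPUTS",
     "value": {"uri": "https://proxy.example.com/deps.tar.gz", "digest": "sha256:" + "44" * 32}},
    {"name": "build-log", "value": "no type hint, ignored"},
]

SHA256_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def _add(bucket, uri, digest):
    # Only accept a URI that is paired with a well-formed sha256 digest.
    if uri and isinstance(digest, str) and SHA256_RE.match(digest):
        bucket.append({"uri": uri, "digest": digest})

def collect_artifacts(results):
    """Return (inputs, outputs) as lists of {'uri', 'digest'} dicts."""
    by_name = {r["name"]: r["value"] for r in results}
    inputs, outputs = [], []
    # Git source input: both hints must be present to record the checkout.
    url, commit = by_name.get("CHAINS-GIT_URL"), by_name.get("CHAINS-GIT_COMMIT")
    if url and commit:
        inputs.append({"uri": url, "digest": "sha1:" + commit})
    for name, value in by_name.items():
        if name.endswith("ARTIFACT_INPUTS") and isinstance(value, dict):
            _add(inputs, value.get("uri"), value.get("digest"))
        elif name.endswith("ARTIFACT_OUTPUTS") and isinstance(value, dict):
            _add(outputs, value.get("uri"), value.get("digest"))
        elif name.endswith("IMAGE_URL"):
            # Pair "<prefix>IMAGE_URL" with "<prefix>IMAGE_DIGEST"; an unpaired URL is dropped.
            _add(outputs, value, by_name.get(name[: -len("IMAGE_URL")] + "IMAGE_DIGEST"))
        elif name == "IMAGES":
            # Comma- or newline-separated "url@digest" references (assumed format).
            for ref in re.split(r"[,\n]", value):
                uri, _, digest = ref.strip().partition("@")
                _add(outputs, uri, digest)
    return inputs, outputs
```

Running it over the sample yields one Git input plus one generic input, and three outputs; the orphan image URL and the malformed IMAGES entry are silently dropped, which is the case to watch for when a build's provenance comes back with fewer subjects than expected.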

Signing

Signing applies a cryptographic signature to the generated provenance so that consumers can verify its integrity and authenticity. Tekton Chains supports multiple signing methods:

  • x509: Uses a standard x509 certificate and private key
  • Cosign: Uses Sigstore's Cosign tool for signing
  • KMS: Uses cloud provider key management services
  • Keyless: Uses ephemeral keys with Fulcio certificate authority

Storage Backends

Storage backends are where Tekton Chains stores the generated provenance and signatures. Supported backends include:

  • Tekton: Stores as annotations on the TaskRun/PipelineRun
  • OCI: Stores in an OCI registry alongside container images
  • GCS: Stores in Google Cloud Storage
  • DocDB: Stores in a document database
  • Grafeas: Stores in Grafeas/Container Analysis

Controller

The Tekton Chains controller is the core component that observes TaskRun and PipelineRun executions, captures relevant information, and generates, signs, and stores provenance. It runs as a Kubernetes deployment in the tekton-pipelines namespace.