manage-supply-chain


Manage Supply Chain


Configure SBOM generation, artifact signing, supply chain policy enforcement, and SLSA provenance tracking in Harness SSCA.

Instructions


Step 1: Establish Scope


Confirm the user's org, project, service, and build tool.
Call MCP tool: harness_list
Parameters:
  resource_type: "project"
  org_id: "<organization>"

Step 2: Identify the SSCA Task


Determine which workflow the user needs:
  1. SBOM Generation -- Automated SBOM creation on every build with signing and attestation
  2. Supply Chain Policy Enforcement -- OPA policies for artifact provenance, signing, and compliance

Step 3: Configure SBOM Generation


Gather from the user:
  • Service name, build tool, and language
  • Pipeline to attach SBOM generation to
  • SBOM format: CycloneDX 1.5 (JSON) or SPDX 2.3 (JSON)
  • SBOM scope: direct dependencies, transitive, or full (OS + language + transitive)
  • Signing key provider: Cosign keyless (Sigstore), Cosign with KMS, AWS KMS, GCP KMS
Configure SBOM generation in the CI pipeline:
  • Trigger on every successful build or container push
  • Generate SBOM in the selected format
  • Sign SBOM with the configured key provider
  • Attach as OCI artifact alongside the container image
  • Require valid signature verification before deployment to protected environments
Supply Chain Risk Analysis:
  • Flag dependencies with known CVEs above CVSS threshold (default 7.0)
  • Detect license conflicts (e.g., GPL-3.0, AGPL-3.0)
  • Flag dependencies outdated by more than N months
  • Flag dependencies from untrusted registries
Compliance Mapping:
  • Target SLSA level (Level 1, 2, or 3)
  • Map to compliance frameworks: NIST SSDF, EO 14028, SOC2

Step 4: Configure Supply Chain Policy Enforcement


Gather enforcement points from the user (build, push, deploy, or all stages).
Define OPA policies:
  1. Artifact Provenance -- Require all container images to have valid Cosign signatures
  2. SLSA Level -- Enforce minimum SLSA level for production deployments
  3. SBOM Requirements -- Block deployment if SBOM is missing or unsigned
  4. Dependency Restrictions -- Block artifacts with banned licenses or known malicious packages
  5. Registry Allowlist -- Only allow artifacts from approved registries
Call MCP tool: harness_create
Parameters:
  resource_type: "policy"
  org_id: "<organization>"
  project_id: "<project>"
  body:
    name: "supply-chain-enforcement"
    identifier: "supply_chain_enforcement"
    rego: |
      package harness.supply_chain

      deny[msg] {
        not input.artifact.signed
        msg := "Artifact must be signed with Cosign before deployment"
      }

      deny[msg] {
        not input.artifact.sbom_attached
        msg := "SBOM must be generated and attached to artifact"
      }
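Added example, not Harness code or code from this page: the Step 3 risk checks (CVSS threshold, banned licenses, registry allowlist) and the Step 4 deny rules evaluated in plain Python over a constructed CycloneDX 1.5 SBOM, so the input fields a policy reads are visible end to end. The allowlisted registry, the minimum SLSA level, the artifact field names and the component purls are assumptions, and CVE-0000-0000 is a placeholder identifier.

```python
CVSS_THRESHOLD = 7.0                                 # page default
BANNED_LICENSES = {"GPL-3.0", "AGPL-3.0"}           # page example
ALLOWED_REGISTRIES = {"registry.example.internal"}  # assumed allowlist
MIN_SLSA_LEVEL = 2                                   # assumed production minimum
# Constructed CycloneDX 1.5 SBOM (as json.load would return it), trimmed to the
# fields the checks read. CVE-0000-0000 is a placeholder, not a real advisory.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:npm/left-pad@1.3.0", "licenses": [{"license": {"id": "MIT"}}],
         "purl": "pkg:npm/left-pad@1.3.0?repository_url=registry.example.internal"},
        {"bom-ref": "pkg:pypi/gplonly@2.0.0", "licenses": [{"license": {"id": "GPL-3.0"}}],
         "purl": "pkg:pypi/gplonly@2.0.0?repository_url=pypi.untrusted.example"}],
    "vulnerabilities": [
        {"id": "CVE-0000-0000", "ratings": [{"score": 9.8, "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:npm/left-pad@1.3.0"}]}]}

def sbom_findings(sbom):
    """Step 3 risk analysis: one (rule, component ref, detail) tuple per flagged item."""
    findings = []
    for c in sbom.get("components", []):
        ref = c.get("bom-ref") or c.get("purl")
        for lic in c.get("licenses", []):
            lid = lic.get("license", {}).get("id")
            if lid in BANNED_LICENSES:
                findings.append(("banned_license", ref, lid))
        # purl qualifiers follow '?', e.g. ...?repository_url=host; missing means unknown origin
        quals = dict(q.split("=", 1) for q in c.get("purl", "").partition("?")[2].split("&") if "=" in q)
        if quals.get("repository_url") not in ALLOWED_REGISTRIES:
            findings.append(("untrusted_registry", ref, quals.get("repository_url")))
    for v in sbom.get("vulnerabilities", []):
        top = max((r.get("score", 0.0) for r in v.get("ratings", [])), default=0.0)
        if top >= CVSS_THRESHOLD:
            for a in v.get("affects", []):
                findings.append(("cve_above_threshold", a["ref"], f"{v['id']} {top}"))
    return findings

def policy_deny(artifact):
    """Step 4 decision mirroring the Rego deny rules: every reason to block, or [] to allow."""
    deny = []
    if not artifact.get("signed"):
        deny.append("Artifact must be signed with Cosign before deployment")
    if artifact.get("sbom") is None or not artifact.get("sbom_signed"):
        deny.append("SBOM must be generated, signed and attached to artifact")
    if artifact.get("slsa_level", 0) < MIN_SLSA_LEVEL:
        deny.append(f"SLSA level below minimum {MIN_SLSA_LEVEL}")
    for rule, ref, detail in sbom_findings(artifact.get("sbom") or {}):
        if rule != "cve_above_threshold":  # CVEs go to the risk report, not a hard block here
            deny.append(f"{rule}: {ref} ({detail})")
    return deny
```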

Step 5: Set Up SBOM Storage and Dashboards


Configure SBOM storage:
  • Store in Harness AR alongside the image, or in S3/GCS/Dependency-Track
  • Set retention period (default 365 days)
Enable the SSCA portal dashboard for:
  • Real-time component inventory across all services
  • Vulnerability trends over time
  • License compliance status
  • SLSA level tracking per service

Examples


  • "Generate SBOMs for our payment-service builds" -- Configure CycloneDX SBOM generation with Cosign signing in the CI pipeline
  • "Enforce artifact signing for production deployments" -- Create OPA policy requiring valid Cosign signatures
  • "Set up SLSA Level 2 compliance tracking" -- Configure provenance tracking and SBOM attestation
  • "Block deployments with GPL-3.0 dependencies" -- Create supply chain policy with license restrictions
  • "Track our software supply chain risk" -- Enable SSCA dashboard with CVE, license, and staleness analysis

Performance Notes


  • SBOM generation adds 10-30 seconds to the build depending on dependency count -- acceptable for most pipelines.
  • Cosign keyless signing (Sigstore) is simpler to set up than KMS-backed keys but requires internet access.
  • SLSA Level 3 requires hermetic builds -- this may require significant pipeline restructuring.
  • SBOM storage costs are minimal (JSON files) but retention policies prevent unbounded growth.

Troubleshooting


SBOM Generation Failing


  • Verify the build tool is supported by the SBOM generator (Syft, Trivy, cdxgen)
  • Check that the container image is accessible at the point SBOM generation runs
  • For monorepos, ensure the SBOM scope is set to the correct subdirectory

Cosign Signing Errors


  • For keyless: verify the OIDC provider (Sigstore/Fulcio) is reachable
  • For KMS: verify the service account has signing permissions on the key
  • Check that the Cosign binary version is compatible with the image format

Policy Blocking Deployments


  • Check which specific policy rule is triggering the deny
  • Use the exemption workflow for known false positives
  • Verify the policy is evaluating the correct input fields from the pipeline