Improving Fluent Bit Supply Chain Security with Cosign from OpenSSF
This is a quick follow-up to a previous post covering some of the improvements Calyptia is making as the maintainers of Fluent Bit. We have been signing the Fluent Bit official container images with Cosign for a while now, and recently we added it to the OpenSSF landscape to publicize this fact.
What is Cosign?
The OpenSSF (Open Source Software Security Foundation) provides lots of useful tooling to improve supply chain security for open source projects. One of these tools is the sigstore project which “allows developers to securely sign software artifacts” and the Cosign tooling specifically to sign OCI (container) images.
Signing the Fluent Bit container images with Cosign ensures that users can verify that the image they are using is the official one built and provided by the Fluent Bit project. Full details on verifying the signature can be found in the documentation.
This follows a similar approach to the GPG signing we (and package developers in general) have provided for native Linux packages (RPM/DEB) as well as the repository metadata itself which is required for various more secure platforms (e.g. FIPS compliance).
We encourage anyone using OSS to get projects added to the OpenSSF if they can contribute in that way.
Another useful project provided by the OpenSSF is the gitsign tooling. Gitsign simplifies signed commit handling and helps prevent some of the possible attacks with standard GPG keys. We would also encourage anyone using Git to adopt it.
You might also like
Enforcing structured logging across applications using Fluent Bit
In this article, we will leverage Fluent Bit’s log processing capabilities to ensure consistent structured logging across applications using two different methods. In addition, we demonstrate how to send alerts to Slack when the logs are not properly formatted.
Fluent Bit: Alerting via Slack when the log destination is unreachable
Learn how to use Fluent Bit to identify irregularities in the data pipeline as they occur and send alerts to Slack