Improving Fluent Bit Supply Chain Security with Cosign from OpenSSF
This is a quick follow-up to a previous post covering some of the improvements Calyptia is making as the maintainers of Fluent Bit. We have been signing the Fluent Bit official container images with Cosign for a while now, and recently we added it to the OpenSSF landscape to publicize this fact.
What is Cosign?
The OpenSSF (Open Source Software Security Foundation) provides lots of useful tooling to improve supply chain security for open source projects. One of these tools is the sigstore project, which “allows developers to securely sign software artifacts”, and in particular its Cosign tooling, which signs OCI (container) images.
Signing the Fluent Bit container images with Cosign ensures that users can verify that the image they are using is the official one built and provided by the Fluent Bit project. Full details on verifying the signature can be found in the documentation.
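As an illustration of what that verification looks like when it gates a deployment, here is an added example that is not taken from the Fluent Bit documentation. It wraps `cosign verify --key`; the image reference and key location are placeholders to be filled in from the project's documentation, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: refuse to use an image unless Cosign verifies it against a
# known public key. Image reference and key are placeholders, not real values.
# Usage: ./verify-image.sh <repo>@sha256:<digest> <public-key path or URL>

# Succeeds only for references pinned by digest; a tag can be re-pointed later.
is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Reads the JSON that `cosign verify` writes to stdout and prints each
# manifest digest named in the signed payloads, one per line.
signed_digests() {
  grep -Eo '"docker-manifest-digest"[[:space:]]*:[[:space:]]*"sha256:[0-9a-f]{64}"' |
    grep -Eo 'sha256:[0-9a-f]{64}' | sort -u
}

# verify_image <image@digest> <key>
# Returns 0 if verified, 1 if verification fails, 2 if the reference is a tag.
verify_image() {
  img=$1 key=$2
  if ! is_digest_pinned "$img"; then
    echo "refusing mutable reference (pin by digest): $img" >&2
    return 2
  fi
  want=${img##*@}
  # cosign exits non-zero when no valid signature exists for this key.
  out=$(cosign verify --key "$key" "$img") || {
    echo "signature verification failed for $img" >&2
    return 1
  }
  # Defence in depth: the signed payload must name the digest we asked for.
  printf '%s\n' "$out" | signed_digests | grep -Fxq "$want" || {
    echo "signed payload does not cover $want" >&2
    return 1
  }
  echo "verified: $img"
}

# Run only when called with arguments, so the file can also be sourced.
if [ "$#" -ge 2 ]; then
  verify_image "$1" "$2"
fi
```

Pinning by digest matters because the signature covers a specific manifest digest, while a tag can later point at a different image.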
This follows a similar approach to the GPG signing that we (and package developers in general) have provided for native Linux packages (RPM/DEB) and for the repository metadata itself, which various more secure platforms require (e.g. for FIPS compliance).
We encourage anyone using OSS to get projects added to the OpenSSF if they can contribute in that way.
Another useful project provided by the OpenSSF is the gitsign tooling. Gitsign simplifies signed commit handling and helps prevent some of the possible attacks with standard GPG keys. We would also encourage anyone using Git to adopt it.