Securing Bazel's Module Registry

The blog post discusses the challenges and vulnerabilities in supply-chain security within the open-source software ecosystem, specifically addressing a recent incident involving a vulnerability in tj-actions that exposed CI pipeline tokens, potentially allowing project hijacking. It highlights the precarious situation where a small number of individuals, often hobbyists, maintain critical security for enterprise users, drawing parallels to Bazel rulesets which face similar staffing issues. Google is transferring repositories to the Linux Foundation without providing additional maintenance resources, raising concerns about the security of Bazel rulesets, which could be compromised by malicious release artifacts. The post emphasizes the importance of verifying the provenance of release artifacts through attestations, as demonstrated by a framework like SLSA, which provides cryptographic proof that build artifacts are constructed securely. GitHub Actions are used to generate attestations that verify the integrity of release artifacts, and these are built into the BCR presubmit process to ensure trustworthiness. The blog also notes that the improvements made to the Publish to BCR helper will allow for broader adoption of secure practices across various Bazel ruleset releases, with the Bazel client expected to support transparent verification of modules in the future.