
The second half of software supply chain security on GitHub

Blog post from GitHub

Post Details
Company: GitHub
Author: Zachary Steindler
Word Count: 1,136
Language: English
Summary

The major cyberattack against the U.S. federal government in late 2020 heightened awareness of software supply chain security and prompted significant responses from both the U.S. government and private industry. The White House's Executive Orders and the National Cybersecurity Strategy Implementation Plan emphasize improving cybersecurity supply chain risk management, and their effect reaches everyone who produces software, not only vendors selling to the government.

The Open Source Security Foundation's Supply-chain Levels for Software Artifacts (SLSA) framework offers an approachable way to understand and raise supply chain security, particularly through build integrity and signed build provenance. GitHub has built tooling to make this practical, such as artifact attestations, which let a workflow sign its builds and let consumers verify them using the workflow's workload identity rather than long-lived private keys that must be generated, stored and rotated. This supports gradual, scalable improvement: organizations can start with a basic measure such as signing their builds and move on to stronger controls as their needs grow.
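As an added example (not code from the original post or from GitHub), the following GitHub Actions workflow shows what "signing builds with workload identity" looks like in practice: the job requests an OIDC token via the `id-token: write` permission, and the `actions/attest-build-provenance` action uses that identity to sign provenance for the built artifact, so no private key is ever stored in the repository or its secrets. The repository name, tag trigger, artifact path and build command are assumptions chosen for illustration.

```yaml
# Added example, not from the original post: a minimal release workflow
# that builds an artifact and attaches signed SLSA build provenance to it.
# Repository, trigger, paths and build command are illustrative assumptions.
name: release

on:
  push:
    tags: ["v*"]

permissions:
  contents: read        # check out the source
  id-token: write       # mint the job's OIDC token (the workload identity)
  attestations: write   # store the signed provenance on GitHub

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Hypothetical build step; a real project substitutes its own.
      - name: Build
        run: |
          mkdir -p dist
          git archive --format=tar.gz -o dist/example-app.tar.gz HEAD

      # Sign build provenance for the artifact. No signing key is configured
      # anywhere: the action exchanges the job's OIDC token for a short-lived
      # certificate bound to this repository and workflow, signs the
      # provenance with it, and records the attestation on GitHub.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/example-app.tar.gz

      - uses: actions/upload-artifact@v4
        with:
          name: example-app
          path: dist/example-app.tar.gz
```

A consumer who downloads the tarball verifies it with the GitHub CLI, for example `gh attestation verify dist/example-app.tar.gz --repo example-org/example-app` (the `--repo` value is the assumed repository from the workflow above). The command fetches the stored attestation, checks that its subject digest matches the file, and checks that the signing identity belongs to a workflow in the named repository, which is the check that a key-based scheme would have to approximate by distributing and rotating public keys.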