Zero-Trust Software Attestations with GitLab and Chainloop

Zero-trust architecture (ZTA) operates on the principle of "never trust, always verify," requiring continuous authentication and authorization for every access request. Ephemeral, one-time tokens play a crucial role by reducing the attack surface and mitigating credential theft risks.

Unlike long-lived tokens, ephemeral tokens have a short lifespan and are valid for a single use, making them resistant to replay attacks and token leakage. They enforce least privilege by ensuring that access is granted only for the specific request and timeframe needed. 

In the context of software supply chain security, this pattern is implemented in most modern CI/CD systems, such as GitHub and GitLab. These platforms can both mint ephemeral tokens for a pipeline job and let third parties verify those tokens, so the job can, for example, sign and store a built container image or access a Kubernetes cluster without holding a long-lived credential.

And now you can also use those tokens to perform attestations with Chainloop from GitLab.

It’s a two-step process.

  • Enroll your GitLab repositories in Chainloop.
  • Send GitLab tokens during the attestation process.

1 - Enroll your GitLab repositories in Chainloop

First, you'll need to onboard your GitLab repository into the Chainloop platform. Enrollment is what lets Chainloop later confirm that an incoming attestation comes from a repository you own, rather than from any project on the same GitLab instance.

2 - Use the GitLab token during the attestation process

You are now ready to leverage GitLab's OIDC tokens for your attestations. The one requirement is that the pipeline requests an ID token whose audience is chainloop. The audience is an important property: it lets Chainloop confirm that this token was minted for it specifically, so a token issued for some other service cannot be redirected to Chainloop, and vice versa.

If you run the pipeline, the attestation process should finish as expected.
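To make the two steps concrete from the verifier's side, here is an added example (not Chainloop's or GitLab's code) of the checks an attestation service runs on the ID token a pipeline presents: signature, issuer, the chainloop audience from step 2, validity window, membership of the enrolled-repository set from step 1, and single use. The enrolled project names, the jti value and the signing secret are all constructed for the demo; real GitLab ID tokens are RS256-signed and are verified against the issuer's published JWKS, whereas this example signs with an HS256 shared secret so it runs offline.

```python
"""Verifier-side checks for a GitLab CI ID token presented with an attestation.

Added example, not Chainloop's or GitLab's code. Real GitLab ID tokens are
RS256-signed and verified against the issuer's JWKS; this demo uses a constructed
HS256 secret (assumption) so that it runs offline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

EXPECTED_ISSUER = "https://gitlab.com"      # the GitLab instance that minted the token
EXPECTED_AUDIENCE = "chainloop"             # audience the token must carry for this service
# Constructed set of repositories enrolled in step 1 (assumption).
ENROLLED_PROJECTS = {"acme/payments-api", "acme/web-frontend"}
# Constructed signing secret standing in for GitLab's private key (assumption).
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"
_SEEN_JTI = set()                           # token ids already redeemed (single-use check)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256 JWT carrying `claims`; stands in for what GitLab's id_tokens keyword issues."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_gitlab_token(token: str, now: Optional[int] = None,
                        secret: bytes = DEMO_SECRET, seen: Optional[set] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for a token presented alongside an attestation."""
    now = int(time.time()) if now is None else now
    seen = _SEEN_JTI if seen is None else seen
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:                       # covers base64, UTF-8 and JSON decode errors
        return False, "undecodable token"
    # 1. Signature first: nothing in the payload is trusted until it is verified.
    if header.get("alg") != "HS256":         # pin the algorithm; never accept "none"
        return False, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # 2. Issuer: only our GitLab instance may vouch for a pipeline.
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, f"unexpected issuer {claims.get('iss')!r}"
    # 3. Audience: a token minted for another service must not be accepted here.
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, f"audience {aud!r} was not minted for this service"
    # 4. Validity window: ephemeral tokens are only good for minutes.
    if claims.get("nbf", 0) > now or claims.get("exp", 0) <= now:
        return False, "token outside its validity window"
    # 5. Enrollment: the pipeline must come from a repository onboarded in step 1.
    if claims.get("project_path") not in ENROLLED_PROJECTS:
        return False, f"project {claims.get('project_path')!r} is not enrolled"
    # 6. Single use: the same token id cannot back a second attestation.
    jti = claims.get("jti")
    if not jti or jti in seen:
        return False, "token already redeemed or missing jti"
    seen.add(jti)
    return True, "ok"


# Constructed claims mirroring the fields GitLab puts in a CI ID token.
DEMO_CLAIMS = {
    "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
    "sub": "project_path:acme/payments-api:ref_type:branch:ref:main",
    "iat": 1_700_000_000, "nbf": 1_700_000_000, "exp": 1_700_000_300,
    "jti": "constructed-jti-0001", "project_path": "acme/payments-api",
    "ref": "main", "ref_protected": "true",
}

if __name__ == "__main__":
    tok = mint_demo_token(DEMO_CLAIMS)
    print(verify_gitlab_token(tok, now=1_700_000_010))   # accepted
    print(verify_gitlab_token(tok, now=1_700_000_010))   # rejected: replay of the same jti
    print(verify_gitlab_token(tok, now=1_700_000_400))   # rejected: expired
```

The order of the checks matters: the signature is verified before any claim is read, the audience check is what stops a token minted for a different service from being replayed against this one, and the enrollment check is what ties the token back to step 1. In GitLab CI the token itself is requested with the id_tokens keyword and an aud value of chainloop; the exact job syntax is documented by GitLab and Chainloop and is not reproduced here.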

The resulting signed attestation is no different from any other, and that's the feature: you just performed an attestation from GitLab without the need to provide any custom API token.

In conclusion, leveraging ephemeral tokens can significantly enhance software attestations in a zero-trust environment. By utilizing GitLab's OIDC tokens for attestations, you can streamline the process, reduce the attack surface, and improve the security of your software supply chain.