# Tekton S3C roadmap brainstorm 🧠 * [Providing SLSA capabilities to users](#providing-slsa-capabilities-to-users) * [Compliance of Tekton itself](#slsa-compliance-of-tekton-itself) * [Security and the Tekton Catalog](#security-and-the-tekton-catalog) * [SBOMs](https://github.com/tektoncd/chains/issues/277) * Open SSF Badge * [Credential management](#credential-management) * CDF funded security review ## Providing SLSA capabilities to users * Expanding Tekton Chains type hinting support: * [TEP-0086 how results are emitted](https://github.com/tektoncd/community/pull/521/files) * Current result size greatly limits what we can create provenance for (e.g. an array of image digests) * Structured results: * [TEP-0076 array results](https://github.com/tektoncd/community/pull/477) * [TEP-0075 object params and results](https://github.com/tektoncd/community/pull/479) * [Adding support for more artifact types](https://github.com/tektoncd/chains/issues/124) * Addressing the lack of abstractions in Tekton for artifacts of different kinds - how do we provide that to improve observability of tekton pipelines without losing task reusability (like it was for pipeline resources). * SLSA L3: * [TEP-0089 non-falsifiability and SPIRE](https://github.com/tektoncd/community/blob/main/teps/0089-nonfalsifiable-provenance-support.md) * [isolated](https://slsa.dev/spec/v0.1/requirements#isolated) * Enforcing at execution time? * Tampering with PVCs by other pods * Provide secure workspace types? * [Build as code](https://slsa.dev/spec/v0.1/requirements#build-as-code) and Tekton bundles * SLSA L4: * [TEP-0025 Hermetic execution](https://github.com/tektoncd/community/blob/main/teps/0025-hermekton.md) * hermetic execution, Hermekton and the runtime efficiency TEP, Hermetic Builds * [complete dependencies](https://slsa.dev/spec/v0.1/requirements#dependencies-complete) * [Parameterless execution](https://slsa.dev/spec/v0.1/requirements#parameterless) * SLSA vs. Tekton mismatches: * Most logic in Tekton does not execute in the "trusted control plane" * [Trusted tekton types](#trusted-tekton-types) * TaskRuns vs PipelineRuns (for complete provenance, including source control) * [TEP-0084](https://github.com/tektoncd/community/blob/main/teps/0084-endtoend-provenance-collection.md) * How to achieve end to end attestations. Chains can only observe Tekton TaskRuns. What about pipelineruns and events received by tekton triggers? ## Compliance of Tekton itself * All project releases at SLSA L2 * [signing all releases](https://github.com/tektoncd/plumbing/issues/884) * Controlling / auditing / monitoring who has access to what Tekton infrastructure * [Transfer GCP projects to be owned entirely by CDF and Tekton](https://github.com/tektoncd/plumbing/issues/865) * [TODO, including security improvements](https://docs.google.com/document/d/1h-Q9NXJxv9b6qAJM4OTKDpDMwXZz8c-quCLsYvRyIu0/edit#) * [Dogfooding roadmap](https://github.com/tektoncd/plumbing/issues/912) * Regular scanning and vulnerability patching for Tekton projects / artifacts * LTS policy for Tekton projects ## Security and the Tekton Catalog * [TEP-0079 Catalog support tiers](https://github.com/tektoncd/community/blob/main/teps/0079-tekton-catalog-support-tiers.md) * [Trusted types](#trusted-tekton-types) in the catalog ### Trusted Tekton Types * Verifying/trusting remote resources: * [TEP-0091 In-toto Layout Creation via Tekton CLI](https://github.com/tektoncd/community/pull/534) * [TEP-0091: Verified Remote Resources](https://github.com/tektoncd/community/pull/537) * [TEP-0093 tkn cli sign verify](https://github.com/tektoncd/community/pull/545) * Signing of tekton resources (and how it relates with the remote resources TEP).Signing of tekton results (including increasing results size limit). ## Credential management * A stronger credentials story for Tekton - many users struggle with using private git repos and container registries, we can lead to bad practices for credentials mgmt. How do we make it easy for our users to manage the credentials?