manage-supply-chain

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Manage Supply Chain

管理供应链

Configure SBOM generation, artifact signing, supply chain policy enforcement, and SLSA provenance tracking in Harness SSCA.

在Harness SSCA中配置SBOM生成、工件签名、供应链策略执行以及SLSA溯源跟踪。

Instructions

操作说明

Step 1: Establish Scope

步骤1：确定范围

Confirm the user's org, project, service, and build tool.

Call MCP tool: harness_list
Parameters:
  resource_type: "project"
  org_id: "<organization>"

确认用户的组织、项目、服务以及构建工具。

Call MCP tool: harness_list
Parameters:
  resource_type: "project"
  org_id: "<organization>"

Step 2: Identify the SSCA Task

步骤2：确定SSCA任务类型

Determine which workflow the user needs:

SBOM Generation -- Automated SBOM creation on every build with signing and attestation
Supply Chain Policy Enforcement -- OPA policies for artifact provenance, signing, and compliance

明确用户所需的工作流：

SBOM生成 -- 每次构建时自动创建SBOM，并附带签名与认证
供应链策略执行 -- 针对工件溯源、签名及合规性的OPA策略

Step 3: Configure SBOM Generation

步骤3：配置SBOM生成

Gather from the user:

Service name, build tool, and language
Pipeline to attach SBOM generation to
SBOM format: CycloneDX 1.5 (JSON) or SPDX 2.3 (JSON)
SBOM scope: direct dependencies, transitive, or full (OS + language + transitive)
Signing key provider: Cosign keyless (Sigstore), Cosign with KMS, AWS KMS, GCP KMS

Configure SBOM generation in the CI pipeline:

Trigger on every successful build or container push
Generate SBOM in the selected format
Sign SBOM with the configured key provider
Attach as OCI artifact alongside the container image
Require valid signature verification before deployment to protected environments

Supply Chain Risk Analysis:

Flag dependencies with known CVEs above CVSS threshold (default 7.0)
Detect license conflicts (e.g., GPL-3.0, AGPL-3.0)
Flag dependencies outdated by more than N months
Flag dependencies from untrusted registries

Compliance Mapping:

Target SLSA level (Level 1, 2, or 3)
Map to compliance frameworks: NIST SSDF, EO 14028, SOC2

向用户收集以下信息：

服务名称、构建工具及开发语言
需关联SBOM生成的流水线
SBOM格式：CycloneDX 1.5（JSON）或SPDX 2.3（JSON）
SBOM范围：直接依赖、传递依赖或完整范围（操作系统+开发语言+传递依赖）
签名密钥提供商：Cosign无密钥（Sigstore）、带KMS的Cosign、AWS KMS、GCP KMS

在CI流水线中配置SBOM生成：

每次构建成功或容器推送时触发
生成所选格式的SBOM
使用配置的密钥提供商对SBOM进行签名
作为OCI工件附加到容器镜像旁
部署到受保护环境前需验证签名有效性

供应链风险分析：

标记CVSS评分高于阈值（默认7.0）的已知漏洞依赖项
检测许可证冲突（如GPL-3.0、AGPL-3.0）
标记过期超过N个月的依赖项
标记来自不可信镜像仓库的依赖项

合规映射：

目标SLSA级别（Level 1、2或3）
映射至合规框架：NIST SSDF、EO 14028、SOC2

Step 4: Configure Supply Chain Policy Enforcement

步骤4：配置供应链策略执行

Gather enforcement points from the user (build, push, deploy, or all stages).

Define OPA policies:

Artifact Provenance -- Require all container images to have valid Cosign signatures
SLSA Level -- Enforce minimum SLSA level for production deployments
SBOM Requirements -- Block deployment if SBOM is missing or unsigned
Dependency Restrictions -- Block artifacts with banned licenses or known malicious packages
Registry Allowlist -- Only allow artifacts from approved registries

Call MCP tool: harness_create
Parameters:
  resource_type: "policy"
  org_id: "<organization>"
  project_id: "<project>"
  body:
    name: "supply-chain-enforcement"
    identifier: "supply_chain_enforcement"
    rego: |
      package harness.supply_chain

      deny[msg] {
        not input.artifact.signed
        msg := "Artifact must be signed with Cosign before deployment"
      }

      deny[msg] {
        not input.artifact.sbom_attached
        msg := "SBOM must be generated and attached to artifact"
      }

向用户收集执行节点（构建、推送、部署或所有阶段）。

定义OPA策略：

工件溯源 -- 要求所有容器镜像具备有效的Cosign签名
SLSA级别 -- 强制生产部署达到最低SLSA级别
SBOM要求 -- 若缺少SBOM或SBOM未签名，则阻止部署
依赖限制 -- 阻止包含禁用许可证或已知恶意包的工件
镜像仓库白名单 -- 仅允许来自已批准镜像仓库的工件

Call MCP tool: harness_create
Parameters:
  resource_type: "policy"
  org_id: "<organization>"
  project_id: "<project>"
  body:
    name: "supply-chain-enforcement"
    identifier: "supply_chain_enforcement"
    rego: |
      package harness.supply_chain

      deny[msg] {
        not input.artifact.signed
        msg := "Artifact must be signed with Cosign before deployment"
      }

      deny[msg] {
        not input.artifact.sbom_attached
        msg := "SBOM must be generated and attached to artifact"
      }

Step 5: Set Up SBOM Storage and Dashboards

步骤5：设置SBOM存储与仪表盘

Configure SBOM storage:

Store in Harness AR alongside the image, or in S3/GCS/Dependency-Track
Set retention period (default 365 days)

Enable the SSCA portal dashboard for:

Real-time component inventory across all services
Vulnerability trends over time
License compliance status
SLSA level tracking per service

配置SBOM存储：

存储在Harness AR中（与镜像一起），或S3/GCS/Dependency-Track中
设置保留期限（默认365天）

启用SSCA门户仪表盘以实现：

所有服务的实时组件清单
漏洞趋势跟踪
许可证合规状态
各服务的SLSA级别跟踪

Examples

示例

"Generate SBOMs for our payment-service builds" -- Configure CycloneDX SBOM generation with Cosign signing in the CI pipeline
"Enforce artifact signing for production deployments" -- Create OPA policy requiring valid Cosign signatures
"Set up SLSA Level 2 compliance tracking" -- Configure provenance tracking and SBOM attestation
"Block deployments with GPL-3.0 dependencies" -- Create supply chain policy with license restrictions
"Track our software supply chain risk" -- Enable SSCA dashboard with CVE, license, and staleness analysis

"为我们的payment-service构建生成SBOM" -- 在CI流水线中配置带Cosign签名的CycloneDX SBOM生成
"强制生产部署的工件签名" -- 创建要求有效Cosign签名的OPA策略
"设置SLSA Level 2合规跟踪" -- 配置溯源跟踪与SBOM认证
"阻止包含GPL-3.0依赖项的部署" -- 创建带许可证限制的供应链策略
"跟踪我们的软件供应链风险" -- 启用包含CVE、许可证及陈旧性分析的SSCA仪表盘

Performance Notes

性能说明

SBOM generation adds 10-30 seconds to the build depending on dependency count -- acceptable for most pipelines.
Cosign keyless signing (Sigstore) is simpler to set up than KMS-backed keys but requires internet access.
SLSA Level 3 requires hermetic builds -- this may require significant pipeline restructuring.
SBOM storage costs are minimal (JSON files) but retention policies prevent unbounded growth.

SBOM生成会为构建增加10-30秒耗时（取决于依赖项数量）-- 对大多数流水线而言可接受。
Cosign无密钥签名（Sigstore）比基于KMS的密钥更易设置，但需要网络访问。
SLSA Level 3要求封闭构建 -- 这可能需要对流水线进行重大调整。
SBOM存储成本极低（JSON文件），但保留策略可防止存储量无限增长。

Troubleshooting

故障排查

SBOM Generation Failing

SBOM生成失败

Verify the build tool is supported by the SBOM generator (Syft, Trivy, cdxgen)
Check that the container image is accessible at the point SBOM generation runs
For monorepos, ensure the SBOM scope is set to the correct subdirectory

验证SBOM生成器（Syft、Trivy、cdxgen）支持当前构建工具
检查SBOM生成运行时容器镜像是否可访问
对于单体仓库，确保SBOM范围设置为正确的子目录

Cosign Signing Errors

Cosign签名错误

For keyless: verify the OIDC provider (Sigstore/Fulcio) is reachable
For KMS: verify the service account has signing permissions on the key
Check that the Cosign binary version is compatible with the image format

无密钥模式：验证OIDC提供商（Sigstore/Fulcio）是否可访问
KMS模式：验证服务账号对密钥具备签名权限
检查Cosign二进制版本与镜像格式是否兼容

Policy Blocking Deployments

策略阻止部署

Check which specific policy rule is triggering the deny
Use the exemption workflow for known false positives
Verify the policy is evaluating the correct input fields from the pipeline

检查触发拒绝的具体策略规则
对已知误报使用豁免流程
验证策略是否正在评估流水线中的正确输入字段