{"id":824,"date":"2026-03-21T20:11:54","date_gmt":"2026-03-21T19:11:54","guid":{"rendered":"https:\/\/secure-pipelines.com\/ci-cd-security\/lab-secure-build-pipeline-tekton-tekton-chains-2\/"},"modified":"2026-03-25T10:01:47","modified_gmt":"2026-03-25T09:01:47","slug":"lab-secure-build-pipeline-tekton-tekton-chains","status":"publish","type":"post","link":"https:\/\/secure-pipelines.com\/ar\/ci-cd-security\/lab-secure-build-pipeline-tekton-tekton-chains\/","title":{"rendered":"\u0645\u062e\u062a\u0628\u0631: \u062a\u0646\u0641\u064a\u0630 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 \u0628\u0646\u0627\u0621 \u0622\u0645\u0646 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Tekton \u0648 Tekton Chains"},"content":{"rendered":"<h2>\u0646\u0638\u0631\u0629 \u0639\u0627\u0645\u0629<\/h2>\n<p>Tekton \u0647\u0648 \u0625\u0637\u0627\u0631 \u0639\u0645\u0644 \u0645\u0641\u062a\u0648\u062d \u0627\u0644\u0645\u0635\u062f\u0631 \u0642\u0648\u064a \u064a\u0639\u0645\u0644 \u0628\u0634\u0643\u0644 \u0623\u0635\u0644\u064a \u0639\u0644\u0649 Kubernetes \u0644\u0625\u0646\u0634\u0627\u0621 \u0623\u0646\u0638\u0645\u0629 \u0627\u0644\u062a\u0643\u0627\u0645\u0644 \u0627\u0644\u0645\u0633\u062a\u0645\u0631 \u0648\u0627\u0644\u062a\u0633\u0644\u064a\u0645 \u0627\u0644\u0645\u0633\u062a\u0645\u0631 (CI\/CD). 
\u064a\u0639\u0645\u0644 \u0643\u0645\u062c\u0645\u0648\u0639\u0629 \u0645\u0646 \u062a\u0639\u0631\u064a\u0641\u0627\u062a \u0627\u0644\u0645\u0648\u0627\u0631\u062f \u0627\u0644\u0645\u062e\u0635\u0635\u0629 (CRDs) \u0639\u0644\u0649 \u0623\u064a \u0645\u062c\u0645\u0648\u0639\u0629 Kubernetes\u060c \u0645\u0645\u0627 \u064a\u062a\u064a\u062d \u0644\u0643 \u062a\u0639\u0631\u064a\u0641 \u062e\u0637\u0648\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0643\u0645\u0644\u0641\u0627\u062a YAML \u062a\u0635\u0631\u064a\u062d\u064a\u0629 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u0646\u0642\u0644 \u0628\u064a\u0646 \u0627\u0644\u0628\u064a\u0626\u0627\u062a \u0627\u0644\u0645\u062e\u062a\u0644\u0641\u0629.<\/p>\n<p><strong>Tekton Chains<\/strong> \u0647\u0648 \u0645\u0634\u0631\u0648\u0639 \u0645\u0631\u0627\u0641\u0642 \u064a\u0636\u064a\u0641 \u0623\u0645\u0627\u0646 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b \u0625\u0644\u0649 \u062e\u0637\u0648\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 Tekton \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643. 
\u0628\u0645\u062c\u0631\u062f \u062a\u062b\u0628\u064a\u062a\u0647\u060c \u064a\u0631\u0627\u0642\u0628 Chains \u0639\u0645\u0644\u064a\u0627\u062a TaskRun \u0627\u0644\u0645\u0643\u062a\u0645\u0644\u0629\u060c \u0648\u064a\u0648\u0642\u0651\u0639 \u0646\u062a\u0627\u0626\u062c\u0647\u0627 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Cosign \u0623\u0648 \u0623\u062f\u0648\u0627\u062a \u062a\u0648\u0642\u064a\u0639 \u0623\u062e\u0631\u0649\u060c \u0648\u064a\u064f\u0646\u0634\u0626 <a href=\"https:\/\/secure-pipelines.com\/ar\/ci-cd-security\/artifact-provenance-attestations-slsa-in-toto\/\">\u0634\u0647\u0627\u062f\u0627\u062a \u0645\u0635\u062f\u0631 SLSA<\/a> \u2014 \u0643\u0644 \u0630\u0644\u0643 \u062f\u0648\u0646 \u0627\u0644\u062d\u0627\u062c\u0629 \u0625\u0644\u0649 \u0623\u064a \u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0641\u064a \u062a\u0639\u0631\u064a\u0641\u0627\u062a \u062e\u0637\u0648\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0627\u0644\u062d\u0627\u0644\u064a\u0629.<\/p>\n<p>\u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631 \u0627\u0644\u0639\u0645\u0644\u064a\u060c \u0633\u062a\u0642\u0648\u0645 \u0628\u0645\u0627 \u064a\u0644\u064a:<\/p>\n<ul>\n<li>\u0646\u0634\u0631 Tekton Pipelines \u0648 Tekton Chains \u0639\u0644\u0649 \u0645\u062c\u0645\u0648\u0639\u0629 Kubernetes \u0645\u062d\u0644\u064a\u0629<\/li>\n<li>\u062a\u0643\u0648\u064a\u0646 Chains \u0644\u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0639\u0646\u0627\u0635\u0631 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b \u0648\u0625\u0646\u0634\u0627\u0621 \u0634\u0647\u0627\u062f\u0627\u062a \u0645\u0635\u062f\u0631 in-toto<\/li>\n<li>\u0628\u0646\u0627\u0621 \u0635\u0648\u0631\u0629 \u062d\u0627\u0648\u064a\u0629 \u0645\u0646 \u062e\u0644\u0627\u0644 Tekton Pipeline<\/li>\n<li>\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 
\u0648\u0634\u0647\u0627\u062f\u0629 \u0645\u0635\u062f\u0631 SLSA \u0627\u0644\u0645\u064f\u0646\u0634\u0623\u0629 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b<\/li>\n<li>\u0625\u0636\u0627\u0641\u0629 \u062e\u0637\u0648\u0629 \u0641\u062d\u0635 \u0627\u0644\u062b\u063a\u0631\u0627\u062a \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0625\u0644\u0649 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628<\/li>\n<li>\u0627\u0633\u062a\u0643\u0634\u0627\u0641 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Sigstore Fulcio<\/li>\n<li>\u0641\u0631\u0636 \u0633\u064a\u0627\u0633\u0627\u062a \u0627\u0644\u0635\u0648\u0631 \u0627\u0644\u0645\u0648\u0642\u0651\u0639\u0629 \u0639\u0646\u062f \u0648\u0642\u062a \u0627\u0644\u0646\u0634\u0631<\/li>\n<\/ul>\n<p>\u0628\u0646\u0647\u0627\u064a\u0629 \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631\u060c \u0633\u064a\u0643\u0648\u0646 \u0644\u062f\u064a\u0643 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 \u0628\u0646\u0627\u0621 \u0622\u0645\u0646 \u064a\u0639\u0645\u0644 \u0628\u0627\u0644\u0643\u0627\u0645\u0644 \u0648\u064a\u0646\u062a\u062c \u0635\u0648\u0631 \u062d\u0627\u0648\u064a\u0627\u062a \u0645\u0648\u0642\u0651\u0639\u0629 \u0648\u0645\u064f\u0635\u062f\u0651\u0642\u0629 \u0645\u0639 \u0645\u0635\u062f\u0631 \u0642\u0627\u0628\u0644 \u0644\u0644\u062a\u062d\u0642\u0642 \u2014 \u0645\u062d\u0642\u0642\u0627\u064b \u0627\u0644\u062a\u0648\u0627\u0641\u0642 \u0645\u0639 SLSA Level 2 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b.<\/p>\n<h2>\u0627\u0644\u0645\u062a\u0637\u0644\u0628\u0627\u062a \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629<\/h2>\n<p>\u0642\u0628\u0644 \u0627\u0644\u0628\u062f\u0621 \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631\u060c \u062a\u0623\u0643\u062f \u0645\u0646 \u062a\u062b\u0628\u064a\u062a 
\u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0627\u0644\u062a\u0627\u0644\u064a\u0629 \u0639\u0644\u0649 \u0645\u062d\u0637\u0629 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643:<\/p>\n<ul>\n<li><strong>\u0645\u062c\u0645\u0648\u0639\u0629 Kubernetes<\/strong> \u2014 \u0633\u0646\u0633\u062a\u062e\u062f\u0645 <a href=\"https:\/\/kind.sigs.k8s.io\/\" target=\"_blank\" rel=\"noopener\">kind<\/a> (Kubernetes in Docker) \u0644\u0625\u0646\u0634\u0627\u0621 \u0645\u062c\u0645\u0648\u0639\u0629 \u0645\u062d\u0644\u064a\u0629. \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0630\u0644\u0643\u060c \u064a\u0639\u0645\u0644 minikube \u0623\u064a\u0636\u0627\u064b.<\/li>\n<li><strong>kubectl<\/strong> \u2014 \u0648\u0627\u062c\u0647\u0629 \u0633\u0637\u0631 \u0623\u0648\u0627\u0645\u0631 Kubernetes\u060c \u0627\u0644\u0625\u0635\u062f\u0627\u0631 1.26 \u0623\u0648 \u0623\u062d\u062f\u062b.<\/li>\n<li><strong>Helm<\/strong> \u2014 \u0645\u062f\u064a\u0631 \u062d\u0632\u0645 Kubernetes\u060c \u0627\u0644\u0625\u0635\u062f\u0627\u0631 3.x.<\/li>\n<li><strong>tkn<\/strong> \u2014 <a href=\"https:\/\/tekton.dev\/docs\/cli\/\" target=\"_blank\" rel=\"noopener\">\u0648\u0627\u062c\u0647\u0629 \u0633\u0637\u0631 \u0623\u0648\u0627\u0645\u0631 Tekton<\/a>\u060c \u062a\u064f\u0633\u062a\u062e\u062f\u0645 \u0644\u0644\u062a\u0641\u0627\u0639\u0644 \u0645\u0639 \u0645\u0648\u0627\u0631\u062f Tekton.<\/li>\n<li><strong>Cosign<\/strong> \u2014 \u062c\u0632\u0621 \u0645\u0646 <a href=\"https:\/\/secure-pipelines.com\/ar\/ci-cd-security\/signing-verifying-container-images-sigstore-cosign\/\">\u0645\u0634\u0631\u0648\u0639 Sigstore<\/a>\u060c \u064a\u064f\u0633\u062a\u062e\u062f\u0645 \u0644\u062a\u0648\u0642\u064a\u0639 \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0648\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646\u0647\u0627.<\/li>\n<li><strong>jq<\/strong> \u2014 \u0645\u0639\u0627\u0644\u062c JSON \u0644\u0633\u0637\u0631 
\u0627\u0644\u0623\u0648\u0627\u0645\u0631 \u0644\u0641\u062d\u0635 \u062d\u0645\u0648\u0644\u0627\u062a \u0634\u0647\u0627\u062f\u0627\u062a \u0627\u0644\u0645\u0635\u062f\u0631.<\/li>\n<li><strong>\u0633\u062c\u0644 \u062d\u0627\u0648\u064a\u0627\u062a<\/strong> \u2014 \u0633\u062c\u0644 \u064a\u0645\u0643\u0646\u0643 \u0627\u0644\u062f\u0641\u0639 \u0625\u0644\u064a\u0647\u060c \u0645\u062b\u0644 GitHub Container Registry (GHCR) \u0623\u0648 Docker Hub. \u0633\u062a\u062d\u062a\u0627\u062c \u0625\u0644\u0649 \u0635\u0644\u0627\u062d\u064a\u0629 \u0627\u0644\u0643\u062a\u0627\u0628\u0629 \u0648\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0635\u0627\u0644\u062d\u0629.<\/li>\n<\/ul>\n<p>\u064a\u0641\u062a\u0631\u0636 \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631 \u0627\u0644\u0625\u0644\u0645\u0627\u0645 \u0628\u0623\u0633\u0627\u0633\u064a\u0627\u062a Kubernetes (pods\u060c namespaces\u060c configmaps) \u0648\u0645\u0641\u0627\u0647\u064a\u0645 CI\/CD \u0627\u0644\u0639\u0627\u0645\u0629.<\/p>\n<h2>\u0625\u0639\u062f\u0627\u062f \u0627\u0644\u0628\u064a\u0626\u0629<\/h2>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0625\u0646\u0634\u0627\u0621 \u0645\u062c\u0645\u0648\u0639\u0629 kind<\/h3>\n<p>\u0627\u0628\u062f\u0623 \u0628\u0625\u0646\u0634\u0627\u0621 \u0645\u062c\u0645\u0648\u0639\u0629 Kubernetes \u062c\u062f\u064a\u062f\u0629 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 kind:<\/p>\n<pre><code>kind create cluster --name tekton-lab\nkubectl cluster-info --context kind-tekton-lab<\/code><\/pre>\n<p>\u062a\u0623\u0643\u062f \u0645\u0646 \u0623\u0646 \u0627\u0644\u0645\u062c\u0645\u0648\u0639\u0629 \u062a\u0639\u0645\u0644:<\/p>\n<pre><code>kubectl get nodes\n# NAME                       STATUS   ROLES           AGE   VERSION\n# tekton-lab-control-plane   Ready    control-plane   30s   v1.31.0<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 2: \u062a\u062b\u0628\u064a\u062a Tekton 
Pipelines<\/h3>\n<p>\u0642\u0645 \u0628\u062a\u062b\u0628\u064a\u062a \u0623\u062d\u062f\u062b \u0625\u0635\u062f\u0627\u0631 \u0645\u0646 Tekton Pipelines:<\/p>\n<pre><code>kubectl apply --filename https:\/\/storage.googleapis.com\/tekton-releases\/pipeline\/latest\/release.yaml<\/code><\/pre>\n<p>\u0627\u0646\u062a\u0638\u0631 \u062d\u062a\u0649 \u062a\u0635\u0628\u062d pods \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0640 Tekton Pipelines \u062c\u0627\u0647\u0632\u0629:<\/p>\n<pre><code>kubectl get pods -n tekton-pipelines --watch<\/code><\/pre>\n<p>\u064a\u062c\u0628 \u0623\u0646 \u062a\u0631\u0649 pods <code>tekton-pipelines-controller<\/code> \u0648 <code>tekton-pipelines-webhook<\/code> \u062a\u0639\u0645\u0644:<\/p>\n<pre><code>NAME                                           READY   STATUS    RESTARTS   AGE\ntekton-pipelines-controller-7f6b9b5b95-xk2rj   1\/1     Running   0          45s\ntekton-pipelines-webhook-6c4f8b7d4f-m9nlp      1\/1     Running   0          45s<\/code><\/pre>\n<h3>\u0627\u0644\u062e\u0637\u0648\u0629 3: \u062a\u062b\u0628\u064a\u062a Tekton Chains<\/h3>\n<p>\u0642\u0645 \u0628\u062a\u062b\u0628\u064a\u062a Tekton Chains \u0641\u064a \u0645\u0633\u0627\u062d\u0629 \u0627\u0644\u0623\u0633\u0645\u0627\u0621 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0647:<\/p>\n<pre><code>kubectl apply --filename https:\/\/storage.googleapis.com\/tekton-releases\/chains\/latest\/release.yaml<\/code><\/pre>\n<p>\u062a\u062d\u0642\u0642 \u0645\u0646 \u0623\u0646 Chains \u064a\u0639\u0645\u0644:<\/p>\n<pre><code>kubectl get pods -n tekton-chains\n# NAME                                        READY   STATUS    RESTARTS   AGE\n# tekton-chains-controller-5f4b7c8d6f-r7t2x   1\/1     Running   0          30s<\/code><\/pre>\n<p>\u0641\u064a \u0647\u0630\u0647 \u0627\u0644\u0645\u0631\u062d\u0644\u0629\u060c \u0643\u0644 \u0645\u0646 Tekton Pipelines \u0648 Tekton Chains \u064a\u0639\u0645\u0644\u0627\u0646 \u0639\u0644\u0649 
\u0645\u062c\u0645\u0648\u0639\u062a\u0643.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 1: \u062a\u0643\u0648\u064a\u0646 Tekton Chains \u0644\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Cosign<\/h2>\n<p>\u064a\u062d\u062a\u0627\u062c Tekton Chains \u0625\u0644\u0649 \u0645\u0641\u062a\u0627\u062d \u062a\u0648\u0642\u064a\u0639 \u0648\u062a\u0643\u0648\u064a\u0646 \u0644\u0645\u0639\u0631\u0641\u0629 \u0643\u064a\u0641\u064a\u0629 \u0648\u0645\u0643\u0627\u0646 \u062a\u062e\u0632\u064a\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0648\u0627\u0644\u0634\u0647\u0627\u062f\u0627\u062a. \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u062a\u0645\u0631\u064a\u0646\u060c \u0633\u062a\u0642\u0648\u0645 \u0628\u0625\u0646\u0634\u0627\u0621 \u0632\u0648\u062c \u0645\u0641\u0627\u062a\u064a\u062d Cosign \u0648\u062a\u0643\u0648\u064a\u0646 Chains \u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u062a\u062e\u0632\u064a\u0646 OCI \u0645\u0639 \u062a\u0646\u0633\u064a\u0642 \u0634\u0647\u0627\u062f\u0627\u062a in-toto.<\/p>\n<h3>\u0625\u0646\u0634\u0627\u0621 \u0632\u0648\u062c \u0645\u0641\u0627\u062a\u064a\u062d Cosign<\/h3>\n<p>\u064a\u0645\u0643\u0646 \u0644\u0640 Cosign \u0625\u0646\u0634\u0627\u0621 \u0632\u0648\u062c \u0645\u0641\u0627\u062a\u064a\u062d \u0648\u062a\u062e\u0632\u064a\u0646\u0647 \u0645\u0628\u0627\u0634\u0631\u0629 \u0643\u0640 Kubernetes Secret \u0641\u064a \u0645\u0633\u0627\u062d\u0629 \u0627\u0644\u0623\u0633\u0645\u0627\u0621 <code>tekton-chains<\/code>:<\/p>\n<pre><code>cosign generate-key-pair k8s:\/\/tekton-chains\/signing-secrets<\/code><\/pre>\n<p>\u0633\u064a\u064f\u0637\u0644\u0628 \u0645\u0646\u0643 \u0625\u062f\u062e\u0627\u0644 \u0643\u0644\u0645\u0629 \u0645\u0631\u0648\u0631 \u0644\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u062e\u0627\u0635. 
\u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631\u060c \u064a\u0645\u0643\u0646\u0643 \u0627\u0644\u0636\u063a\u0637 \u0639\u0644\u0649 Enter \u0644\u062a\u0631\u0643\u0647\u0627 \u0641\u0627\u0631\u063a\u0629. \u064a\u0646\u0634\u0626 Cosign \u0633\u0631\u0627\u064b \u0628\u0627\u0633\u0645 <code>signing-secrets<\/code> \u064a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u062e\u0627\u0635 \u0648\u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u0639\u0627\u0645 \u0648\u0643\u0644\u0645\u0629 \u0627\u0644\u0645\u0631\u0648\u0631.<\/p>\n<p>\u062a\u062d\u0642\u0642 \u0645\u0646 \u0625\u0646\u0634\u0627\u0621 \u0627\u0644\u0633\u0631:<\/p>\n<pre><code>kubectl get secret signing-secrets -n tekton-chains\n# NAME              TYPE     DATA   AGE\n# signing-secrets   Opaque   3      10s<\/code><\/pre>\n<h3>\u062a\u0643\u0648\u064a\u0646 \u062a\u062e\u0632\u064a\u0646 \u0648\u062a\u0646\u0633\u064a\u0642 Chains<\/h3>\n<p>\u0628\u0639\u062f \u0630\u0644\u0643\u060c \u0642\u0645 \u0628\u062a\u0643\u0648\u064a\u0646 Chains \u0644\u062a\u062e\u0632\u064a\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0641\u064a \u0633\u062c\u0644 OCI \u0628\u062c\u0627\u0646\u0628 \u0627\u0644\u0635\u0648\u0631\u0629 \u0648\u0644\u0625\u0646\u0634\u0627\u0621 \u0634\u0647\u0627\u062f\u0627\u062a \u0627\u0644\u0645\u0635\u062f\u0631 \u0628\u062a\u0646\u0633\u064a\u0642 in-toto:<\/p>\n<pre><code>kubectl patch configmap chains-config -n tekton-chains \\\n  -p='{\"data\":{\"artifacts.oci.storage\":\"oci\",\"artifacts.taskrun.format\":\"in-toto\",\"artifacts.taskrun.storage\":\"oci\"}}'<\/code><\/pre>\n<p>\u064a\u062e\u0628\u0631 \u0647\u0630\u0627 \u0627\u0644\u062a\u0643\u0648\u064a\u0646 Chains \u0628\u0645\u0627 \u064a\u0644\u064a:<\/p>\n<ul>\n<li><strong>artifacts.oci.storage: oci<\/strong> \u2014 \u062a\u062e\u0632\u064a\u0646 \u062a\u0648\u0642\u064a\u0639\u0627\u062a 
\u0639\u0646\u0627\u0635\u0631 OCI \u0641\u064a \u0633\u062c\u0644 OCI<\/li>\n<li><strong>artifacts.taskrun.format: in-toto<\/strong> \u2014 \u0625\u0646\u0634\u0627\u0621 \u0627\u0644\u0634\u0647\u0627\u062f\u0627\u062a \u0628\u062a\u0646\u0633\u064a\u0642 <a href=\"https:\/\/in-toto.io\/\" target=\"_blank\" rel=\"noopener\">in-toto<\/a>\u060c \u0648\u0647\u0648 \u0627\u0644\u0645\u0639\u064a\u0627\u0631 \u0644\u0634\u0647\u0627\u062f\u0627\u062a \u0645\u0635\u062f\u0631 SLSA<\/li>\n<li><strong>artifacts.taskrun.storage: oci<\/strong> \u2014 \u062a\u062e\u0632\u064a\u0646 \u0634\u0647\u0627\u062f\u0627\u062a TaskRun \u0641\u064a \u0633\u062c\u0644 OCI<\/li>\n<\/ul>\n<h3>\u0625\u0639\u0627\u062f\u0629 \u062a\u0634\u063a\u064a\u0644 \u0648\u062d\u062f\u0629 \u062a\u062d\u0643\u0645 Chains<\/h3>\n<p>\u0628\u0639\u062f \u062a\u063a\u064a\u064a\u0631 \u0627\u0644\u062a\u0643\u0648\u064a\u0646\u060c \u0623\u0639\u062f \u062a\u0634\u063a\u064a\u0644 \u0648\u062d\u062f\u0629 \u062a\u062d\u0643\u0645 Chains \u0644\u062a\u0637\u0628\u064a\u0642 \u0627\u0644\u0625\u0639\u062f\u0627\u062f\u0627\u062a \u0627\u0644\u062c\u062f\u064a\u062f\u0629:<\/p>\n<pre><code>kubectl rollout restart deployment tekton-chains-controller -n tekton-chains\nkubectl rollout status deployment tekton-chains-controller -n tekton-chains<\/code><\/pre>\n<h3>\u0643\u064a\u0641 \u064a\u0639\u0645\u0644 Chains<\/h3>\n<p>\u0645\u0639 \u062a\u0643\u0648\u064a\u0646 Chains\u060c \u0625\u0644\u064a\u0643 \u0645\u0627 \u064a\u062d\u062f\u062b \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b \u0639\u0646\u062f \u0627\u0643\u062a\u0645\u0627\u0644 \u0623\u064a TaskRun:<\/p>\n<ol>\n<li>\u062a\u0643\u062a\u0634\u0641 \u0648\u062d\u062f\u0629 \u062a\u062d\u0643\u0645 Chains \u0639\u0645\u0644\u064a\u0629 TaskRun \u0627\u0644\u0645\u0643\u062a\u0645\u0644\u0629.<\/li>\n<li>\u062a\u0641\u062d\u0635 \u0646\u062a\u0627\u0626\u062c TaskRun \u0628\u062d\u062b\u0627\u064b \u0639\u0646 \u0645\u0631\u0627\u062c\u0639 
\u0635\u0648\u0631 OCI (\u062a\u062d\u062f\u064a\u062f\u0627\u064b \u0627\u0644\u0646\u062a\u0627\u0626\u062c \u0627\u0644\u0645\u0633\u0645\u0627\u0629 <code>IMAGE_URL<\/code> \u0648 <code>IMAGE_DIGEST<\/code>).<\/li>\n<li>\u062a\u0648\u0642\u0651\u0639 \u0627\u0644\u0635\u0648\u0631\u0629 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0645\u0641\u062a\u0627\u062d Cosign \u0627\u0644\u0645\u062e\u0632\u0646 \u0641\u064a \u0627\u0644\u0633\u0631 <code>signing-secrets<\/code>.<\/li>\n<li>\u062a\u064f\u0646\u0634\u0626 \u0634\u0647\u0627\u062f\u0629 \u0645\u0635\u062f\u0631 in-toto \u062a\u0644\u062a\u0642\u0637 \u062a\u0641\u0627\u0635\u064a\u0644 \u0627\u0644\u0628\u0646\u0627\u0621.<\/li>\n<li>\u062a\u062f\u0641\u0639 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0648\u0627\u0644\u0634\u0647\u0627\u062f\u0629 \u0625\u0644\u0649 \u0633\u062c\u0644 OCI.<\/li>\n<li>\u062a\u064f\u0636\u064a\u0641 \u062a\u0639\u0644\u064a\u0642\u0627\u064b \u062a\u0648\u0636\u064a\u062d\u064a\u0627\u064b \u0639\u0644\u0649 TaskRun \u0628\u0642\u064a\u0645\u0629 <code>chains.tekton.dev\/signed=true<\/code>.<\/li>\n<\/ol>\n<p>\u0644\u0627 \u064a\u062a\u0637\u0644\u0628 \u0623\u064a \u0645\u0646 \u0647\u0630\u0627 \u0623\u064a \u062a\u0639\u062f\u064a\u0644 \u0639\u0644\u0649 \u0627\u0644\u0645\u0647\u0627\u0645 \u0623\u0648 \u062e\u0637\u0648\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 2: \u0625\u0646\u0634\u0627\u0621 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 \u0627\u0644\u0628\u0646\u0627\u0621<\/h2>\n<p>\u0627\u0644\u0622\u0646 \u0633\u062a\u0642\u0648\u0645 \u0628\u0625\u0646\u0634\u0627\u0621 Tekton Pipeline \u064a\u0633\u062a\u0646\u0633\u062e \u0645\u0633\u062a\u0648\u062f\u0639 Git \u0648\u064a\u0628\u0646\u064a \u0635\u0648\u0631\u0629 \u062d\u0627\u0648\u064a\u0629 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Kaniko. 
\u0623\u0648\u0644\u0627\u064b\u060c \u0642\u0645 \u0628\u0625\u0639\u062f\u0627\u062f \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0633\u062c\u0644 \u062d\u062a\u0649 \u064a\u062a\u0645\u0643\u0646 Tekton \u0645\u0646 \u062f\u0641\u0639 \u0627\u0644\u0635\u0648\u0631.<\/p>\n<h3>\u062a\u0643\u0648\u064a\u0646 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0633\u062c\u0644<\/h3>\n<p>\u0623\u0646\u0634\u0626 Kubernetes Secret \u0628\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u0633\u062c\u0644 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643. \u0627\u0633\u062a\u0628\u062f\u0644 \u0627\u0644\u0642\u064a\u0645 \u0627\u0644\u0645\u0624\u0642\u062a\u0629 \u0628\u062a\u0641\u0627\u0635\u064a\u0644 \u0627\u0644\u0633\u062c\u0644 \u0627\u0644\u0641\u0639\u0644\u064a\u0629:<\/p>\n<pre><code>export REGISTRY_SERVER=ghcr.io\nexport REGISTRY_USER=your-username\nexport REGISTRY_PASSWORD=your-token\n\nkubectl create secret docker-registry registry-credentials \\\n  --docker-server=$REGISTRY_SERVER \\\n  --docker-username=$REGISTRY_USER \\\n  --docker-password=$REGISTRY_PASSWORD\n\nkubectl patch serviceaccount default -p '{\"secrets\": [{\"name\": \"registry-credentials\"}]}'<\/code><\/pre>\n<h3>\u0625\u0646\u0634\u0627\u0621 \u0645\u0647\u0645\u0629 \u0627\u0644\u0628\u0646\u0627\u0621<\/h3>\n<p>\u0623\u0646\u0634\u0626 \u0645\u0644\u0641\u0627\u064b \u0628\u0627\u0633\u0645 <code>build-task.yaml<\/code>. 
\u062a\u0642\u0628\u0644 \u0647\u0630\u0647 \u0627\u0644\u0645\u0647\u0645\u0629 \u0639\u0646\u0648\u0627\u0646 URL \u0644\u0645\u0633\u062a\u0648\u062f\u0639 Git \u0648\u0627\u0633\u0645 \u0635\u0648\u0631\u0629 \u0645\u0633\u062a\u0647\u062f\u0641\u0629 \u0648\u062a\u0633\u062a\u062e\u062f\u0645 Kaniko \u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u0635\u0648\u0631\u0629 \u0648\u062f\u0641\u0639\u0647\u0627:<\/p>\n<pre><code>apiVersion: tekton.dev\/v1\nkind: Task\nmetadata:\n  name: git-clone-and-build\nspec:\n  params:\n    - name: repo-url\n      type: string\n      description: The Git repository URL to clone\n    - name: image\n      type: string\n      description: The image reference to build and push (e.g., ghcr.io\/user\/app:tag)\n  results:\n    - name: IMAGE_URL\n      description: The image URL that was built\n    - name: IMAGE_DIGEST\n      description: The digest of the built image\n  workspaces:\n    - name: source\n  steps:\n    - name: clone\n      image: alpine\/git:2.43.0\n      script: |\n        #!\/usr\/bin\/env sh\n        set -eu\n        git clone $(params.repo-url) $(workspaces.source.path)\/src\n        echo \"Repository cloned successfully\"\n    - name: build-and-push\n      image: gcr.io\/kaniko-project\/executor:latest\n      args:\n        - --dockerfile=$(workspaces.source.path)\/src\/Dockerfile\n        - --context=$(workspaces.source.path)\/src\n        - --destination=$(params.image)\n        - --digest-file=$(results.IMAGE_DIGEST.path)\n      securityContext:\n        runAsUser: 0\n    - name: write-url\n      image: alpine:3.19\n      script: |\n        #!\/usr\/bin\/env sh\n        set -eu\n        echo -n \"$(params.image)\" &gt; \"$(results.IMAGE_URL.path)\"\n        echo \"Image URL written: $(params.image)\"<\/code><\/pre>\n<p>\u0637\u0628\u0651\u0642 \u0627\u0644\u0645\u0647\u0645\u0629:<\/p>\n<pre><code>kubectl apply -f build-task.yaml<\/code><\/pre>\n<h3>\u0625\u0646\u0634\u0627\u0621 \u0645\u0647\u0645\u0629 
\u0641\u062d\u0635 \u0627\u0644\u062b\u063a\u0631\u0627\u062a \u0627\u0644\u0623\u0645\u0646\u064a\u0629 (\u0644\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0644\u0627\u062d\u0642\u0627\u064b)<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>vuln-scan-task.yaml<\/code> \u2014 \u0633\u062a\u0636\u064a\u0641 \u0647\u0630\u0627 \u0625\u0644\u0649 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0641\u064a \u062a\u0645\u0631\u064a\u0646 \u0644\u0627\u062d\u0642:<\/p>\n<pre><code>apiVersion: tekton.dev\/v1\nkind: Task\nmetadata:\n  name: vulnerability-scan\nspec:\n  params:\n    - name: image\n      type: string\n      description: The image reference to scan\n  steps:\n    - name: scan\n      image: anchore\/grype:latest\n      args:\n        - $(params.image)\n        - --fail-on\n        - critical\n        - --output\n        - table<\/code><\/pre>\n<h3>\u0625\u0646\u0634\u0627\u0621 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>build-pipeline.yaml<\/code> \u0627\u0644\u0630\u064a \u064a\u0631\u0628\u0637 \u062e\u0637\u0648\u0627\u062a \u0627\u0644\u0627\u0633\u062a\u0646\u0633\u0627\u062e \u0648\u0627\u0644\u0628\u0646\u0627\u0621:<\/p>\n<pre><code>apiVersion: tekton.dev\/v1\nkind: Pipeline\nmetadata:\n  name: secure-build\nspec:\n  params:\n    - name: repo-url\n      type: string\n    - name: image\n      type: string\n  workspaces:\n    - name: shared-workspace\n  tasks:\n    - name: build\n      taskRef:\n        name: git-clone-and-build\n      params:\n        - name: repo-url\n          value: $(params.repo-url)\n        - name: image\n          value: $(params.image)\n      workspaces:\n        - name: source\n          workspace: shared-workspace<\/code><\/pre>\n<p>\u0637\u0628\u0651\u0642 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628:<\/p>\n<pre><code>kubectl apply -f build-pipeline.yaml<\/code><\/pre>\n<h3>\u062a\u0634\u063a\u064a\u0644 \u062e\u0637 
\u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628<\/h3>\n<p>\u0623\u0646\u0634\u0626 PipelineRun \u0644\u062a\u0646\u0641\u064a\u0630 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628. \u0627\u0633\u062a\u0628\u062f\u0644 \u0645\u0631\u062c\u0639 \u0627\u0644\u0635\u0648\u0631\u0629 \u0628\u0633\u062c\u0644\u0643:<\/p>\n<pre><code>apiVersion: tekton.dev\/v1\nkind: PipelineRun\nmetadata:\n  generateName: secure-build-run-\nspec:\n  pipelineRef:\n    name: secure-build\n  params:\n    - name: repo-url\n      value: \"https:\/\/github.com\/GoogleContainerTools\/kaniko.git\"\n    - name: image\n      value: \"ghcr.io\/your-username\/tekton-lab:v1\"\n  workspaces:\n    - name: shared-workspace\n      volumeClaimTemplate:\n        spec:\n          accessModes:\n            - ReadWriteOnce\n          resources:\n            requests:\n              storage: 1Gi<\/code><\/pre>\n<p>\u0627\u062d\u0641\u0638 \u0647\u0630\u0627 \u0628\u0627\u0633\u0645 <code>pipelinerun.yaml<\/code> \u0648\u0623\u0646\u0634\u0626\u0647:<\/p>\n<pre><code>kubectl create -f pipelinerun.yaml<\/code><\/pre>\n<p>\u0631\u0627\u0642\u0628 \u062a\u0646\u0641\u064a\u0630 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628:<\/p>\n<pre><code>tkn pipelinerun logs -f --last\n# [build : clone] Cloning into '\/workspace\/source\/src'...\n# [build : clone] Repository cloned successfully\n# [build : build-and-push] INFO[0001] Resolved base image golang:1.22\n# [build : build-and-push] ...\n# [build : build-and-push] INFO[0045] Pushing image to ghcr.io\/your-username\/tekton-lab:v1\n# [build : write-url] Image URL written: ghcr.io\/your-username\/tekton-lab:v1<\/code><\/pre>\n<p>\u064a\u062c\u0628 \u0623\u0646 \u064a\u0643\u062a\u0645\u0644 \u0627\u0644\u0628\u0646\u0627\u0621 \u0628\u0646\u062c\u0627\u062d. 
\u064a\u0645\u0643\u0646\u0643 \u0623\u064a\u0636\u0627\u064b \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u062d\u0627\u0644\u0629 PipelineRun:<\/p>\n<pre><code>tkn pipelinerun list\n# NAME                     STARTED        DURATION   STATUS\n# secure-build-run-x7k2p   1 minute ago   1m 15s     Succeeded<\/code><\/pre>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 3: \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u062a\u0644\u0642\u0627\u0626\u064a<\/h2>\n<p>\u0628\u0645\u062c\u0631\u062f \u0627\u0643\u062a\u0645\u0627\u0644 PipelineRun\u060c \u064a\u0643\u062a\u0634\u0641 Tekton Chains \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b \u0639\u0645\u0644\u064a\u0629 TaskRun \u0627\u0644\u0645\u0643\u062a\u0645\u0644\u0629\u060c \u0648\u064a\u0648\u0642\u0651\u0639 \u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u0645\u0628\u0646\u064a\u0629\u060c \u0648\u064a\u064f\u0636\u064a\u0641 \u062a\u0639\u0644\u064a\u0642\u0627\u062a \u062a\u0648\u0636\u064a\u062d\u064a\u0629 \u0639\u0644\u0649 TaskRun. \u0643\u0644 \u0647\u0630\u0627 \u064a\u062d\u062f\u062b \u0641\u064a \u0627\u0644\u062e\u0644\u0641\u064a\u0629 \u2014 \u062f\u0648\u0646 \u0627\u0644\u062d\u0627\u062c\u0629 \u0625\u0644\u0649 \u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0641\u064a \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628.<\/p>\n<h3>\u0627\u0646\u062a\u0638\u0627\u0631 \u062a\u0648\u0642\u064a\u0639 Chains<\/h3>\n<p>\u064a\u0639\u0627\u0644\u062c Chains \u0639\u0645\u0644\u064a\u0627\u062a TaskRun \u0627\u0644\u0645\u0643\u062a\u0645\u0644\u0629 \u0628\u0634\u0643\u0644 \u063a\u064a\u0631 \u0645\u062a\u0632\u0627\u0645\u0646. 
\u0627\u0646\u062a\u0638\u0631 \u0628\u0636\u0639 \u0644\u062d\u0638\u0627\u062a\u060c \u062b\u0645 \u062a\u062d\u0642\u0642 \u0645\u0646 \u062a\u0639\u0644\u064a\u0642\u0627\u062a TaskRun \u0627\u0644\u062a\u0648\u0636\u064a\u062d\u064a\u0629:<\/p>\n<pre><code># Get the TaskRun name from the PipelineRun\nTASKRUN=$(kubectl get taskrun -l tekton.dev\/pipeline=secure-build -o name --sort-by=.metadata.creationTimestamp | tail -1)\necho $TASKRUN\n\n# Check if Chains has signed it\nkubectl get $TASKRUN -o jsonpath='{.metadata.annotations.chains\\.tekton\\.dev\/signed}'<\/code><\/pre>\n<p>\u064a\u062c\u0628 \u0623\u0646 \u064a\u0643\u0648\u0646 \u0627\u0644\u0646\u0627\u062a\u062c:<\/p>\n<pre><code>true<\/code><\/pre>\n<p>\u0625\u0630\u0627 \u0643\u0627\u0646 \u0644\u0627 \u064a\u0632\u0627\u0644 \u0641\u0627\u0631\u063a\u0627\u064b\u060c \u0627\u0646\u062a\u0638\u0631 \u0628\u0636\u0639 \u062b\u0648\u0627\u0646\u064d \u0648\u062d\u0627\u0648\u0644 \u0645\u0631\u0629 \u0623\u062e\u0631\u0649 \u2014 \u064a\u062d\u062a\u0627\u062c Chains \u0648\u0642\u062a\u0627\u064b \u0644\u0645\u0639\u0627\u0644\u062c\u0629 \u0627\u0644\u062a\u0648\u0642\u064a\u0639.<\/p>\n<h3>\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Cosign<\/h3>\n<p>\u0627\u0644\u0622\u0646 \u062a\u062d\u0642\u0642 \u0645\u0646 \u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0635\u0648\u0631\u0629 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u0639\u0627\u0645 \u0645\u0646 \u0632\u0648\u062c \u0645\u0641\u0627\u062a\u064a\u062d Cosign \u0627\u0644\u0630\u064a \u0623\u0646\u0634\u0623\u062a\u0647 \u0633\u0627\u0628\u0642\u0627\u064b:<\/p>\n<pre><code>cosign verify \\\n  --key k8s:\/\/tekton-chains\/signing-secrets \\\n  ghcr.io\/your-username\/tekton-lab:v1<\/code><\/pre>\n<p>\u064a\u062c\u0628 \u0623\u0646 \u062a\u0631\u0649 \u0646\u0627\u062a\u062c\u0627\u064b 
\u064a\u0624\u0643\u062f \u0646\u062c\u0627\u062d \u0627\u0644\u062a\u062d\u0642\u0642:<\/p>\n<pre><code>Verification for ghcr.io\/your-username\/tekton-lab:v1 --\nThe following checks were performed on each of these signatures:\n  - The cosign claims were validated\n  - The signatures were verified against the specified public key\n\n[{\"critical\":{\"identity\":{\"docker-reference\":\"ghcr.io\/your-username\/tekton-lab\"},\"image\":{\"docker-manifest-digest\":\"sha256:abc123...\"},\"type\":\"cosign container image signature\"},\"optional\":{}}]<\/code><\/pre>\n<h3>\u0641\u062d\u0635 \u062a\u0639\u0644\u064a\u0642\u0627\u062a TaskRun \u0627\u0644\u062a\u0648\u0636\u064a\u062d\u064a\u0629<\/h3>\n<p>\u064a\u064f\u0636\u064a\u0641 Chains \u062a\u0639\u0644\u064a\u0642\u0627\u062a \u062a\u0648\u0636\u064a\u062d\u064a\u0629 \u063a\u0646\u064a\u0629 \u0639\u0644\u0649 TaskRun \u062d\u0648\u0644 \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u062a\u0648\u0642\u064a\u0639:<\/p>\n<pre><code>kubectl get $TASKRUN -o jsonpath='{.metadata.annotations}' | jq .<\/code><\/pre>\n<p>\u062a\u0634\u0645\u0644 \u0627\u0644\u062a\u0639\u0644\u064a\u0642\u0627\u062a \u0627\u0644\u062a\u0648\u0636\u064a\u062d\u064a\u0629 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629:<\/p>\n<pre><code>{\n  \"chains.tekton.dev\/signed\": \"true\",\n  \"chains.tekton.dev\/transparency\": \"https:\/\/rekor.sigstore.dev\/api\/v1\/log\/entries?logIndex=...\",\n  \"chains.tekton.dev\/signature-taskrun-...\": \"...\"\n}<\/code><\/pre>\n<p>\u064a\u0624\u0643\u062f \u0627\u0644\u062a\u0639\u0644\u064a\u0642 \u0627\u0644\u062a\u0648\u0636\u064a\u062d\u064a <code>chains.tekton.dev\/signed=true<\/code> \u0623\u0646 Chains \u0639\u0627\u0644\u062c \u0648\u0648\u0642\u0651\u0639 \u0647\u0630\u0627 TaskRun \u0628\u0646\u062c\u0627\u062d. 
\u0625\u0630\u0627 \u062a\u0645 \u062a\u0643\u0648\u064a\u0646 \u0633\u062c\u0644 \u0627\u0644\u0634\u0641\u0627\u0641\u064a\u0629\u060c \u0633\u062a\u0631\u0649 \u0623\u064a\u0636\u0627\u064b \u0645\u0631\u062c\u0639 \u0625\u062f\u062e\u0627\u0644 \u0633\u062c\u0644 Rekor.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 4: \u0641\u062d\u0635 \u0634\u0647\u0627\u062f\u0629 \u0645\u0635\u062f\u0631 SLSA<\/h2>\n<p>\u0628\u0627\u0644\u0625\u0636\u0627\u0641\u0629 \u0625\u0644\u0649 \u0627\u0644\u062a\u0648\u0642\u064a\u0639\u0627\u062a \u0627\u0644\u0628\u0633\u064a\u0637\u0629\u060c \u064a\u064f\u0646\u0634\u0626 Tekton Chains \u0634\u0647\u0627\u062f\u0627\u062a \u0645\u0635\u062f\u0631 SLSA \u0643\u0627\u0645\u0644\u0629. \u062a\u0635\u0641 \u0647\u0630\u0647 \u0627\u0644\u0634\u0647\u0627\u062f\u0627\u062a <em>\u0643\u064a\u0641<\/em> \u062a\u0645 \u0628\u0646\u0627\u0621 \u0627\u0644\u0639\u0646\u0635\u0631 \u2014 \u0623\u064a \u0645\u0635\u062f\u0631 \u062a\u0645 \u0627\u0633\u062a\u062e\u062f\u0627\u0645\u0647\u060c \u0648\u0645\u0627 \u0647\u064a \u062e\u0637\u0648\u0627\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0627\u0644\u062a\u064a \u0646\u064f\u0641\u0651\u0630\u062a\u060c \u0648\u0645\u0627 \u0647\u064a \u0627\u0644\u0623\u062f\u0648\u0627\u062a \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645\u0629.<\/p>\n<h3>\u062c\u0644\u0628 \u0634\u0647\u0627\u062f\u0629 \u0627\u0644\u0645\u0635\u062f\u0631<\/h3>\n<p>\u0627\u0633\u062a\u062e\u062f\u0645 Cosign \u0644\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0634\u0647\u0627\u062f\u0629 in-toto \u0648\u0627\u0633\u062a\u0631\u062c\u0627\u0639\u0647\u0627:<\/p>\n<pre><code>cosign verify-attestation \\\n  --key k8s:\/\/tekton-chains\/signing-secrets \\\n  --type slsaprovenance \\\n  ghcr.io\/your-username\/tekton-lab:v1 | jq -r '.payload' | base64 -d | jq .<\/code><\/pre>\n<h3>\u0641\u0647\u0645 \u0647\u064a\u0643\u0644 \u0634\u0647\u0627\u062f\u0629 
\u0627\u0644\u0645\u0635\u062f\u0631<\/h3>\n<p>\u062a\u062a\u0628\u0639 \u0634\u0647\u0627\u062f\u0629 \u0627\u0644\u0645\u0635\u062f\u0631 \u062a\u0646\u0633\u064a\u0642 \u0628\u064a\u0627\u0646 in-toto \u0645\u0639 \u0645\u064f\u0633\u0646\u062f SLSA Provenance. \u0641\u064a\u0645\u0627 \u064a\u0644\u064a \u0634\u0631\u062d \u0644\u0644\u062d\u0642\u0648\u0644 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629:<\/p>\n<pre><code>{\n  \"_type\": \"https:\/\/in-toto.io\/Statement\/v0.1\",\n  \"predicateType\": \"https:\/\/slsa.dev\/provenance\/v0.2\",\n  \"subject\": [\n    {\n      \"name\": \"ghcr.io\/your-username\/tekton-lab\",\n      \"digest\": {\n        \"sha256\": \"abc123def456...\"\n      }\n    }\n  ],\n  \"predicate\": {\n    \"builder\": {\n      \"id\": \"https:\/\/tekton.dev\/chains\/v2\"\n    },\n    \"buildType\": \"tekton.dev\/v1beta1\/TaskRun\",\n    \"invocation\": {\n      \"configSource\": {},\n      \"parameters\": {\n        \"repo-url\": \"https:\/\/github.com\/GoogleContainerTools\/kaniko.git\",\n        \"image\": \"ghcr.io\/your-username\/tekton-lab:v1\"\n      }\n    },\n    \"buildConfig\": {\n      \"steps\": [\n        {\n          \"entryPoint\": \"...\",\n          \"arguments\": null,\n          \"environment\": {\n            \"container\": \"clone\",\n            \"image\": \"alpine\/git:2.43.0@sha256:...\"\n          }\n        },\n        {\n          \"entryPoint\": \"...\",\n          \"environment\": {\n            \"container\": \"build-and-push\",\n            \"image\": \"gcr.io\/kaniko-project\/executor:latest@sha256:...\"\n          }\n        }\n      ]\n    },\n    \"materials\": [\n      {\n        \"uri\": \"oci:\/\/alpine\/git:2.43.0\",\n        \"digest\": { \"sha256\": \"...\" }\n      },\n      {\n        \"uri\": \"oci:\/\/gcr.io\/kaniko-project\/executor:latest\",\n        \"digest\": { \"sha256\": \"...\" }\n      }\n    ]\n  }\n}<\/code><\/pre>\n<p>\u062f\u0639\u0648\u0646\u0627 
\u0646\u0633\u062a\u0639\u0631\u0636 \u0643\u0644 \u062d\u0642\u0644:<\/p>\n<ul>\n<li><strong>subject<\/strong> \u2014 \u0627\u0644\u0639\u0646\u0635\u0631 \u0627\u0644\u0630\u064a \u062a\u0645 \u0625\u0646\u062a\u0627\u062c\u0647\u060c \u0645\u064f\u0639\u0631\u064e\u0651\u0641 \u0628\u0639\u0646\u0648\u0627\u0646 URL \u0627\u0644\u062e\u0627\u0635 \u0628\u0627\u0644\u0633\u062c\u0644 \u0648\u0645\u0644\u062e\u0635 SHA-256. \u0647\u0630\u0627 \u0647\u0648 \u0645\u0627 \u062a\u062a\u0639\u0644\u0642 \u0628\u0647 \u0634\u0647\u0627\u062f\u0629 \u0627\u0644\u0645\u0635\u062f\u0631.<\/li>\n<li><strong>builder.id<\/strong> \u2014 \u064a\u064f\u062d\u062f\u062f \u0646\u0638\u0627\u0645 \u0627\u0644\u0628\u0646\u0627\u0621. \u064a\u064f\u0639\u064a\u0651\u0646 Tekton Chains \u0647\u0630\u0627 \u0625\u0644\u0649 <code>https:\/\/tekton.dev\/chains\/v2<\/code>.<\/li>\n<li><strong>buildConfig.steps<\/strong> \u2014 \u064a\u064f\u0633\u062c\u0644 \u0643\u0644 \u062e\u0637\u0648\u0629 \u0646\u064f\u0641\u0651\u0630\u062a \u0641\u064a TaskRun\u060c \u0628\u0645\u0627 \u0641\u064a \u0630\u0644\u0643 \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0627\u0644\u062f\u0642\u064a\u0642\u0629 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645\u0629 (\u0645\u062b\u0628\u062a\u0629 \u0628\u0627\u0644\u0645\u0644\u062e\u0635).<\/li>\n<li><strong>materials<\/strong> \u2014 \u064a\u064f\u062f\u0631\u062c \u0639\u0646\u0627\u0635\u0631 \u0627\u0644\u0625\u062f\u062e\u0627\u0644 \u0627\u0644\u0645\u0633\u062a\u0647\u0644\u0643\u0629 \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u0628\u0646\u0627\u0621\u060c \u0645\u062b\u0644 \u0627\u0644\u0635\u0648\u0631 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629. 
\u064a\u062a\u0636\u0645\u0646 \u0643\u0644 \u0639\u0646\u0635\u0631 \u0645\u0644\u062e\u0635\u0627\u064b \u0644\u0636\u0645\u0627\u0646 \u0642\u0627\u0628\u0644\u064a\u0629 \u0627\u0644\u062a\u0643\u0631\u0627\u0631.<\/li>\n<li><strong>invocation.parameters<\/strong> \u2014 \u064a\u0644\u062a\u0642\u0637 \u0627\u0644\u0645\u0639\u0627\u0645\u0644\u0627\u062a \u0627\u0644\u0645\u0645\u0631\u0631\u0629 \u0625\u0644\u0649 TaskRun\u060c \u0645\u064f\u0638\u0647\u0631\u0627\u064b \u0628\u0627\u0644\u0636\u0628\u0637 \u0627\u0644\u0645\u062f\u062e\u0644\u0627\u062a \u0627\u0644\u062a\u064a \u0642\u0627\u062f\u062a \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0628\u0646\u0627\u0621.<\/li>\n<\/ul>\n<p>\u062a\u0641\u064a \u0628\u064a\u0627\u0646\u0627\u062a \u0634\u0647\u0627\u062f\u0629 \u0627\u0644\u0645\u0635\u062f\u0631 \u0647\u0630\u0647 \u0628\u0645\u062a\u0637\u0644\u0628\u0627\u062a <strong>SLSA Level 2<\/strong>: \u064a\u062a\u0645 \u062a\u0639\u0631\u064a\u0641 \u0639\u0645\u0644\u064a\u0629 \u0627\u0644\u0628\u0646\u0627\u0621 \u0641\u064a \u062e\u062f\u0645\u0629 \u0628\u0646\u0627\u0621 (Tekton)\u060c \u0648\u064a\u062a\u0645 \u0625\u0646\u0634\u0627\u0621 \u0634\u0647\u0627\u062f\u0629 \u0627\u0644\u0645\u0635\u062f\u0631 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b \u0628\u0648\u0627\u0633\u0637\u0629 Tekton Chains (\u0648\u0644\u064a\u0633 \u0628\u0648\u0627\u0633\u0637\u0629 \u0633\u0643\u0631\u064a\u0628\u062a \u0627\u0644\u0628\u0646\u0627\u0621 \u0646\u0641\u0633\u0647). 
\u0634\u0647\u0627\u062f\u0629 \u0627\u0644\u0645\u0635\u062f\u0631 \u0645\u0648\u0642\u0651\u0639\u0629\u060c \u0645\u0645\u0627 \u064a\u0648\u0641\u0631 \u062f\u0644\u064a\u0644\u0627\u064b \u0639\u0644\u0649 \u0639\u062f\u0645 \u0627\u0644\u062a\u0644\u0627\u0639\u0628.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 5: \u0625\u0636\u0627\u0641\u0629 \u0645\u0647\u0645\u0629 \u0641\u062d\u0635 \u0627\u0644\u062b\u063a\u0631\u0627\u062a \u0627\u0644\u0623\u0645\u0646\u064a\u0629<\/h2>\n<p>\u064a\u062c\u0628 \u0623\u0644\u0627 \u064a\u0642\u062a\u0635\u0631 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0627\u0644\u0622\u0645\u0646 \u0639\u0644\u0649 \u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0639\u0646\u0627\u0635\u0631 \u0641\u062d\u0633\u0628\u060c \u0628\u0644 \u064a\u062c\u0628 \u0623\u064a\u0636\u0627\u064b \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u062e\u0644\u0648\u0647\u0627 \u0645\u0646 \u0627\u0644\u062b\u063a\u0631\u0627\u062a \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0627\u0644\u0645\u0639\u0631\u0648\u0641\u0629 \u0642\u0628\u0644 \u0627\u0644\u0646\u0634\u0631. 
\u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u062a\u0645\u0631\u064a\u0646\u060c \u0633\u062a\u0636\u064a\u0641 \u062e\u0637\u0648\u0629 \u0641\u062d\u0635 \u062b\u063a\u0631\u0627\u062a Grype \u0625\u0644\u0649 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628.<\/p>\n<h3>\u062a\u0637\u0628\u064a\u0642 \u0645\u0647\u0645\u0629 \u0627\u0644\u0641\u062d\u0635<\/h3>\n<p>\u0637\u0628\u0651\u0642 \u0645\u0647\u0645\u0629 \u0641\u062d\u0635 \u0627\u0644\u062b\u063a\u0631\u0627\u062a \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0627\u0644\u062a\u064a \u0623\u0646\u0634\u0623\u062a\u0647\u0627 \u0633\u0627\u0628\u0642\u0627\u064b:<\/p>\n<pre><code>kubectl apply -f vuln-scan-task.yaml<\/code><\/pre>\n<h3>\u062a\u062d\u062f\u064a\u062b \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628<\/h3>\n<p>\u062d\u062f\u0651\u062b <code>build-pipeline.yaml<\/code> \u0644\u062a\u0636\u0645\u064a\u0646 \u0641\u062d\u0635 \u0627\u0644\u062b\u063a\u0631\u0627\u062a \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0628\u0639\u062f \u062e\u0637\u0648\u0629 \u0627\u0644\u0628\u0646\u0627\u0621:<\/p>\n<pre><code>apiVersion: tekton.dev\/v1\nkind: Pipeline\nmetadata:\n  name: secure-build\nspec:\n  params:\n    - name: repo-url\n      type: string\n    - name: image\n      type: string\n  workspaces:\n    - name: shared-workspace\n  tasks:\n    - name: build\n      taskRef:\n        name: git-clone-and-build\n      params:\n        - name: repo-url\n          value: $(params.repo-url)\n        - name: image\n          value: $(params.image)\n      workspaces:\n        - name: source\n          workspace: shared-workspace\n    - name: vulnerability-scan\n      runAfter:\n        - build\n      taskRef:\n        name: vulnerability-scan\n      params:\n        - name: image\n          value: $(params.image)<\/code><\/pre>\n<p>\u0637\u0628\u0651\u0642 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 
\u0627\u0644\u0645\u064f\u062d\u062f\u0651\u062b:<\/p>\n<pre><code>kubectl apply -f build-pipeline.yaml<\/code><\/pre>\n<h3>\u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631 \u0628\u0635\u0648\u0631\u0629 \u062a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u062b\u063a\u0631\u0627\u062a<\/h3>\n<p>\u0644\u062a\u0648\u0636\u064a\u062d \u0643\u064a\u0641\u064a\u0629 \u0627\u0643\u062a\u0634\u0627\u0641 \u0627\u0644\u0641\u062d\u0635 \u0644\u0644\u062b\u063a\u0631\u0627\u062a\u060c \u0623\u0646\u0634\u0626 Dockerfile \u064a\u0633\u062a\u062e\u062f\u0645 \u0635\u0648\u0631\u0629 \u0623\u0633\u0627\u0633\u064a\u0629 \u0645\u0639\u0631\u0648\u0641\u0629 \u0628\u0648\u062c\u0648\u062f \u062b\u063a\u0631\u0627\u062a \u0641\u064a\u0647\u0627 \u0648\u0627\u062f\u0641\u0639 \u0645\u0633\u062a\u0648\u062f\u0639\u0627\u064b \u0623\u0648 \u0639\u062f\u0651\u0644 \u0627\u0644\u0645\u0639\u0627\u0645\u0644\u0627\u062a \u0648\u0641\u0642\u0627\u064b \u0644\u0630\u0644\u0643. \u0625\u0630\u0627 \u0627\u062d\u062a\u0648\u062a \u0627\u0644\u0635\u0648\u0631\u0629 \u0639\u0644\u0649 \u062b\u063a\u0631\u0627\u062a \u062d\u0631\u062c\u0629\u060c \u0633\u064a\u064f\u0641\u0634\u0644 Grype \u0627\u0644\u062e\u0637\u0648\u0629:<\/p>\n<pre><code>tkn pipelinerun logs -f --last\n# [vulnerability-scan : scan] NAME             INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY\n# [vulnerability-scan : scan] libcrypto3       3.0.12     3.0.13    apk   CVE-2024-0727   Critical\n# [vulnerability-scan : scan] 1 critical vulnerability found\n# [vulnerability-scan : scan] ERROR: failed to pass severity threshold\n#\n# TaskRun failed: step \"scan\" exited with code 1<\/code><\/pre>\n<p>\u064a\u0641\u0634\u0644 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0628\u0634\u0643\u0644 \u0635\u062d\u064a\u062d \u0639\u0646\u062f \u062e\u0637\u0648\u0629 \u0627\u0644\u0641\u062d\u0635\u060c \u0645\u0645\u0627 \u064a\u0645\u0646\u0639 \u062a\u0631\u0642\u064a\u0629 \u0635\u0648\u0631\u0629 
\u062a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u062b\u063a\u0631\u0627\u062a.<\/p>\n<h3>\u0627\u0644\u0627\u062e\u062a\u0628\u0627\u0631 \u0628\u0635\u0648\u0631\u0629 \u0645\u064f\u062d\u062f\u0651\u062b\u0629<\/h3>\n<p>\u0627\u0644\u0622\u0646 \u0634\u063a\u0651\u0644 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0639\u0644\u0649 \u0645\u0633\u062a\u0648\u062f\u0639 \u064a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u0635\u0648\u0631\u0629 \u0623\u0633\u0627\u0633\u064a\u0629 \u0645\u062d\u062f\u0651\u062b\u0629. \u0639\u0646\u062f\u0645\u0627 \u0644\u0627 \u064a\u062a\u0645 \u0627\u0644\u0639\u062b\u0648\u0631 \u0639\u0644\u0649 \u062b\u063a\u0631\u0627\u062a \u062d\u0631\u062c\u0629\u060c \u064a\u0646\u062c\u062d \u0627\u0644\u0641\u062d\u0635:<\/p>\n<pre><code>tkn pipelinerun logs -f --last\n# [vulnerability-scan : scan] No critical vulnerabilities found\n# PipelineRun completed successfully<\/code><\/pre>\n<p>\u062a\u062f\u0641\u0642 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0627\u0644\u0622\u0646 \u0647\u0648: <strong>git-clone \u2192 build-push \u2192 vulnerability-scan<\/strong>. 
\u0641\u0642\u0637 \u0627\u0644\u0635\u0648\u0631 \u0627\u0644\u062a\u064a \u062a\u062c\u062a\u0627\u0632 \u0641\u062d\u0635 \u0627\u0644\u062b\u063a\u0631\u0627\u062a \u064a\u062a\u0645 \u062a\u0648\u0642\u064a\u0639\u0647\u0627 \u0628\u0648\u0627\u0633\u0637\u0629 Tekton Chains\u060c \u0644\u0623\u0646 Chains \u064a\u0639\u0627\u0644\u062c \u0641\u0642\u0637 \u0639\u0645\u0644\u064a\u0627\u062a TaskRun <em>\u0627\u0644\u0646\u0627\u062c\u062d\u0629<\/em>. \u0644\u0627\u062d\u0638 \u0623\u0646 Chains \u064a\u0648\u0642\u0651\u0639 \u0643\u0644 TaskRun \u0639\u0644\u0649 \u062d\u062f\u0629\u060c \u0648\u0623\u0646 \u0627\u0644\u0628\u0646\u0627\u0621 \u0648\u0627\u0644\u0641\u062d\u0635 \u0647\u0646\u0627 \u0645\u0647\u0645\u062a\u0627\u0646 \u0645\u0646\u0641\u0635\u0644\u062a\u0627\u0646\u061b \u062a\u062d\u0642\u0642 \u0641\u064a \u0628\u064a\u0626\u062a\u0643 \u0645\u0646 \u0623\u0646 \u0635\u0648\u0631\u0629 TaskRun \u0627\u0644\u0628\u0646\u0627\u0621 \u0644\u0627 \u062a\u064f\u0648\u0642\u0651\u0639 \u0642\u0628\u0644 \u0627\u0643\u062a\u0645\u0627\u0644 \u0627\u0644\u0641\u062d\u0635.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 6: \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Fulcio (\u0645\u062a\u0642\u062f\u0645)<\/h2>\n<p>\u062a\u064f\u062f\u062e\u0644 \u0625\u062f\u0627\u0631\u0629 \u0645\u0641\u0627\u062a\u064a\u062d \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0639\u0645\u0631 \u062a\u0639\u0642\u064a\u062f\u0627\u064b \u062a\u0634\u063a\u064a\u0644\u064a\u0627\u064b \u0648\u0645\u062e\u0627\u0637\u0631 \u0623\u0645\u0646\u064a\u0629. \u064a\u0648\u0641\u0631 <strong>Fulcio<\/strong> \u0645\u0646 Sigstore \u062a\u0648\u0642\u064a\u0639\u0627\u064b \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u0639\u0646 \u0637\u0631\u064a\u0642 \u0625\u0635\u062f\u0627\u0631 \u0634\u0647\u0627\u062f\u0627\u062a \u0642\u0635\u064a\u0631\u0629 \u0627\u0644\u0639\u0645\u0631 \u0645\u0631\u062a\u0628\u0637\u0629 \u0628\u0647\u0648\u064a\u0629 OIDC. 
\u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u062a\u0645\u0631\u064a\u0646\u060c \u0633\u062a\u0642\u0648\u0645 \u0628\u062a\u0643\u0648\u064a\u0646 Tekton Chains \u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d.<\/p>\n<h3>\u062a\u062d\u062f\u064a\u062b \u062a\u0643\u0648\u064a\u0646 Chains<\/h3>\n<p>\u0639\u062f\u0651\u0644 \u062a\u0643\u0648\u064a\u0646 Chains \u0644\u062a\u0645\u0643\u064a\u0646 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d:<\/p>\n<pre><code>kubectl patch configmap chains-config -n tekton-chains -p='{\"data\":{\n  \"signers.x509.fulcio.enabled\": \"true\",\n  \"signers.x509.fulcio.address\": \"https:\/\/fulcio.sigstore.dev\",\n  \"transparency.enabled\": \"true\",\n  \"transparency.url\": \"https:\/\/rekor.sigstore.dev\"\n}}'<\/code><\/pre>\n<p>\u062a\u062d\u062a\u0627\u062c \u0623\u064a\u0636\u0627\u064b \u0625\u0644\u0649 \u062d\u0630\u0641 \u0623\u0648 \u0625\u0639\u0627\u062f\u0629 \u062a\u0633\u0645\u064a\u0629 \u0627\u0644\u0633\u0631 <code>signing-secrets<\/code> \u0627\u0644\u062d\u0627\u0644\u064a \u062d\u062a\u0649 \u064a\u0639\u0648\u062f Chains \u0625\u0644\u0649 \u0648\u0636\u0639 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d. \u0627\u062d\u062a\u0641\u0638 \u0623\u0648\u0644\u0627\u064b \u0628\u0646\u0633\u062e\u0629 \u0645\u0646 \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u0639\u0627\u0645 \u0644\u0623\u0646 \u0627\u0644\u062a\u0645\u0631\u064a\u0646 7 \u064a\u0633\u062a\u062e\u0631\u062c\u0647 \u0645\u0646 \u0647\u0630\u0627 \u0627\u0644\u0633\u0631:<\/p>\n<pre><code>kubectl delete secret signing-secrets -n tekton-chains<\/code><\/pre>\n<p>\u0623\u0639\u062f \u062a\u0634\u063a\u064a\u0644 \u0648\u062d\u062f\u0629 \u062a\u062d\u0643\u0645 Chains:<\/p>\n<pre><code>kubectl rollout restart deployment tekton-chains-controller -n tekton-chains<\/code><\/pre>\n<h3>\u062a\u0643\u0648\u064a\u0646 OIDC \u0644\u0640 Chains<\/h3>\n<p>\u064a\u062d\u062a\u0627\u062c Chains \u0625\u0644\u0649 \u0631\u0645\u0632 OIDC \u0644\u0644\u0645\u0635\u0627\u062f\u0642\u0629 \u0645\u0639 Fulcio. 
\u0639\u0644\u0649 \u062e\u062f\u0645\u0629 Kubernetes \u0645\u064f\u062f\u0627\u0631\u0629 (GKE\u060c EKS\u060c AKS)\u060c \u064a\u0645\u0643\u0646\u0643 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0647\u0648\u064a\u0629 \u0639\u0628\u0621 \u0627\u0644\u0639\u0645\u0644. \u0644\u0645\u062c\u0645\u0648\u0639\u0629 kind \u0645\u062d\u0644\u064a\u0629\u060c \u064a\u0645\u0643\u0646\u0643 \u062a\u0643\u0648\u064a\u0646 Spiffe\/SPIRE \u0623\u0648 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0645\u0648\u0641\u0631 OIDC \u0645\u062d\u064a\u0637. \u062a\u0648\u0641\u0631 \u0648\u062b\u0627\u0626\u0642 Tekton Chains \u062a\u0639\u0644\u064a\u0645\u0627\u062a \u0627\u0644\u0625\u0639\u062f\u0627\u062f \u0644\u0643\u0644 \u0628\u064a\u0626\u0629.<\/p>\n<p>\u0644\u0625\u0639\u062f\u0627\u062f \u0625\u0646\u062a\u0627\u062c\u064a \u0639\u0644\u0649 GKE\u060c \u064a\u062a\u0645 \u0631\u0628\u0637 \u062d\u0633\u0627\u0628 \u0627\u0644\u062e\u062f\u0645\u0629 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b:<\/p>\n<pre><code># Example: GKE workload identity binding\ngcloud iam service-accounts add-iam-policy-binding \\\n  tekton-chains-sa@your-project.iam.gserviceaccount.com \\\n  --role roles\/iam.workloadIdentityUser \\\n  --member \"serviceAccount:your-project.svc.id.goog[tekton-chains\/tekton-chains-controller]\"<\/code><\/pre>\n<h3>\u062a\u0634\u063a\u064a\u0644 \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0645\u0639 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d<\/h3>\n<p>\u0623\u0637\u0644\u0642 PipelineRun \u062c\u062f\u064a\u062f\u0627\u064b:<\/p>\n<pre><code>kubectl create -f pipelinerun.yaml<\/code><\/pre>\n<p>\u0628\u0639\u062f \u0627\u0644\u0627\u0643\u062a\u0645\u0627\u0644\u060c \u062a\u062d\u0642\u0642 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u062a\u062d\u0642\u0642 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u0639\u0646 \u0637\u0631\u064a\u0642 
\u062a\u062d\u062f\u064a\u062f \u0627\u0644\u0647\u0648\u064a\u0629 \u0627\u0644\u0645\u062a\u0648\u0642\u0639\u0629 \u0648\u0645\u064f\u0635\u062f\u0631 OIDC:<\/p>\n<pre><code>cosign verify \\\n  --certificate-identity \"https:\/\/kubernetes.io\/namespaces\/tekton-chains\/serviceaccounts\/tekton-chains-controller\" \\\n  --certificate-oidc-issuer \"https:\/\/your-oidc-issuer\" \\\n  ghcr.io\/your-username\/tekton-lab:v2<\/code><\/pre>\n<p>\u064a\u0639\u062a\u0645\u062f \u0627\u0644\u062a\u062d\u0642\u0642 \u0627\u0644\u0622\u0646 \u0639\u0644\u0649 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u0634\u0647\u0627\u062f\u0627\u062a \u0645\u0646 Fulcio \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u0632\u0648\u062c \u0645\u0641\u0627\u062a\u064a\u062d \u062b\u0627\u0628\u062a. \u064a\u064f\u0644\u063a\u064a \u0647\u0630\u0627 \u0627\u0644\u0646\u0647\u062c \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d \u0628\u0627\u0644\u0643\u0627\u0645\u0644: \u062a\u062d\u0635\u0644 \u0643\u0644 \u0639\u0645\u0644\u064a\u0629 \u062a\u0648\u0642\u064a\u0639 \u0639\u0644\u0649 \u0634\u0647\u0627\u062f\u0629 \u062c\u062f\u064a\u062f\u0629 \u0642\u0635\u064a\u0631\u0629 \u0627\u0644\u0639\u0645\u0631\u060c \u0648\u064a\u062a\u0645 \u062a\u0633\u062c\u064a\u0644 \u062d\u062f\u062b \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0641\u064a \u0633\u062c\u0644 \u0634\u0641\u0627\u0641\u064a\u0629 Rekor \u0644\u0623\u063a\u0631\u0627\u0636 \u0627\u0644\u062a\u062f\u0642\u064a\u0642.<\/p>\n<h2>\u0627\u0644\u062a\u0645\u0631\u064a\u0646 7: \u0641\u0631\u0636 \u0627\u0644\u0635\u0648\u0631 \u0627\u0644\u0645\u0648\u0642\u0651\u0639\u0629 \u0639\u0646\u062f \u0627\u0644\u0646\u0634\u0631<\/h2>\n<p>\u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0635\u0648\u0631 \u064a\u0643\u0648\u0646 \u0645\u0641\u064a\u062f\u0627\u064b \u0641\u0642\u0637 \u0625\u0630\u0627 <em>\u0641\u0631\u0636\u062a<\/em> \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 
\u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0639\u0646\u062f \u0648\u0642\u062a \u0627\u0644\u0646\u0634\u0631. \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u062a\u0645\u0631\u064a\u0646\u060c \u0633\u062a\u0646\u0634\u0631 Sigstore policy-controller \u0644\u0631\u0641\u0636 \u0623\u064a \u0635\u0648\u0631\u0629 \u062d\u0627\u0648\u064a\u0629 \u062a\u0641\u062a\u0642\u0631 \u0625\u0644\u0649 \u062a\u0648\u0642\u064a\u0639 Tekton Chains \u0635\u0627\u0644\u062d.<\/p>\n<h3>\u062a\u062b\u0628\u064a\u062a Sigstore Policy Controller<\/h3>\n<pre><code>helm repo add sigstore https:\/\/sigstore.github.io\/helm-charts\nhelm repo update\n\nhelm install policy-controller sigstore\/policy-controller \\\n  --namespace cosign-system \\\n  --create-namespace \\\n  --set webhook.configMapName=policy-controller-config<\/code><\/pre>\n<p>\u0627\u0646\u062a\u0638\u0631 \u062d\u062a\u0649 \u064a\u0635\u0628\u062d policy controller \u062c\u0627\u0647\u0632\u0627\u064b:<\/p>\n<pre><code>kubectl get pods -n cosign-system --watch<\/code><\/pre>\n<h3>\u0625\u0646\u0634\u0627\u0621 \u0633\u064a\u0627\u0633\u0629 \u0627\u0644\u0635\u0648\u0631<\/h3>\n<p>\u0623\u0646\u0634\u0626 <code>ClusterImagePolicy<\/code> \u062a\u062a\u0637\u0644\u0628 \u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0635\u0648\u0631 \u0628\u0645\u0641\u062a\u0627\u062d Tekton Chains \u0627\u0644\u062e\u0627\u0635 \u0628\u0643. 
\u0627\u062d\u0641\u0638 \u0647\u0630\u0627 \u0628\u0627\u0633\u0645 <code>image-policy.yaml<\/code>:<\/p>\n<pre><code>apiVersion: policy.sigstore.dev\/v1beta1\nkind: ClusterImagePolicy\nmetadata:\n  name: tekton-chains-signed\nspec:\n  images:\n    - glob: \"ghcr.io\/your-username\/**\"\n  authorities:\n    - key:\n        data: |\n          -----BEGIN PUBLIC KEY-----\n          YOUR_COSIGN_PUBLIC_KEY_HERE\n          -----END PUBLIC KEY-----\n      attestations:\n        - name: must-have-slsa-provenance\n          predicateType: \"https:\/\/slsa.dev\/provenance\/v0.2\"\n          policy:\n            type: cue\n            data: |\n              predicateType: \"https:\/\/slsa.dev\/provenance\/v0.2\"<\/code><\/pre>\n<p>\u0627\u0633\u062a\u0628\u062f\u0644 \u0627\u0644\u0645\u0641\u062a\u0627\u062d \u0627\u0644\u0639\u0627\u0645 \u0628\u0645\u0641\u062a\u0627\u062d Cosign \u0627\u0644\u0639\u0627\u0645 \u0627\u0644\u0630\u064a \u0623\u0646\u0634\u0623\u062a\u0647 \u0633\u0627\u0628\u0642\u0627\u064b:<\/p>\n<pre><code># Extract the public key\nkubectl get secret signing-secrets -n tekton-chains -o jsonpath='{.data.cosign\\.pub}' | base64 -d<\/code><\/pre>\n<p>\u0637\u0628\u0651\u0642 \u0627\u0644\u0633\u064a\u0627\u0633\u0629:<\/p>\n<pre><code>kubectl apply -f image-policy.yaml<\/code><\/pre>\n<h3>\u0641\u0631\u0636 \u0627\u0644\u0633\u064a\u0627\u0633\u0629 \u0639\u0644\u0649 \u0645\u0633\u0627\u062d\u0629 \u0623\u0633\u0645\u0627\u0621<\/h3>\n<p>\u0636\u0639 \u062a\u0633\u0645\u064a\u0629 \u0639\u0644\u0649 \u0645\u0633\u0627\u062d\u0629 \u0623\u0633\u0645\u0627\u0621 \u0644\u062a\u0645\u0643\u064a\u0646 \u0641\u0631\u0636 \u0627\u0644\u0633\u064a\u0627\u0633\u0629:<\/p>\n<pre><code>kubectl create namespace secure-apps\nkubectl label namespace secure-apps policy.sigstore.dev\/include=true<\/code><\/pre>\n<h3>\u0627\u062e\u062a\u0628\u0627\u0631: \u0646\u0634\u0631 \u0635\u0648\u0631\u0629 \u0645\u0648\u0642\u0651\u0639\u0629<\/h3>\n<p>\u0627\u0646\u0634\u0631 
\u0627\u0644\u0635\u0648\u0631\u0629 \u0627\u0644\u062a\u064a \u062a\u0645 \u062a\u0648\u0642\u064a\u0639\u0647\u0627 \u0628\u0648\u0627\u0633\u0637\u0629 Tekton Chains:<\/p>\n<pre><code>kubectl run signed-app \\\n  --image=ghcr.io\/your-username\/tekton-lab:v1 \\\n  --namespace=secure-apps\n# pod\/signed-app created<\/code><\/pre>\n<p>\u064a\u0646\u062c\u062d \u0627\u0644\u0646\u0634\u0631 \u0644\u0623\u0646 \u0627\u0644\u0635\u0648\u0631\u0629 \u062a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u062a\u0648\u0642\u064a\u0639 \u0635\u0627\u0644\u062d \u0648\u0634\u0647\u0627\u062f\u0629 \u0645\u0635\u062f\u0631.<\/p>\n<h3>\u0627\u062e\u062a\u0628\u0627\u0631: \u0646\u0634\u0631 \u0635\u0648\u0631\u0629 \u063a\u064a\u0631 \u0645\u0648\u0642\u0651\u0639\u0629<\/h3>\n<p>\u0627\u0644\u0622\u0646 \u062d\u0627\u0648\u0644 \u0646\u0634\u0631 \u0635\u0648\u0631\u0629 \u0644\u0645 \u064a\u062a\u0645 \u062a\u0648\u0642\u064a\u0639\u0647\u0627:<\/p>\n<pre><code>kubectl run unsigned-app \\\n  --image=ghcr.io\/your-username\/unsigned-image:latest \\\n  --namespace=secure-apps\n# Error from server (BadRequest): admission webhook \"policy.sigstore.dev\" denied the request:\n# validation failed: failed policy: tekton-chains-signed:\n# spec.containers[0].image ghcr.io\/your-username\/unsigned-image:latest\n# signature key validation failed for authority<\/code><\/pre>\n<p>\u064a\u0631\u0641\u0636 webhook \u0627\u0644\u0642\u0628\u0648\u0644 \u0627\u0644\u0635\u0648\u0631\u0629 \u063a\u064a\u0631 \u0627\u0644\u0645\u0648\u0642\u0651\u0639\u0629 \u0628\u0634\u0643\u0644 \u0635\u062d\u064a\u062d. 
\u0647\u0630\u0627 \u064a\u064f\u063a\u0644\u0642 \u0627\u0644\u062d\u0644\u0642\u0629: \u064a\u062a\u0645 \u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0635\u0648\u0631 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u0628\u0646\u0627\u0621\u060c \u0648\u0644\u0627 \u064a\u0645\u0643\u0646 \u0646\u0634\u0631 \u0633\u0648\u0649 \u0627\u0644\u0635\u0648\u0631 \u0627\u0644\u0645\u0648\u0642\u0651\u0639\u0629.<\/p>\n<h2>\u0627\u0644\u062a\u0646\u0638\u064a\u0641<\/h2>\n<p>\u0639\u0646\u062f \u0627\u0644\u0627\u0646\u062a\u0647\u0627\u0621 \u0645\u0646 \u0627\u0644\u0645\u062e\u062a\u0628\u0631\u060c \u0646\u0638\u0651\u0641 \u0627\u0644\u0645\u0648\u0627\u0631\u062f:<\/p>\n<pre><code># Delete Tekton Chains\nkubectl delete -f https:\/\/storage.googleapis.com\/tekton-releases\/chains\/latest\/release.yaml\n\n# Delete Tekton Pipelines\nkubectl delete -f https:\/\/storage.googleapis.com\/tekton-releases\/pipeline\/latest\/release.yaml\n\n# Delete the policy controller\nhelm uninstall policy-controller -n cosign-system\nkubectl delete namespace cosign-system\n\n# Delete the kind cluster\nkind delete cluster --name tekton-lab<\/code><\/pre>\n<h2>\u0627\u0644\u0646\u0642\u0627\u0637 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629<\/h2>\n<ul>\n<li><strong>\u064a\u0648\u0641\u0631 Tekton Chains \u0623\u0645\u0627\u0646 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u0628\u062f\u0648\u0646 \u062a\u0643\u0648\u064a\u0646 \u0625\u0636\u0627\u0641\u064a.<\/strong> \u0628\u0645\u062c\u0631\u062f \u062a\u062b\u0628\u064a\u062a\u0647 \u0648\u062a\u0643\u0648\u064a\u0646\u0647\u060c \u064a\u0648\u0642\u0651\u0639 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b \u0643\u0644 \u0646\u062a\u064a\u062c\u0629 TaskRun \u0648\u064a\u064f\u0646\u0634\u0626 \u0634\u0647\u0627\u062f\u0629 \u0645\u0635\u062f\u0631 SLSA \u2014 \u062f\u0648\u0646 \u0627\u0644\u062d\u0627\u062c\u0629 \u0625\u0644\u0649 
\u062a\u0639\u062f\u064a\u0644\u0627\u062a \u0641\u064a \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628.<\/li>\n<li><strong>\u062a\u0631\u0628\u0637 \u0634\u0647\u0627\u062f\u0629 \u0645\u0635\u062f\u0631 SLSA \u0627\u0644\u0639\u0646\u0627\u0635\u0631 \u0628\u0639\u0645\u0644\u064a\u0629 \u0628\u0646\u0627\u0626\u0647\u0627.<\/strong> \u062a\u064f\u0633\u062c\u0644 \u0634\u0647\u0627\u062f\u0629 in-toto \u0628\u0627\u0644\u0636\u0628\u0637 \u0623\u064a \u0645\u0635\u062f\u0631 \u0648\u062e\u0637\u0648\u0627\u062a \u0648\u0623\u062f\u0648\u0627\u062a \u0623\u0646\u062a\u062c\u062a \u0627\u0644\u0639\u0646\u0635\u0631\u060c \u0645\u0645\u0627 \u064a\u064f\u0646\u0634\u0626 \u0633\u0644\u0633\u0644\u0629 \u062d\u0641\u0638 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u062f\u0642\u064a\u0642.<\/li>\n<li><strong>\u0627\u0644\u062a\u062d\u0642\u0642 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Cosign \u0628\u0633\u064a\u0637 \u0648\u0645\u0628\u0627\u0634\u0631.<\/strong> \u0623\u0645\u0631 \u0648\u0627\u062d\u062f \u064a\u062a\u062d\u0642\u0642 \u0645\u0646 \u0623\u0646 \u0627\u0644\u0635\u0648\u0631\u0629 \u062a\u0645 \u062a\u0648\u0642\u064a\u0639\u0647\u0627 \u0628\u0648\u0627\u0633\u0637\u0629 \u0646\u0633\u062e\u0629 Tekton Chains \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643 \u0648\u0644\u0645 \u064a\u062a\u0645 \u0627\u0644\u062a\u0644\u0627\u0639\u0628 \u0628\u0647\u0627 \u0645\u0646\u0630 \u0630\u0644\u0643 \u0627\u0644\u062d\u064a\u0646.<\/li>\n<li><strong>\u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0628\u062f\u0648\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u064a\u064f\u0644\u063a\u064a \u0625\u062f\u0627\u0631\u0629 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d.<\/strong> \u0645\u0646 \u062e\u0644\u0627\u0644 \u0627\u0644\u062a\u0643\u0627\u0645\u0644 \u0645\u0639 Fulcio \u0648 Rekor\u060c \u064a\u0645\u0643\u0646\u0643 \u062a\u0648\u0642\u064a\u0639 \u0627\u0644\u0639\u0646\u0627\u0635\u0631 
\u0628\u0634\u0647\u0627\u062f\u0627\u062a \u0642\u0635\u064a\u0631\u0629 \u0627\u0644\u0639\u0645\u0631 \u0645\u0631\u062a\u0628\u0637\u0629 \u0628\u0647\u0648\u064a\u0629 \u0639\u0628\u0621 \u0627\u0644\u0639\u0645\u0644\u060c \u0645\u0645\u0627 \u064a\u064f\u0632\u064a\u0644 \u0639\u0628\u0621 \u062a\u062f\u0648\u064a\u0631 \u0648\u062a\u0623\u0645\u064a\u0646 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0639\u0645\u0631.<\/li>\n<li><strong>\u0641\u062d\u0635 \u0627\u0644\u062b\u063a\u0631\u0627\u062a \u0627\u0644\u0623\u0645\u0646\u064a\u0629 \u0643\u0628\u0648\u0627\u0628\u0629 \u0641\u064a \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u064a\u0645\u0646\u0639 \u0639\u0645\u0644\u064a\u0627\u062a \u0627\u0644\u0646\u0634\u0631 \u063a\u064a\u0631 \u0627\u0644\u0622\u0645\u0646\u0629.<\/strong> \u0625\u0636\u0627\u0641\u0629 Grype \u0623\u0648 \u0645\u0627\u0633\u062d \u0645\u0634\u0627\u0628\u0647 \u0643\u062e\u0637\u0648\u0629 \u0641\u064a \u062e\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u064a\u0636\u0645\u0646 \u0623\u0646 \u0627\u0644\u0635\u0648\u0631 \u0627\u0644\u062e\u0627\u0644\u064a\u0629 \u0645\u0646 \u0627\u0644\u062b\u063a\u0631\u0627\u062a \u0627\u0644\u062d\u0631\u062c\u0629 \u0641\u0642\u0637 \u062a\u0646\u062a\u0642\u0644 \u0625\u0644\u0649 \u0627\u0644\u062a\u0648\u0642\u064a\u0639 \u0648\u0627\u0644\u0646\u0634\u0631.<\/li>\n<li><strong>\u0627\u0644\u062a\u062d\u0643\u0645 \u0641\u064a \u0627\u0644\u0642\u0628\u0648\u0644 \u064a\u0641\u0631\u0636 \u0627\u0644\u0633\u064a\u0627\u0633\u0629.<\/strong> \u0627\u0633\u062a\u062e\u062f\u0627\u0645 Sigstore policy-controller \u0643\u0640 Kubernetes admission webhook \u064a\u0636\u0645\u0646 \u0623\u0646 \u0627\u0644\u0635\u0648\u0631 \u0627\u0644\u0645\u0648\u0642\u0651\u0639\u0629 \u0648\u0627\u0644\u0645\u064f\u0635\u062f\u0651\u0642\u0629 \u0628\u0634\u0643\u0644 \u0635\u062d\u064a\u062d \u0641\u0642\u0637 
\u064a\u0645\u0643\u0646 \u062a\u0634\u063a\u064a\u0644\u0647\u0627 \u0641\u064a \u0645\u062c\u0645\u0648\u0639\u062a\u0643\u060c \u0645\u0645\u0627 \u064a\u064f\u063a\u0644\u0642 \u062d\u0644\u0642\u0629 \u0627\u0644\u0623\u0645\u0627\u0646 \u0645\u0646 \u0627\u0644\u0628\u0646\u0627\u0621 \u0625\u0644\u0649 \u0627\u0644\u0646\u0634\u0631.<\/li>\n<\/ul>\n<h2>\u0627\u0644\u062e\u0637\u0648\u0627\u062a \u0627\u0644\u062a\u0627\u0644\u064a\u0629<\/h2>\n<p>\u0648\u0627\u0635\u0644 \u062a\u0639\u0632\u064a\u0632 \u0645\u0639\u0631\u0641\u062a\u0643 \u0628\u0623\u0645\u0627\u0646 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f \u0645\u0639 \u0647\u0630\u0647 \u0627\u0644\u0623\u062f\u0644\u0629 \u0630\u0627\u062a \u0627\u0644\u0635\u0644\u0629:<\/p>\n<ul>\n<li><a href=\"https:\/\/secure-pipelines.com\/ar\/ci-cd-security\/artifact-provenance-attestations-slsa-in-toto\/\">\u0634\u0647\u0627\u062f\u0627\u062a \u0645\u0635\u062f\u0631 \u0627\u0644\u0639\u0646\u0627\u0635\u0631: \u0645\u0646 SLSA \u0625\u0644\u0649 in-toto<\/a> \u2014 \u062a\u0639\u0645\u0642 \u0641\u064a \u0625\u0637\u0627\u0631 \u0639\u0645\u0644 SLSA \u0648\u0645\u0633\u062a\u0648\u064a\u0627\u062a \u0627\u0644\u0645\u0635\u062f\u0631 \u0648\u0645\u0648\u0627\u0635\u0641\u0627\u062a \u0634\u0647\u0627\u062f\u0627\u062a in-toto.<\/li>\n<li><a href=\"https:\/\/secure-pipelines.com\/ar\/ci-cd-security\/signing-verifying-container-images-sigstore-cosign\/\">\u062a\u0648\u0642\u064a\u0639 \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0648\u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646\u0647\u0627 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Sigstore \u0648 Cosign<\/a> \u2014 \u062f\u0644\u064a\u0644 \u0634\u0627\u0645\u0644 \u062d\u0648\u0644 Cosign \u0648 Fulcio \u0648 Rekor \u0644\u062a\u0648\u0642\u064a\u0639 \u0635\u0648\u0631 \u0627\u0644\u062d\u0627\u0648\u064a\u0627\u062a \u0648\u0627\u0644\u062a\u062d\u0642\u0642 
\u0645\u0646\u0647\u0627.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\u0646\u0638\u0631\u0629 \u0639\u0627\u0645\u0629 Tekton \u0647\u0648 \u0625\u0637\u0627\u0631 \u0639\u0645\u0644 \u0645\u0641\u062a\u0648\u062d \u0627\u0644\u0645\u0635\u062f\u0631 \u0642\u0648\u064a \u064a\u0639\u0645\u0644 \u0628\u0634\u0643\u0644 \u0623\u0635\u0644\u064a \u0639\u0644\u0649 Kubernetes \u0644\u0625\u0646\u0634\u0627\u0621 \u0623\u0646\u0638\u0645\u0629 \u0627\u0644\u062a\u0643\u0627\u0645\u0644 \u0627\u0644\u0645\u0633\u062a\u0645\u0631 \u0648\u0627\u0644\u062a\u0633\u0644\u064a\u0645 \u0627\u0644\u0645\u0633\u062a\u0645\u0631 (CI\/CD). \u064a\u0639\u0645\u0644 \u0643\u0645\u062c\u0645\u0648\u0639\u0629 \u0645\u0646 \u062a\u0639\u0631\u064a\u0641\u0627\u062a \u0627\u0644\u0645\u0648\u0627\u0631\u062f \u0627\u0644\u0645\u062e\u0635\u0635\u0629 (CRDs) \u0639\u0644\u0649 \u0623\u064a \u0645\u062c\u0645\u0648\u0639\u0629 Kubernetes\u060c \u0645\u0645\u0627 \u064a\u062a\u064a\u062d \u0644\u0643 \u062a\u0639\u0631\u064a\u0641 \u062e\u0637\u0648\u0637 \u0627\u0644\u0623\u0646\u0627\u0628\u064a\u0628 \u0643\u0645\u0644\u0641\u0627\u062a YAML \u062a\u0635\u0631\u064a\u062d\u064a\u0629 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u0646\u0642\u0644 \u0628\u064a\u0646 \u0627\u0644\u0628\u064a\u0626\u0627\u062a \u0627\u0644\u0645\u062e\u062a\u0644\u0641\u0629. 
Tekton Chains \u0647\u0648 \u0645\u0634\u0631\u0648\u0639 \u0645\u0631\u0627\u0641\u0642 \u064a\u0636\u064a\u0641 \u0623\u0645\u0627\u0646 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u062a\u0648\u0631\u064a\u062f &#8230; <a title=\"\u0645\u062e\u062a\u0628\u0631: \u062a\u0646\u0641\u064a\u0630 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 \u0628\u0646\u0627\u0621 \u0622\u0645\u0646 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Tekton \u0648 Tekton Chains\" class=\"read-more\" href=\"https:\/\/secure-pipelines.com\/ar\/ci-cd-security\/lab-secure-build-pipeline-tekton-tekton-chains\/\" aria-label=\"Read more about \u0645\u062e\u062a\u0628\u0631: \u062a\u0646\u0641\u064a\u0630 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 \u0628\u0646\u0627\u0621 \u0622\u0645\u0646 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Tekton \u0648 Tekton Chains\">\u0627\u0642\u0631\u0623 \u0627\u0644\u0645\u0632\u064a\u062f<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,67,27],"tags":[],"post_folder":[],"class_list":["post-824","post","type-post","status-publish","format-standard","hentry","category-ci-cd-security","category-labs","category-software-supply-chain"],"_links":{"self":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/824","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/comments?post=824"}],"version-history":[{"count":1,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/824\/revisions"}],"predecessor-version":[{"id":827,"href":"https:\/
\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/posts\/824\/revisions\/827"}],"wp:attachment":[{"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/media?parent=824"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/categories?post=824"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/tags?post=824"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/secure-pipelines.com\/ar\/wp-json\/wp\/v2\/post_folder?post=824"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}