Get SLSA Level 3-Compliant Open Source Software from Tanzu Application Catalog

January 16, 2024 Bala Bharathy U

Tanzu Application Catalog, the enterprise edition of Bitnami Application Catalog, is fully compliant with Supply Chain Levels for Software Artifacts (SLSA) Level 3 security

Tanzu Application Catalog enables enterprises to build their own private catalog of custom-packaged, production-ready open source software (OSS) applications and components. Built by leveraging Bitnami’s expertise in packaging hundreds of open source applications and delivering them to millions of developers, Tanzu Application Catalog addresses the security and compliance needs of enterprises with customized, ready-to-deploy open source applications that include extensive metadata for efficient risk assessment. Tanzu Application Catalog being compliant with SLSA Level 3 means that all the open source software packages delivered by Tanzu Application Catalog meet the SLSA Level 3 standards. 

A critical benefit for enterprises is that they can use Tanzu Application Catalog to bake in their app-specific customizations with a SLSA 3-compliant supply chain. This means that they can get OSS containers and Helm charts that are customized for their requirements, ready to be deployed out of the box along with valid signatures and SBOMs, and built on a SLSA 3 pipeline. 

What is SLSA? 

SLSA is a security framework that provides a set of incrementally adoptable guidelines for software supply chain security, established by industry consensus. The specification set by SLSA is useful for both software producers and consumers; producers can follow SLSA’s guidelines to make their software supply chain more secure, and consumers can use SLSA to make decisions about whether to trust a software package. 

Apart from providing a common vocabulary to talk about software supply chain security and an actionable checklist to improve your software’s security, SLSA provides a way to measure your efforts toward compliance with forthcoming Executive Order standards in the Secure Software Development Framework (SSDF). 

SLSA is organized into a series of levels that provide increasing supply chain security guarantees, with Level 3 being the highest. 

How Tanzu Application Catalog achieves compliance with SLSA Level 3 

The below table provides a summary of the requirements for various levels of SLSA. 

Here are some key tenets of Tanzu Application Catalog that enable compliance with SLSA Level 3: 

  • A trustworthy build platform – The Tanzu Application Catalog build platform is an evolution of the Bitnami build platform, which has been serving the open source software needs of millions of developers for more than 15 years. As Tanzu Application Catalog is an enterprise-focused offering, its build platform is especially focused on security features like proper access control mechanisms, anti-tampering, auditing, and provenance verification. Additionally, Tanzu Application Catalog’s build platform runs in a dedicated and isolated environment that is locked down against unintended external influence. 

  • Consistent packaging and build processes – Tanzu Application Catalog applications are built and packaged following consistent automated processes, with no manual steps or human intervention required to address vulnerability patches or other updates. Application recipes are managed in a Git repository, requiring signed commits and at least two approvals in any pull request from package maintainers. Using a consistent build process across the whole library of software makes it easier for developers to become familiar with our packages. Once a developer has used one of our packages, the learning curve is flattened for others. Because Tanzu Application Catalog Helm charts and containers are drop-in replacements for the Bitnami apps that developers already know and love, Tanzu Application Catalog makes using enterprise-ready open source software significantly easier and more efficient. 

  • Distribution of authentic, tamper-resistant provenance metadata – All software packages in Tanzu Application Catalog come with comprehensive provenance metadata, which provides detailed information on where, when, and how each component in the package is produced. The provenance metadata is made up of several artifacts, including software bills of materials (SBoMs) in Software Package Data Exchange (SPDX) format, Vulnerability Exploitability eXchange (VEX) documents, as well as a standard, digitally signed, downloadable provenance attestation. Additionally, Tanzu Application Catalog ensures the integrity of the SBOMs and other metadata by digitally signing them using Cosign and Notation

Bitnami has always used good security practices. The team keeps software up to date with the latest upstream Linux distro, packages, and application code on a best-effort basis. But this does not suffice for today’s enterprises. They need thoroughly secure software supply chains and full transparency into what they deploy. That is why we have put in effort to achieve SLSA L3 compliance. Combining Bitnami’s great developer and app-ops experience with capabilities like OS and app-level customization capabilities, SBOMs, and other metadata, Tanzu Application Catalog delivers an unprecedented combination of security and usability. 

Bitnami Application Catalog’s capabilities compared with SLSA requirements 

Millions of developers use the community version of Bitnami-packaged applications today. Bitnami packages are easy to use, well-documented, and packaged with basic security best practices, and they work great. But these community versions do not satisfy enterprises’ secure software supply chain requirements, as they do not come with SBOMs, VEX, or any other provenance metadata, and they offer no choice of base operating system or options for customization.

So, while the community edition is well suited for development and testing environments, you would want to switch over to the enterprise edition—Tanzu Application Catalog—for mission-critical production use cases that need SLSA L3-standard security. 

Fortunately, upgrading from the community version of Bitnami to Tanzu Application Catalog is seamless for developers; they can drop the secure and compliant enterprise versions in place of community versions and keep doing what they do. Meanwhile, platform engineering and security teams find less friction trying to get developers to comply with requirements. 

Learning resources 

If you are looking for detailed information on how Tanzu Application Catalog satisfies each requirement of SLSA Level 3, go through our technical documentation

To learn about all major security measures in Tanzu Application Catalog, download this white paper

For a detailed overview and live demo of Tanzu Application Catalog make sure to join our webinar on January 18

About the Author

Bala Bharathy U

Bala Bharathy U is part of the product marketing team of VMware Tanzu, focusing on VMware Application Catalog and VMware Image Builder. He started his product marketing career in 2020 and has since worked on products across multiple tech domains, including virtualization, security, remote access, and application modernization.

More Content by Bala Bharathy U
Digital Transformation Bottlenecks: Crusties Who Are Reluctant to Change
Digital Transformation Bottlenecks: Crusties Who Are Reluctant to Change

By continually investing in user satisfaction and engagement, technology teams can cultivate a thriving adv...

Azure Spring Apps Enterprise: Unlock Substantial Savings with the New Azure Savings Plan for Compute
Azure Spring Apps Enterprise: Unlock Substantial Savings with the New Azure Savings Plan for Compute

Azure Spring Apps Enterprise is now eligible for the Azure Savings Plan for Compute, giving customers optio...

SpringOne 2024

Learn More