What's Bitbucket's SLSA story?

moritz_matchory_com
Contributor
September 21, 2024

Quoting from the SLSA specification:

High profile attacks like those against SolarWinds or Codecov have exposed the kind of supply chain integrity weaknesses that may go unnoticed, yet quickly become very public, disruptive, and costly in today’s environment when exploited. They’ve also shown that there are inherent risks not just in code itself, but at multiple points in the complex process of getting that code into software systems—that is, in the software supply chain. Since these attacks are on the rise and show no sign of decreasing, a universal framework for hardening the software supply chain is needed, as affirmed by the U.S. Executive Order on Improving the Nation’s Cybersecurity.

And further:

SLSA is a set of incrementally adoptable guidelines for supply chain security, established by industry consensus. The specification set by SLSA is useful for both software producers and consumers: producers can follow SLSA’s guidelines to make their software supply chain more secure, and consumers can use SLSA to make decisions about whether to trust a software package.

GitHub has added support for non-forgeable build provenance when using GitHub Actions—two years ago. This achieves SLSA level 3 build provenance, which provides strong guarantees that the build has not been tampered with, contains the code it says it does, and generally makes it impractical to compromise the build process. This is a huge step forward!

Considering this, I wanted to know what Atlassian is doing in terms of making Bitbucket Pipelines conform to SLSA. Is anyone working on this yet, and if so, is a release planned yet? I could not find anything online. To the contrary, as the Docker BuildX plugin is disabled and the Docker client version is locked to a version released in April 2023 that doesn't yet have the ability to generate attestation data, we cannot even attach attestations to Docker images built within Pipelines.
This makes it pretty much impossible to generate any provenance about build artefacts in Pipelines.

Looking forward to your reply.
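Added example (Python; not code from the original post, from Atlassian, or from the SLSA project) showing the consumer-side policy check that build provenance of the kind described above makes possible. It parses a constructed in-toto v1 statement carrying a SLSA provenance v1 predicate and accepts the artifact only if its digest, builder identity and source repository match policy. The builder id and repository URIs are placeholders, and the DSSE signature verification that makes the provenance non-forgeable is assumed to have been done beforehand by a tool such as slsa-verifier.

```python
import hashlib

# Constructed sample: an in-toto Statement v1 with a SLSA provenance v1 predicate,
# shaped like what a hosted builder emits for one artifact. All values are
# illustrative placeholders, not real builder or repository identifiers.
SAMPLE_ARTIFACT = b"example release binary contents\n"
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app-linux-amd64",
                 "digest": {"sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/build-types/generic@v1",
            "resolvedDependencies": [
                {"uri": "git+https://example.invalid/org/app@refs/tags/v1.2.3",
                 "digest": {"gitCommit": "0" * 40}}
            ],
        },
        "runDetails": {"builder": {"id": "https://example.invalid/builders/hosted@v1"}},
    },
}


def verify_provenance(statement, artifact, trusted_builders, expected_source_prefix):
    """Return a list of policy failures; an empty list means the artifact is accepted.

    Assumes the enclosing DSSE envelope signature was already verified, so the
    statement contents can be trusted to come from the builder that signed them.
    """
    failures = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        failures.append("not an in-toto v1 statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("predicateType is not SLSA provenance v1")
    # The subject digest must match the bytes we actually downloaded.
    actual = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == actual for s in statement.get("subject", [])):
        failures.append("no subject sha256 matches the artifact digest")
    predicate = statement.get("predicate", {})
    # Only builds from a builder we trust (e.g. a hosted, isolated one) count.
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id not in trusted_builders:
        failures.append(f"untrusted builder id: {builder_id!r}")
    # The build must have been made from the source repository we expect.
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri", "").startswith(expected_source_prefix) for d in deps):
        failures.append("no resolved dependency points at the expected source repository")
    return failures
```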

1 answer

1 accepted

1 vote
Answer accepted
Theodora Boudale
Atlassian Team
September 30, 2024

Hi Moritz,

Thank you for reaching out. This is not something that we are currently working on; I created a request in our public issue tracker here:

You can add your vote to it (by selecting the Vote for this issue link) to express your interest. You are more than welcome to leave feedback there, and you can also add yourself as a watcher (by selecting the Start watching this issue link) if you'd like to be notified via email on updates.

We have a separate feature request for supporting 'docker buildx' in Pipelines builds:

This is something that we are considering. Our policy for implementation of features is here, and any updates will be posted in the respective feature requests.

Kind regards,
Theodora

Deployment type: Cloud
Product plan: Standard