Cloud-native and open-source technologies have expanded the scope of computing and driven waves of innovation, one of which is the widely used container orchestration platform, Kubernetes.
But as the cloud-native train chugs along, how are governing bodies, such as the Cloud Native Computing Foundation and Open Source Security Foundation, rising to the accompanying security challenges?
“OpenSSF Scorecard gives you the security scorecard of your GitHub repository,” said Arun Gupta (pictured), vice president and general manager of open ecosystem strategy at Intel Corp. and governing chair of CNCF and OpenSSF. “You can run it as a GitHub action [or] as a [command line interface action], and it’ll give you a score in the range of zero to 10. It goes through multiple elements — do you have branch protection? Are you putting secrets in your repo? Things like that.”
Gupta spoke with theCUBE industry analysts Savannah Peterson and Dustin Kirkland at KubeCon + CloudNativeCon NA, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed the security initiatives aimed at securing open-source and cloud-native projects. (* Disclosure below.)
OpenSSF Scorecard takes a gamified approach to securing GitHub repositories, motivating developers to strive for higher scores. It also feeds actionable insights and areas of improvement to users. Intel itself has already implemented the tool company-wide, according to Gupta.
“The beauty of that is we have done that at Intel as well,” he said. “So for example, we are looking at 6,500 public repos that we have. We are running OpenSSF Scorecard over there. And then in the process of automating that process, [the] execs can start getting reports.”
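As an added illustration of the per-check scores described above (this is example code, not from the article, theCUBE, Intel or the Scorecard project), the following Python reads the JSON that the Scorecard CLI emits and applies a minimum score per check, the kind of gate that turns a 0-to-10 score into the automated reporting Gupta describes. The `POLICY` thresholds, the repository names and both result documents are constructed for the example; the only thing assumed about Scorecard itself is the documented shape of its JSON output (a top-level `score` plus a `checks` list with `name`, `score` and `reason`, with -1 meaning a check could not run).

```python
"""Policy gate over OpenSSF Scorecard JSON output.

Added example; not code from the article or from the Scorecard project.
It assumes the result document produced by
`scorecard --repo=github.com/<org>/<repo> --format=json` keeps the documented
shape (top-level "score" plus a "checks" list whose entries carry "name",
"score" and "reason") and that a score of -1 means the check could not run.
Both sample documents below are constructed, not captured from a real run.
"""
import json
import sys

# Hypothetical per-check minimums on Scorecard's 0..10 scale.
POLICY = {
    "Branch-Protection": 5,
    "Token-Permissions": 10,
    "Pinned-Dependencies": 7,
    "Dangerous-Workflow": 10,
    "Fuzzing": 1,
}
OVERALL_MINIMUM = 5.0

# Constructed sample: a repo with weak branch protection and unpinned dependencies.
SAMPLE_RESULT = json.dumps({
    "date": "2024-01-01",
    "repo": {"name": "github.com/example-org/example-repo", "commit": "0000000"},
    "score": 6.4,
    "checks": [
        {"name": "Branch-Protection", "score": 3,
         "reason": "branch protection is not maximal on development and all release branches"},
        {"name": "Token-Permissions", "score": 10,
         "reason": "GitHub workflow tokens follow principle of least privilege"},
        {"name": "Pinned-Dependencies", "score": 5,
         "reason": "dependency not pinned by hash detected"},
        {"name": "Dangerous-Workflow", "score": 10,
         "reason": "no dangerous workflow patterns detected"},
        {"name": "Fuzzing", "score": -1,
         "reason": "internal error: check could not run"},
    ],
})

# Constructed sample: every policed check at the maximum score.
COMPLIANT_RESULT = json.dumps({
    "date": "2024-01-01",
    "repo": {"name": "github.com/example-org/tidy-repo", "commit": "1111111"},
    "score": 9.0,
    "checks": [{"name": name, "score": 10, "reason": "ok"} for name in POLICY],
})


def evaluate(result_json, policy=POLICY, overall_minimum=OVERALL_MINIMUM):
    """Return (passed, findings) for one Scorecard result document.

    findings is a list of dicts with keys check/status/score/reason; status is
    "below-policy", "missing" (check absent from the output) or "inconclusive"
    (Scorecard reported -1). The first two fail the gate; an inconclusive check
    is surfaced without failing the build, so a runner error does not make the
    gate flap.
    """
    result = json.loads(result_json)
    by_name = {c["name"]: c for c in result.get("checks", [])}
    findings = []
    for name, minimum in policy.items():
        check = by_name.get(name)
        if check is None:
            findings.append({"check": name, "status": "missing", "score": None,
                             "reason": "check not present in Scorecard output"})
            continue
        score = check["score"]
        if score < 0:
            findings.append({"check": name, "status": "inconclusive", "score": score,
                             "reason": check.get("reason", "")})
        elif score < minimum:
            findings.append({"check": name, "status": "below-policy", "score": score,
                             "reason": f"{check.get('reason', '')} (minimum {minimum})"})
    failed = any(f["status"] in ("below-policy", "missing") for f in findings)
    overall_ok = float(result.get("score", 0)) >= overall_minimum
    return (overall_ok and not failed), findings


def format_report(result_json):
    """Render the gate outcome as plain text suitable for a CI log or a summary mail."""
    result = json.loads(result_json)
    passed, findings = evaluate(result_json)
    lines = [f"{result['repo']['name']} overall {result['score']}/10: "
             f"{'PASS' if passed else 'FAIL'}"]
    for f in findings:
        lines.append(f"  [{f['status']}] {f['check']} score={f['score']}: {f['reason']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python scorecard_gate.py results.json  (falls back to the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULT
    print(format_report(data))
    sys.exit(0 if evaluate(data)[0] else 1)
```

The gate deliberately separates "below policy" from "could not be evaluated": a -1 from Scorecard usually means an API or runner problem rather than a weak repository, and failing the build on it would train people to ignore the report. Run across many repositories, the `findings` list is what an aggregate report for management would be built from.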
Another significant project in the OpenSSF arsenal is Sigstore, a managed service for securely creating and attesting software packages. Its framework and tooling allow developers and consumers to securely sign and verify software artifacts, such as release files, container images, binaries and software bills of materials, according to Gupta.
“You create these packages, how do you assign those packages, attestation and all of that?” he said. “That’s [why] we have a managed service called Sigstore.”
Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of KubeCon + CloudNativeCon NA:
(* Disclosure: Intel Corp. sponsored this segment of theCUBE. Neither Intel nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)