HCP Packer now tracks CI/CD pipeline metadata
You can now see the CI/CD pipeline metadata associated with each image build in HCP Packer.
We are excited to announce the addition of pipeline metadata tracking, now available in HCP Packer. HCP Packer is a powerful tool that provides image lifecycle management at scale across any cloud and on-premises environments. With this addition, users can now track which CI/CD tools were used in the image-building process through integrations with GitHub and GitLab. This enhancement helps lay the foundation for a secure build pipeline and grants HCP Packer level 1 compliance with SLSA (Supply-Chain Levels for Software Artifacts).
»Artifact provenance challenges
As the security demands on the software supply chain grow, organizations recognize the need for provenance of their base images and build artifacts. Artifact provenance includes verifiable information about the creation and configuration of image builds. Without a clear lineage of where, how, and by whom each artifact was built, it can be difficult to verify an artifact's legitimacy and compliance. Organizations must ensure they employ only trusted artifacts, validated at each stage of their lifecycle, to maintain the integrity and security of their software.
»Improving build visibility
HCP Packer now provides the ability to track pipeline metadata in the artifact registry. This includes critical CI/CD information such as pipeline IDs, job names, details on the operating system, VCS commits, and more. For a full list of the details captured, please refer to the build pipeline metadata reference.
This addition grants HCP Packer level 1 SLSA compliance by providing a basic level of source code identification that can help organizations make risk-based security decisions. With this visibility, organizations can shift their security left and address risks earlier in the infrastructure deployment process.
See the Packer CI/CD pipeline metadata for each build directly in HCP Packer.
Pipeline metadata tracking builds on our initiative to enhance metadata visibility within HCP Packer, with recent additions including Packer version and plugin version tracking. It marks another step towards complete artifact provenance to help organizations gain full visibility into their images and keep their build pipelines secure.
»Learn more
To learn more about pipeline metadata in HCP Packer, please refer to the build pipeline metadata documentation and the Automate Packer with GitHub Actions tutorial.
Get started with HCP Packer for free to track and manage artifacts across all your cloud environments.
Sign up for the latest HashiCorp news
More blog posts like this one
New SLM offerings for Vault, Boundary, and Consul at HashiConf 2024 make security easier
The latest Security Lifecycle Management (SLM) features from HashiCorp Vault, Boundary, and Consul help organizations offer a smoother path to better security practices for developers.
Terraform, Packer, Nomad, and Waypoint updates help scale ILM at HashiConf 2024
New Infrastructure Lifecycle Management (ILM) offerings from HashiCorp Terraform, Packer, Nomad, and Waypoint help organizations manage their infrastructure at scale with reduced complexity.
HCP Packer adds bucket-level RBAC
You can now manage access at the bucket level in HCP Packer.