Supply Chain Promotion Chain
Problem Statement
It is now critical for a CSP to manage its software supply chain: supply chain compromises are announced almost every week. With the new European Cyber Resilience Act (CRA), CSPs will become fully accountable for attacks on the software they deploy, which is why we are trying to put in place a process to better control what we deploy.
Description
Creation of an OCI promotion chain pipeline, shared with vendors and other CSPs
Orange developed such a pipeline (GitLab CI) considering only OCI artifacts, because OCI is a standard and an SBOM, a VEX document and a signature can be associated with each artifact.
Through this promotion chain, vendor artifacts can be "promoted", that is, moved from "unstable" to "stable". Production deployment can then be based on "stable" artifacts only.
Concretely, if we applied these rules strictly today, we could deploy almost nothing, because the supply chain is also very challenging for the vendors (integration of many open source components: baseline OS images, libraries, tools, etc., and use of old versions).
This project aims to review the promotion pipeline and agree on the tests to be performed (YAML and Helm linting, security scans, image efficiency checks, OCI checks, vendor signature checks).
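As an added illustration (example code written for this page, not Orange's pipeline), the gate below shows how the promotion decision could combine the per-artifact checks listed above with the vendor's VEX: a HIGH/CRITICAL scanner finding blocks promotion unless a VEX statement with status not_affected or fixed covers that CVE for that artifact, and the VEX is only trusted when the vendor signature check passed. The check names, the blocking-severity policy, the artifact purl and the CVE identifiers are constructed placeholders; the VEX structure follows OpenVEX.

```python
"""Promotion gate for an OCI artifact: may it move from "unstable" to "stable"?

Added example, not Orange's pipeline. The gate is modelled as pure logic over
constructed inputs (check results, scanner findings, a vendor OpenVEX document)
so it runs offline; a real pipeline would obtain them from the scanner, the
signature verifier and the OCI referrers of the artifact.
"""
from dataclasses import dataclass

# Policy assumptions for this example: which scanner severities block promotion
# and which OpenVEX statuses are allowed to clear a blocking finding.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
CLEARING_STATUSES = {"not_affected", "fixed"}  # "under_investigation"/"affected" do not clear


@dataclass(frozen=True)
class Finding:
    """One scanner finding against an artifact (product is the artifact's purl)."""
    cve: str
    severity: str
    product: str


def vex_index(vex_doc):
    """Map (vulnerability, product) -> status from an OpenVEX document."""
    index = {}
    for stmt in vex_doc.get("statements", []):
        name = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            index[(name, product["@id"])] = stmt["status"]
    return index


def unresolved_findings(findings, vex_doc):
    """Blocking findings that no clearing VEX statement covers."""
    index = vex_index(vex_doc)
    return [f for f in findings
            if f.severity in BLOCKING_SEVERITIES
            and index.get((f.cve, f.product)) not in CLEARING_STATUSES]


def promotion_decision(checks, findings, vex_doc):
    """checks: gate name -> pass/fail for the non-scanner checks (YAML lint,
    Helm lint, OCI conformance, image efficiency, vendor signature, SBOM present).
    Returns (promote, reasons); promote is True only when reasons is empty."""
    reasons = [f"{name} failed" for name, ok in checks.items() if not ok]
    # A VEX document is only trusted when the vendor signature check passed:
    # an unsigned artifact's referrers could be anyone's, so its VEX is ignored.
    effective_vex = vex_doc if checks.get("vendor_signature") else {"statements": []}
    for f in unresolved_findings(findings, effective_vex):
        reasons.append(f"{f.cve} ({f.severity}) on {f.product} not cleared by VEX")
    return (not reasons, reasons)


# --- constructed sample input (placeholder identifiers, not real CVEs) ---
PRODUCT = "pkg:oci/example-cnf@sha256:0000"  # hypothetical artifact purl
SAMPLE_CHECKS = {"yaml_lint": True, "helm_lint": True, "oci_conformance": True,
                 "image_efficiency": True, "vendor_signature": True, "sbom_present": True}
SAMPLE_FINDINGS = [Finding("CVE-0000-0001", "CRITICAL", PRODUCT),
                   Finding("CVE-0000-0002", "HIGH", PRODUCT),
                   Finding("CVE-0000-0003", "MEDIUM", PRODUCT)]
SAMPLE_VEX = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://vendor.example/vex/example-cnf-1",  # hypothetical
    "author": "psirt@vendor.example",                   # hypothetical
    "timestamp": "2026-01-15T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"}, "products": [{"@id": PRODUCT}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-0002"}, "products": [{"@id": PRODUCT}],
         "status": "under_investigation"},
    ],
}

if __name__ == "__main__":
    promote, reasons = promotion_decision(SAMPLE_CHECKS, SAMPLE_FINDINGS, SAMPLE_VEX)
    print("promote to stable:", promote)
    for r in reasons:
        print(" -", r)
```

With the sample input the artifact is not promoted: the CRITICAL finding is cleared by a not_affected statement, the MEDIUM one is below the blocking threshold, but the HIGH one is still under_investigation, which by design does not clear a finding. Turning the vendor signature check off makes every blocking finding unresolved again, which is the behaviour wanted when the provenance of the VEX cannot be established.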
Project Details
Leader: Orange (F.Rouzaut, R.Carré, M.Richomme), ZTE?
List of people/organizations interested in joining:
Presentation: see WG06 January 2026 minutes for details
Hackathon Objectives
- Review the different tests for:
  - the Helm charts
  - the containers
- Management of signatures and VEX
- Visualisation and sharing with other CSPs and vendors
- Common Telco bug bounties?