
Google partners with GitHub for supply chain security

By George T. Sprague
April 7, 2022

Google has partnered with GitHub for a solution that should help prevent software supply chain attacks such as those that affected SolarWinds and Codecov.

Google’s open source security team explained that during the SolarWinds attack, hackers took control of a build server and injected malicious artifacts into a build platform. During the Codecov attack, threat actors bypassed trusted builders to upload their own artifacts.

“Each of these attacks could have been prevented if there was a way to detect that the delivered artifacts diverged from the expected origin of the software,” Google explained. “But until now, it was difficult to generate verifiable information that described where, when, and how software artifacts were produced (information known as provenance). This information allows users to verifiably trace artifacts back to source and develop risk-based policies around what they consume.”

Google and GitHub now offer a new method to generate what they describe as “unforgeable provenance”. The method leverages GitHub Actions workflows for isolation and Sigstore signing tools for authenticity.

The goal is to help projects relying on GitHub runners achieve a high SLSA level, which reassures consumers about the reliability and authenticity of their artifacts.

SLSA (Supply-chain Levels for Software Artifacts) is a framework designed to improve project integrity by allowing users to trace software from final release to source code. In this case, the goal is to achieve SLSA level 3 out of a total of four levels.


Google published a blog post on Thursday describing “build provenance,” which focuses on the entity performing the publishing process and whether the build artifact was protected from malicious modification. The internet giant will soon be sharing another blog post focusing on “source provenance”, which explains how the source code has been protected. GitHub published its own blog post on Thursday.

For build provenance, the companies created two prototype tools: one to generate unforgeable build provenance and one to verify an artifact together with its signed provenance. Currently, only applications built with the Go programming language are supported, but the project will be extended to other languages.
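The verification side described above amounts to a policy check: the consumer hashes the artifact it received, confirms that hash appears as a subject of the provenance statement, and confirms the statement names the builder and source repository it expects. The following is an added illustration of that check and is not Google's or GitHub's prototype tooling. It assumes the provenance is an in-toto Statement carrying a SLSA provenance predicate, that the Sigstore signature over the statement has already been verified in a separate step, and that the artifact bytes, builder id, repository URI and digests are constructed placeholders.

```python
"""
Policy check of a SLSA-style build provenance statement against an artifact.

Added illustration; not the prototype generator/verifier the article describes.
Assumptions: in-toto Statement JSON with a SLSA provenance predicate; the
Sigstore signature over the statement was verified beforehand; all artifact
bytes, identifiers and digests below are constructed for the example.
"""
import hashlib
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample artifact standing in for a released binary.
ARTIFACT_BYTES = b"hypothetical go binary contents\n"

# Hypothetical identities the consumer decides to trust (policy inputs).
EXPECTED_BUILDER = (
    "https://github.com/example-org/example-builder/"
    ".github/workflows/builder.yml@refs/tags/v0.0.1"
)
EXPECTED_SOURCE = "git+https://github.com/example-org/hello@refs/tags/v1.2.0"

# Constructed provenance statement. The subject digest is computed from the
# sample bytes so the example is self-consistent; the sha1 is a placeholder.
PROVENANCE: Dict = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [
        {"name": "hello-linux-amd64", "digest": {"sha256": sha256_hex(ARTIFACT_BYTES)}}
    ],
    "predicate": {
        "builder": {"id": EXPECTED_BUILDER},
        "buildType": "https://github.com/example-org/example-builder/go@v1",
        "invocation": {
            "configSource": {"uri": EXPECTED_SOURCE, "digest": {"sha1": "0" * 40}}
        },
        "materials": [{"uri": EXPECTED_SOURCE, "digest": {"sha1": "0" * 40}}],
    },
}


def verify_provenance(
    artifact: bytes, statement: Dict, expected_builder: str, expected_source: str
) -> List[str]:
    """Return policy failures for the artifact; an empty list means it passes."""
    failures: List[str] = []

    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        failures.append("unexpected statement type")
    if not str(statement.get("predicateType", "")).startswith("https://slsa.dev/provenance/"):
        failures.append("unexpected predicate type")

    # SolarWinds-style divergence: the bytes delivered are not the bytes built.
    digest = sha256_hex(artifact)
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        failures.append("artifact digest not among provenance subjects")

    predicate = statement.get("predicate", {})

    # Codecov-style bypass: provenance produced by something other than the
    # trusted builder is rejected regardless of what it claims.
    builder_id = predicate.get("builder", {}).get("id")
    if builder_id != expected_builder:
        failures.append(f"untrusted builder id: {builder_id!r}")

    # The build must have been driven from the expected repository and ref.
    source_uri = predicate.get("invocation", {}).get("configSource", {}).get("uri")
    if source_uri != expected_source:
        failures.append(f"unexpected config source: {source_uri!r}")
    if not any(m.get("uri") == expected_source for m in predicate.get("materials", [])):
        failures.append("expected source not listed in materials")

    return failures


def load_statement(raw: str) -> Dict:
    """Parse a provenance statement from JSON text (as read from a file or API)."""
    return json.loads(raw)


if __name__ == "__main__":
    statement = load_statement(json.dumps(PROVENANCE))
    print("genuine artifact:", verify_provenance(ARTIFACT_BYTES, statement, EXPECTED_BUILDER, EXPECTED_SOURCE))
    print("tampered artifact:", verify_provenance(ARTIFACT_BYTES + b"\x00", statement, EXPECTED_BUILDER, EXPECTED_SOURCE))
```

The check intentionally treats the builder id as a policy input rather than reading it from the statement: a statement can assert anything, so the consumer must decide in advance which builder identity it trusts and compare against that. Signature verification, which binds the statement to that builder identity, is the step this example leaves to Sigstore tooling.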

A step-by-step description of the process has also been provided.

“Using the SLSA framework is a proven way to ensure software supply chain integrity at scale,” Google said. “This prototype shows that achieving high levels of SLSA is easier than ever with the latest features in popular CI/CD systems and open source tools. Increased adoption of tamper-proof build services (SLSA 3+) will contribute to a stronger open source ecosystem and help fill an easily exploitable gap in today’s supply chain.”

The first version of the project is expected in a few weeks. In the meantime, interested parties are encouraged to test and provide feedback.

Related: ‘Sprawl Secrets’ Haunts Software Supply Chain Security

Related: Legit Security Raises $30M to Tackle Supply Chain Security

Related: OpenSSF Alpha-Omega Project Tackles Supply Chain Security


Edouard Kovacs (@EduardKovacs) is a SecurityWeek Contributing Editor. He worked as a high school computer teacher for two years before starting a career in journalism as a security reporter for Softpedia. Eduard holds a bachelor’s degree in industrial computing and a master’s degree in computer techniques applied to electrical engineering.
