docs: updated Readme

Signed-off-by: manhtukhang <[email protected]>
manhtukhang · Dec 13, 2024 · 98860ea · 98860ea
1 parent 93ef076
commit 98860ea
Showing 1 changed file with 69 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -15,12 +15,16 @@ This is a [(HashiCorp) Vault secrets plugin](https://developer.hashicorp.com/vau
 
 Using this plugin, you can limit the accidental exposure window of Nexus Repository user's credentials; useful for continuous integration servers.
 
-> [!IMPORTANT]
-> This plugin is in development process, use at your own risk.
 
 ---
 ## INSTALLATION
 
+> [!IMPORTANT]
+> This plugin is designed to be `run on Vault servers` and `could connect to Nexus Repository server(s) with high privileges`.
+> Therefore, DO NOT use this (or any 3rd party plugins) on critical production environment without understanding about the security risks!
+> Please read [SECURITY section](#security) carefully before any uses.
+
+
 ### Using pre-built releases
 
 You can find pre-built releases of the plugin [here](https://github.com/manhtukhang/vault-plugin-secrets-nexus-repository/releases) and download the latest binary file corresponding to your target OS.
@@ -49,7 +53,7 @@ $ vault plugin register \
 ```
 
 > [!CAUTION]
-> This inline checksum calculation above is provided for illustration purpose and does not validate your binary. It should **not** be used for production environment. Instead you should use the checksum provided as [part of the releases](https://github.com/manhtukhang/vault-plugin-secrets-nexus-repository/releases).
+> This inline checksum calculation above is provided for illustration purpose and does not validate your binary. It should **not** be used for production environment. Instead you should use the checksum provided in the release archive file as [part of the releases](https://github.com/manhtukhang/vault-plugin-secrets-nexus-repository/releases). See [Verify downloaded artifact from GitHub releases](#verify-downloaded-artifact-from-github-releases) section.
 
 You can now enable the Nexus Repository secrets plugin:
 ```sh
@@ -70,7 +74,7 @@ When upgrading, please refer to the [Vault documentation](https://developer.hash
 
 ### Nexus Repository
 
-Create an "admin" user with a role with minimum privileges (refer to [Nexus Repository roles docs](https://help.sonatype.com/en/roles.html)): 
+Create an "admin" user with a role with minimum privileges (refer to [Nexus Repository roles docs](https://help.sonatype.com/en/roles.html)):
 ```
 nx-users-create
 nx-user-delete
@@ -190,7 +194,7 @@ No renewals or new tokens will be issued if the backend configuration (config/ad
 
 * `url` (string) - Address of the Nexus Repository server instance, e.g. https://nexus.myorg.domain
 * `username` (string) - The "admin" username to access Nexus Repository API.
-* `password` (string) - The "admin" password. 
+* `password` (string) - The "admin" password.
 * `insecure` (boolean) - Optional. Bypass certification verification for TLS connection with Nexus Repository API. Default to `false`.
 * `timeout` (time duration) - Optional. Timeout for connection with Nexus Repository API. Default to `30s` (30 seconds).
 
@@ -279,7 +283,7 @@ Get credential (dynamically generate Nexus Repository users) from a specified (V
 #### Examples
 
 ```sh
-vault read nexus/creds/test
+$ vault read nexus/creds/test
 ```
 ```console
 Key                Value
@@ -293,6 +297,65 @@ password           um4q4sqx5lJPpsSo8tklSKj6Ic... (password truncated)
 user_id            v-test-token-1733126698
 ```
 
+---
+## SECURITY
+
+Because of running on and managaging critical systems (Vault, Nexus), we all understand that this plugin can be a vulnerable part due to supply chain integrity weaknesses.
+Therefore, to prove that the released binary has not been tampered with and can be securely traced back to source, the plugin is built and attested to the provenance of its release artifacts in the SLSA standard and provisionally meet Level 3 using [`SLSA` framework](https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html)'s generator and Level 2 using [`GitHub's artifact attestation`](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds#about-artifact-attestations).
+
+
+### Verify downloaded artifact from GitHub releases
+
+Use either or both methods below
+
+#### Using SLSA verifier
+
+> [!NOTE]
+> `slsa-verifier` is a tool for verifying SLSA provenance that was generated by CI/CD builders. slsa-verifier verifies the provenance by verifying the cryptographic signatures on provenance to make sure it was created by the expected builder. It then verifies that various values such as the builder id, source code repository, ref (branch or tag) matches the expected values.
+
+Follow this [installation instruction](https://github.com/slsa-framework/slsa-verifier#download-the-binary) to install.
+
+Verify (e.g for the `vault-plugin-secrets-nexus-repository_v1.0.0-tb1_linux-amd64.tar.gz`, version `v1.0.0-tb1`, file `vault-plugin-secrets-nexus-repository_v1.0.0-tb1.intoto.jsonl` also has to be downloaded from the release):
+```sh
+$ slsa-verifier verify-artifact \
+  --source-uri manhtukhang/vault-plugin-secrets-nexus-repository \
+  --source-tag v1.0.0-tb1 \
+  --provenance-path ./vault-plugin-secrets-nexus-repository_v1.0.0-tb1.intoto.jsonl \
+  ./vault-plugin-secrets-nexus-repository_v1.0.0-tb1_linux-amd64.tar.gz
+```
+```console
+Verifying vault-plugin-secrets-nexus-repository_v0.0.1-tb1_linux-amd64.tar.gz with slsa-verifier
+Verified signature against tlog entry index 155157774 at URL: https://rekor.sigstore.dev/api/v1/log/entries/108e9186e8c5677aeda7d7a4c8fb7cdb79ecaab29fe4441d8d5bd887e2e8df15d685c84350e21035
+Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0" at commit 067f1fc9064d7d78d673925f78d0f81bb84c6637
+Verifying artifact vault-plugin-secrets-nexus-repository_v0.0.1-tb1_linux-amd64.tar.gz: PASSED
+
+PASSED: SLSA verification passed
+```
+
+#### Using GitHub CLI
+
+Follow this [installation instruction](https://github.com/cli/cli#installation) to install GitHub CLI (`gh` command).
+
+Verify (e.g for the `vault-plugin-secrets-nexus-repository_v0.0.1-tb1_linux-amd64.tar.gz`):
+```sh
+$ gh attestation verify \
+  --repo manhtukhang/vault-plugin-secrets-nexus-repository \
+  ./vault-plugin-secrets-nexus-repository_v0.0.1-tb1_linux-amd64.tar.gz
+```
+```console
+Loaded digest sha256:815378c1be24539758452a232bb10510fb89dc562cbd1c8cd5e5746847670b58 for file://vault-plugin-secrets-nexus-repository_v0.0.1-tb1_linux-amd64.tar.gz
+Loaded 1 attestation from GitHub API
+✓ Verification succeeded!
+
+sha256:815378c1be24539758452a232bb10510fb89dc562cbd1c8cd5e5746847670b58 was attested by:
+REPO                                               PREDICATE_TYPE                  WORKFLOW
+manhtukhang/vault-plugin-secrets-nexus-repository  https://slsa.dev/provenance/v1  .github/workflows/release.yaml@refs/tags/v0.0.1-tb1
+```
+
+> [!NOTE]
+> Artifact attestations can be verified from a machine without the internet connection, please follow [this step-by-step guide](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/verifying-attestations-offline).
+
+
 ---
 ## ROADMAP