ARGO-SLSA: Software Supply Chain Security in Argo Workflows
- URL: http://arxiv.org/abs/2503.20079v2
- Date: Sun, 09 Nov 2025 17:40:03 GMT
- Title: ARGO-SLSA: Software Supply Chain Security in Argo Workflows
- Authors: Mohomed Thariq, Indrajith Ekanayake
- Abstract summary: Argo Workflows is a Kubernetes-native engine for managing software artifacts in an automated fashion. It does not include built-in functionality for frameworks like Supply-chain Levels for Software Artifacts (SLSA). This paper proposes a provenance controller built on top of Argo Workflows to enhance artifact security.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Distributed systems widely adopt microservice architecture to handle growing complexity and scale. This approach breaks applications into independent, loosely coupled services. Kubernetes has become the de facto standard for managing microservices, and automating complex, multi-step workflows is a common requirement in Kubernetes. Argo Workflows is a Kubernetes-native engine for managing these workflows in an automated fashion. These workflows generate artifacts such as executables, logs, container images, and packages, which often require proper management through software supply chain security. However, Argo Workflows does not include built-in functionality for frameworks like Supply-chain Levels for Software Artifacts (SLSA), which is essential for ensuring artifact integrity, traceability, and security. This gap compels practitioners to rely on external tools to meet software supply chain security standards. In response, this paper proposes a Kubernetes-native controller built on top of existing open-source Argo Workflows to enhance artifact security. By generating cryptographic signing and provenance attestations, the controller enables Argo Workflows to comply with SLSA standards. We demonstrate that implementations can provide such cryptographic signing and provenance attestations for artifacts produced by the controller, allowing software artifacts built with Argo Workflows to adhere to SLSA requirements. The proposed validation model evaluates the proof of concept of the controller, including its ability to reconcile workflows, detect pods associated with workflow nodes, operate without disrupting existing operations, enforce integrity, and monitor software artifacts.
Related papers
- Learning to Compose for Cross-domain Agentic Workflow Generation [56.630382886594184] (2026-02-11T18:27:22Z)
We create an open-source LLM for cross-domain workflow generation. We learn a compact set of reusable workflow capabilities across diverse domains. Our 1-pass generator surpasses SOTA refinement baselines that consume 20 iterations.
- Automation and Reuse Practices in GitHub Actions Workflows: A Practitioner's Perspective [41.512965779724354] (2026-01-16T13:54:54Z)
GitHub supports workflow automation through GitHub Actions. We surveyed 419 practitioners to elucidate good and bad workflow development practices. We observe a tendency to focus automation efforts on core CI/CD tasks, with less emphasis on crucial areas like security analysis and performance monitoring.
- ABC-Bench: Benchmarking Agentic Backend Coding in Real-World Development [72.4729759618632] (2026-01-16T08:23:52Z)
We introduce ABC-Bench, a benchmark to evaluate agentic backend coding within a realistic, executable workflow. We curated 224 practical tasks spanning 8 languages and 19 frameworks from open-source repositories. Our evaluation reveals that even state-of-the-art models struggle to deliver reliable performance on these holistic tasks.
- Towards Verifiably Safe Tool Use for LLM Agents [53.55621104327779] (2026-01-12T21:31:38Z)
Large language model (LLM)-based AI agents extend capabilities by enabling access to tools such as data sources, APIs, search engines, code sandboxes, and even other agents. LLMs may invoke unintended tool interactions and introduce risks, such as leaking sensitive data or overwriting critical records. Current approaches to mitigate these risks, such as model-based safeguards, enhance agents' reliability but cannot guarantee system safety.
- The OpenHands Software Agent SDK: A Composable and Extensible Foundation for Production Agents [46.254487394746725] (2025-11-05T18:16:44Z)
We present the OpenHands Software Agent SDK, a toolkit for implementing software development agents. To achieve flexibility, we design a simple interface for implementing agents that requires only a few lines of code in the default case. For security and reliability, it delivers seamless local-to-remote execution portability and integrated REST/WebSocket services.
- Enhancing Software Supply Chain Security Through STRIDE-Based Threat Modelling of CI/CD Pipelines [1.3535770763481907] (2025-06-06T19:06:59Z)
This study applies a structured threat modeling approach to identify and mitigate risks throughout the Continuous Integration/Continuous Deployment lifecycle. Threats are documented and mapped to comprehensive security controls drawn from standards like NIST SP 800-218, Top 10 CI/CD risks, and the SLSA framework. This approach provides a pragmatic roadmap for enhancing CI/CD pipeline security against evolving software supply chain threats.
- Workflow for Safe-AI [0.0] (2025-03-18T07:45:18Z)
Development and deployment of safe and dependable AI models is crucial in applications where functional safety is a key concern. This work proposes a transparent, complete, yet flexible and lightweight workflow that highlights both reliability and qualifiability.
- From Waterfallish Aerospace Certification onto Agile Certifiable Iterations [0.0] (2025-03-06T09:49:57Z)
We present a strategy and tools that support the generation of continuous documentation complying with DO-178C requirements. By iteratively creating the DO-178C documentation associated with each software component, we open the way to truly continuous certifiable iterations.
- WorkflowLLM: Enhancing Workflow Orchestration Capability of Large Language Models [105.46456444315693] (2024-11-08T09:58:02Z)
We present WorkflowLLM, a data-centric framework to enhance the capability of large language models in workflow orchestration. It first constructs a large-scale fine-tuning dataset, WorkflowBench, with 106,763 samples, covering 1,503 APIs from 83 applications across 28 categories. WorkflowLlama demonstrates a strong capacity to orchestrate complex APIs, while also achieving notable generalization performance.
- Benchmarking Agentic Workflow Generation [80.74757493266057] (2024-10-10T12:41:19Z)
We introduce WorfBench, a unified workflow generation benchmark with multi-faceted scenarios and intricate graph workflow structures. We also present WorfEval, a systemic evaluation protocol utilizing subsequence and subgraph matching algorithms. We observe that the generated workflows can enhance downstream tasks, enabling them to achieve superior performance with less time during inference.
- The Hidden Costs of Automation: An Empirical Study on GitHub Actions Workflow Maintenance [45.53834452021771] (2024-09-04T01:33:16Z)
GitHub Actions (GA) is an orchestration platform that streamlines the automatic execution of engineering tasks. Human intervention is necessary to correct defects, update dependencies, or refactor existing workflow files.
- HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496] (2024-01-17T00:56:23Z)
Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs). TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks. We address the above with HasTEE+, a domain-specific language (DSL) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
- A General Framework for Verification and Control of Dynamical Models via Certificate Synthesis [54.959571890098786] (2023-09-12T09:37:26Z)
We provide a framework to encode system specifications and define corresponding certificates. We present an automated approach to formally synthesise controllers and certificates. Our approach contributes to the broad field of safe learning for control, exploiting the flexibility of neural networks.
- SecFlow: Adaptive Security-Aware Workflow Management System in Multi-Cloud Environments [2.12121796606941] (2023-07-11T09:27:07Z)
We propose an architecture for a security-aware workflow management system (WfMS). SecFlow integrates key functional components such as secure model construction, security-aware service selection, security violation detection, and adaptive response mechanisms.
- Analyzing Maintenance Activities of Software Libraries [65.268245109828] (2023-06-09T16:51:25Z)
Industrial applications heavily integrate open-source software libraries nowadays. I want to introduce an automatic monitoring approach for industrial applications to identify open-source dependencies that show negative signs regarding their current or future maintenance activities.
This list is automatically generated from the titles and abstracts of the papers in this site.