Software Supply Chain Attribute Integrity (SCAI)
Marcela S. Melara

TL;DR
SCAI is a proposed data format designed to capture detailed attribute and integrity information about software artifacts and their supply chains, enhancing transparency and trust in software development processes.
Contribution
The paper introduces SCAI, a new data format for detailed software supply chain attribute and integrity information, compatible with existing attestation frameworks.
Findings
Enables granular capture of software artifact attributes.
Integrates with existing supply chain attestation tools.
Supports various software artifact types.
Abstract
The Software Supply Chain Attribute Integrity, or SCAI (pronounced "sky"), specification proposes a data format for capturing functional attribute and integrity information about software artifacts and their supply chain. SCAI data can be associated with executable binaries, statically- or dynamically-linked libraries, software packages, container images, software toolchains, and compute environments. As such, SCAI is intended to be implemented as part of an existing software supply chain attestation framework by software development tools or services (e.g., builders, CI/CD pipelines, software analysis tools) seeking to capture more granular information about the attributes and behavior of the software artifacts they produce. That is, SCAI assumes that implementers will have appropriate processes and tooling in place for capturing other types of software supply chain metadata, which…
Taxonomy
Topics: Software Engineering Research · Software System Performance and Reliability · Data Quality and Management
