Argos provides a framework to protect the integrity of a software supply chain. It provides a REST API implemented as a SaaS, together with client libraries, in order to protect the integrity of the artifacts produced by a software supply chain.
It does so by verifying that each step in the chain is carried out as planned, by authorized systems or personnel, and that the product is not tampered with in transit.
It allows a project owner to create a layout. A layout lists the sequence of steps of the software supply chain, and the functionaries authorized to perform these steps.
When a functionary performs a step, it gathers information about the commands used and the related files and sends it to the Argos service in a link metadata file. As a consequence, link files provide the evidence required to establish a continuous chain that can be verified against the steps defined in the layout.
The layout, signed by the project owners together with the links, signed by the designated functionaries for a particular supply chain run, can be verified by the service.
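The layout-versus-links check described above, as an added illustration in Python; this is not argos4j or the Argos service's own code. It assumes a constructed JSON link format (step, command, materials, products) and uses HMAC secrets as a stand-in for the functionaries' signing keys:

```python
import hashlib
import hmac
import json

# Constructed stand-in for functionary signing keys: HMAC secrets by key id.
# Real deployments use asymmetric keys; the checks below keep the same shape.
KEYS = {"build-bot": b"build-secret", "test-bot": b"test-secret"}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign_link(key_id, step, command, materials, products) -> dict:
    """A functionary records the command it ran and the file hashes it saw, then signs."""
    payload = {"step": step, "command": command, "materials": materials, "products": products}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(KEYS[key_id], body, "sha256").hexdigest()
    return {"key_id": key_id, "sig": sig, "payload": payload}

def verify_chain(layout: dict, links: list) -> list:
    """Check signed links against the layout; an empty list of findings means verified."""
    findings = []
    if len(links) != len(layout["steps"]):
        findings.append(f"expected {len(layout['steps'])} links, got {len(links)}")
    previous_products = None
    for step, link in zip(layout["steps"], links):
        name, p = step["name"], link["payload"]
        if p["step"] != name:
            findings.append(f"{name}: link was recorded for step {p['step']!r}")
        if link["key_id"] not in step["authorized_keys"]:
            findings.append(f"{name}: signer {link['key_id']!r} not authorized")
        body = json.dumps(p, sort_keys=True).encode()
        expected = hmac.new(KEYS.get(link["key_id"], b""), body, "sha256").hexdigest()
        if not hmac.compare_digest(expected, link["sig"]):
            findings.append(f"{name}: bad signature")
        # Continuity: what this step consumed must be exactly what the previous step produced.
        if previous_products is not None and p["materials"] != previous_products:
            findings.append(f"{name}: materials differ from previous step's products")
        previous_products = p["products"]
    return findings

# Constructed two-step layout: only build-bot may build, only test-bot may test.
LAYOUT = {"steps": [{"name": "build", "authorized_keys": ["build-bot"]},
                    {"name": "test", "authorized_keys": ["test-bot"]}]}
JAR = digest(b"constructed build output")

def good_links() -> list:
    return [sign_link("build-bot", "build", ["mvn", "package"], {}, {"app.jar": JAR}),
            sign_link("test-bot", "test", ["mvn", "verify"], {"app.jar": JAR}, {"report.xml": digest(b"ok")})]
```

Swapping the jar between build and test, signing a step with an unauthorized key, or editing a link after signing each produces a finding, so the service can refuse the run.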
In order to allow other parties to easily plug their own storage and API implementations into the service, the architecture is organized around the so-called hexagonal architecture pattern.
The hexagonal architecture is based on three principles and techniques:
- Explicitly separate Application, Domain, and Infrastructure
- Dependencies point from Application and Infrastructure to the Domain
- We isolate the boundaries by using Ports and Adapters
See also these articles for more information about this architectural pattern:
- argos4j: Java client library for creating, signing and sending link files to the Argos service.
- argos-docker: Docker Compose file and Dockerfiles used for running the Argos service locally and in the Drone build pipeline.
- argos-domain: Core domain entities shared between the argos4j and argos-service modules.
- argos-jenkins-base: Jenkins Docker base image used in argos-docker.
- argos-jenkins-plugin: Jenkins plugin that uses the argos4j library to post signed link files for each build step to the Argos service.
- argos-service: Spring Boot Java service that exposes the REST API.
- argos-service-adapter-in-rest: Incoming adapter implementing the OpenAPI REST specification defined in the argos-service-api module (see the architecture paragraph).
- argos-service-adapter-out-mongodb: Outgoing adapter using MongoDB to implement the repository interfaces defined in the argos-service-domain module (see the architecture paragraph).
- argos-service-api: OpenAPI specification for the Argos service endpoints.
- argos-service-domain: Domain entities and interfaces specific to the Argos service.
- argos-test: Integration test module to run integration tests locally or as a step in a Drone pipeline.
See ADRs