AAA: AGL Assessment Automation Project
Overview
AGL Assessment Automation (AAA) is an initiative launched as part of the Automotive Grade Linux (AGL) CIAT-EG activities. The goal of AAA is to build a reference system and a set of best practices for applying the SBOM (Software Bill of Materials)-driven cybersecurity approaches developed in the OpenSSF (Open Source Security Foundation) project to the automotive and embedded industries.
While OpenSSF’s SBOM practices are currently optimized for cloud-based tech industries, direct application to automotive and embedded domains presents unique challenges. AGL leverages the widely adopted Yocto build system and a Jenkins-based CI/CD pipeline, making it possible to develop reusable practices and reference systems tailored to embedded environments.
Key Activities
AAA focuses on the following two pillars:
Establishing SBOM Workflows Utilizing Yocto’s SPDX 3.0 Support
Standardizing workflows for SBOM verification and publication using SPDX 3.0 SBOMs generated by the Yocto build system.
Identifying current challenges in Yocto and contributing improvements upstream.
Automating Workflows through Policy-Based Automation (PBA)
Leveraging generated SBOMs and technologies such as Open Policy Agent (OPA) to automate workflows for license compliance and security assurance.
Employing advanced validation and automation techniques, including SHACL/SPARQL, to enhance quality assurance.
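As an added illustration of the PBA pillar (not code from the AAA project), the following Python snippet evaluates a simple license policy over a constructed SPDX 3.0 JSON-LD fragment. It assumes the element shape Yocto emits: packages and licenses as elements in "@graph", with each package's declared license expressed as a "hasDeclaredLicense" Relationship; the package names, license choice and policy are constructed sample data.

```python
import json

# Constructed SPDX 3.0 JSON-LD fragment (assumed shape of Yocto's SPDX 3.0 output):
# packages and licenses are elements of "@graph"; a package's declared license is
# a Relationship of type "hasDeclaredLicense" whose "to" lists license element ids.
SBOM_JSONLD = json.dumps({
    "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
    "@graph": [
        {"type": "software_Package", "spdxId": "urn:example:pkg:busybox", "name": "busybox"},
        {"type": "software_Package", "spdxId": "urn:example:pkg:openssl", "name": "openssl"},
        {"type": "software_Package", "spdxId": "urn:example:pkg:blob", "name": "vendor-blob"},
        {"type": "expandedlicensing_ListedLicense",
         "spdxId": "https://spdx.org/licenses/GPL-2.0-only", "name": "GPL-2.0-only"},
        {"type": "expandedlicensing_ListedLicense",
         "spdxId": "https://spdx.org/licenses/Apache-2.0", "name": "Apache-2.0"},
        {"type": "Relationship", "relationshipType": "hasDeclaredLicense",
         "from": "urn:example:pkg:busybox", "to": ["https://spdx.org/licenses/GPL-2.0-only"]},
        {"type": "Relationship", "relationshipType": "hasDeclaredLicense",
         "from": "urn:example:pkg:openssl", "to": ["https://spdx.org/licenses/Apache-2.0"]},
    ],
})

# Policy as data, the way an OPA/Rego rule would consume it (constructed example):
# licenses that need manual review for this product line.
REVIEW_LICENSES = {"GPL-2.0-only"}


def evaluate_policy(sbom_text, review=REVIEW_LICENSES):
    """Return sorted (package, finding) pairs for packages that violate the policy:
    every package must declare a license, and flagged licenses are reported."""
    graph = json.loads(sbom_text)["@graph"]
    packages = {e["spdxId"]: e["name"] for e in graph if e.get("type") == "software_Package"}
    licenses = {e["spdxId"]: e["name"] for e in graph if e.get("type", "").endswith("ListedLicense")}
    declared = {pkg_id: set() for pkg_id in packages}
    for e in graph:
        if e.get("type") == "Relationship" and e.get("relationshipType") == "hasDeclaredLicense":
            if e["from"] in declared:
                # Unknown license ids are kept verbatim so they surface in findings.
                declared[e["from"]].update(licenses.get(t, t) for t in e["to"])
    findings = []
    for pkg_id, name in packages.items():
        if not declared[pkg_id]:
            findings.append((name, "no declared license"))
        for lic in sorted(declared[pkg_id] & review):
            findings.append((name, f"license {lic} requires review"))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, finding in evaluate_policy(SBOM_JSONLD):
        print(f"{pkg}: {finding}")
```

A CI job can fail the build when the returned list is non-empty, which is the gate a PBA workflow places between SBOM generation and publication.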
Materials
Project Members
Takashi Ninjoji - Project Lead, Honda Motor
Taiki Kawamura - Honda Motor
Masanori Itoh - Toyota Corporation
Hiroyuki Ishii - Panasonic Automotive Systems
Jan-Simon Möller - Linux Foundation
Regular Meetings
English: Every 2 weeks (even) on Wednesday, 13:00 - 14:00 UTC (ICAL)
Japanese: Every 2 weeks (odd) on Wednesday, 17:00 - 18:00 JST (LFX Meetings)