The ever-evolving realm of cloud-native software development and container-based deployment, although offering exceptional efficiency and scalability, presents an array of complex challenges. These prominent challenges encompass supply-chain attacks, vulnerabilities within open-source tools, difficulties in tracking the development lifecycle and pipelines, and intricacies related to managing data provenance. In response to these pressing concerns, this paper introduces "DevSec-GPT," a pioneering solution that harnesses Generative AI, blockchain, NFTs, SBOMs (Software Bill Of Materials), and PBOMs (Pipeline Bill Of Materials) to effectively manage software container vulnerabilities and streamline the intricate intricacies of pipeline and supplychain verification. In the contemporary software development landscape, cloud-native containers, such as Docker and Kubernetes, are the linchpins of the build and deploy process, complemented by CI/CD (Continuous Integration and Continuous Delivery) services such as GitHub Actions. This process entails the creation of pull requests, container generation, test suite execution, verification, approval, merging to the master branch, and eventual deployment. In our innovative system, blockchain smart contracts play a pivotal role in generating vulnerability scans for each pull request through SBOM analysis. Moreover, a custom-trained Llama2 Large Language Model(LLM) from Meta has been integrated to generate PBOMs tailored to each pull request and master builds, thereby preventing supply-chain attacks and data breaches etc. This Llama2-13B LLM has been quantized and fine-tuned using Qlora to ensure optimal performance on consumer-grade hardware. These PBOMs are generated as JSON schemas by the LLM, encapsulating vital details, including pull request information (branch, approver, reviewer, timestamp, etc.), test results, the identified vulnerabilities in the built container, and the status of the pull request and its timestamp. Subsequently, blockchain smart contracts employ these JSON schemas to generate signed NFT tokens, a remarkable method that enables comprehensive tracking of software container states, vulnerabilities, and pipeline details from development to production. We've innovated a tailor-made NFT token schema designed to encapsulate PBOM data within the blockchain. These NFT tokens furnish a resilient mechanism, facilitating retrieval and verification at any point. The end-toend software/pipeline verification data provenance information is handled via ModelCards. The prototype of our proposed system has been constructed atop the Rahasak blockchain, complemented by the GitHub Actions CI/CD platform and Docker containers. The generation of PBOMs functions are handled by custom-trained Llama2-13B LLM. To the best of our knowledge, this is the very first research effort aimed at standardizing PBOM schemas and integrating Language Model algorithms for the generation of PBOMs.
