SolarWinds, Codecov, Log4Shell: attacks on build pipelines and vulnerabilities buried in shared dependencies are the new normal. How do you prove that the software you deploy is the software you built, from the sources you meant to build?
SLSA Framework¶
SLSA (Supply-chain Levels for Software Artifacts) is a framework, started at Google and now maintained under the OpenSSF, that defines levels of build pipeline integrity. The SLSA v1.0 Build track has three levels above Level 0 (no guarantees):
- Level 1: provenance exists. The build produces a statement of which builder made the artifact, from which sources and with which parameters; it may still be unsigned.
- Level 2: hosted build platform. The build runs on a build service (CI/CD), and that service generates and signs the provenance, so a consumer can check it was not altered after the fact.
- Level 3: hardened build platform. Builds are isolated from each other and from the build steps' own code, so the provenance cannot be forged from inside the build.
Sigstore for Signing¶
Cosign (part of Sigstore) signs container images. Every image in our registry is signed, using keyless signing: the CI job presents its OIDC identity token, the Sigstore Fulcio CA issues a short-lived certificate bound to that identity, and the signature is recorded in the Rekor transparency log. A Kubernetes admission controller verifies the signature before deployment. Two details decide whether that check is worth anything: the verifier must pin the expected certificate identity and OIDC issuer (otherwise an image signed by anyone through the public Sigstore instance passes), and signatures must be created and checked against the image digest, because a tag can be repointed after signing.
SBOM in CI/CD¶
Syft generates an SBOM (CycloneDX or SPDX) with every build. The SBOM is attached to the release artifact; for container images that means storing it as a signed attestation next to the image. Grype scans the SBOM against vulnerability databases and fails the build above a chosen severity. Everything is automated, no manual steps. The stored SBOMs are also an inventory: when the next Log4Shell lands, a query over them tells you which deployed artifacts contain the affected component, without rebuilding or rescanning every image.
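As an added example that is not the post's own pipeline, the following script combines the signing step from the previous section and the SBOM step from this one into a single release gate, and adds the Kyverno admission policy that enforces the same identity pin at deploy time. The image name (ghcr.io/example-org/app), the GitHub Actions OIDC issuer, the workflow path, the presence of crane, syft, grype, cosign and kubectl on the PATH, and the use of Kyverno as the admission controller are assumptions, not facts from the page.

```shell
#!/usr/bin/env bash
# Added example, not the post's own pipeline. Assumptions (not from the page):
# image ghcr.io/example-org/app, release job in GitHub Actions (OIDC issuer
# https://token.actions.githubusercontent.com) from .github/workflows/release.yml,
# and crane, syft, grype, cosign and kubectl available on PATH.
set -eu

IMAGE="${IMAGE:-ghcr.io/example-org/app}"
TAG="${TAG:-v1.2.3}"
OIDC_ISSUER="https://token.actions.githubusercontent.com"
# Fulcio writes the workflow ref into the certificate SAN; this is what we pin.
EXPECTED_IDENTITY="https://github.com/example-org/app/.github/workflows/release.yml@refs/tags/${TAG}"

# Signatures and attestations bind to a digest. A tag can be repointed at a
# different image after signing, so refuse anything that is not digest-pinned.
is_digest_ref() {
  case "$1" in
    *@sha256:*) printf '%s\n' "${1##*@sha256:}" | grep -Eq '^[0-9a-f]{64}$' ;;
    *) return 1 ;;
  esac
}

# Resolve the tag once, then use only the digest form from here on.
digest_ref() {
  printf '%s@%s\n' "$IMAGE" "$(crane digest "${IMAGE}:${1}")"
}

release_gate() {
  local ref
  ref="$(digest_ref "$TAG")"
  is_digest_ref "$ref" || { echo "refusing non-digest reference: $ref" >&2; return 1; }

  # 1. SBOM: one CycloneDX document per build, generated from the pushed image.
  syft "$ref" -o cyclonedx-json=sbom.cdx.json

  # 2. Scan the SBOM; any High or Critical finding makes grype exit non-zero.
  grype sbom:sbom.cdx.json --fail-on high

  # 3. Keyless signature: cosign exchanges the job's OIDC token for a Fulcio
  #    certificate and records the signature in Rekor. --yes skips the prompt.
  cosign sign --yes "$ref"

  # 4. Attach the SBOM as an in-toto attestation so consumers can verify it too.
  cosign attest --yes --type cyclonedx --predicate sbom.cdx.json "$ref"

  # 5. Verify the way a consumer must: issuer and identity pinned, digest ref.
  cosign verify --certificate-oidc-issuer "$OIDC_ISSUER" \
    --certificate-identity "$EXPECTED_IDENTITY" "$ref" >/dev/null
  cosign verify-attestation --type cyclonedx \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    --certificate-identity "$EXPECTED_IDENTITY" "$ref" >/dev/null
}

# Cluster side: a Kyverno policy enforcing the same identity pin at admission.
# mutateDigest rewrites the Pod's image to the verified digest, so the tag
# cannot drift between verification and pull.
install_admission_policy() {
  kubectl apply -f - <<'EOF'
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-keyless-signature
spec:
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-cosign-keyless
      match:
        any:
          - resources:
              kinds: [Pod]
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"
          mutateDigest: true
          attestors:
            - entries:
                - keyless:
                    issuer: "https://token.actions.githubusercontent.com"
                    subject: "https://github.com/example-org/app/.github/workflows/release.yml@refs/tags/*"
                    rekor:
                      url: https://rekor.sigstore.dev
EOF
}

case "${1:-}" in
  release) release_gate ;;
  policy)  install_admission_policy ;;
  *)       echo "usage: $0 release|policy" >&2 ;;
esac
```

Run `release-gate.sh release` from the CI job that holds the `id-token: write` permission, and `release-gate.sh policy` once per cluster. The script pins an exact identity for the release it just signed, while the Kyverno subject wildcards the tag so every release produced by that workflow is admitted; loosening either side to a bare `https://github.com/*` would admit images signed by any public repository.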
Trust, but Verify — Automatically¶
Supply chain security has to be an automated gate in CI/CD, not a periodic audit. SLSA provenance records how an artifact was built, Sigstore ties it to a verifiable identity, and the SBOM records what is inside it. Together they are the foundation for trustworthy software.
Need help with implementation?
Our experts can help with design, implementation, and operations. From architecture to production.
Contact us