Supply Chain Security — SLSA, Sigstore, and Software Provenance

11. 07. 2022 · Updated: 24. 03. 2026 · 1 min read · CORE SYSTEMS
This article was published in 2022. Some information may be outdated.
SolarWinds, Codecov, Log4Shell — supply chain attacks are the new normal. How do you ensure the software you deploy is the software you built?

SLSA Framework

SLSA (Supply-chain Levels for Software Artifacts) is a framework from Google that defines graded levels of build pipeline security:

  • Level 1 — documented build process
  • Level 2 — versioned build service (CI/CD)
  • Level 3 — hardened build platform, provenance

Sigstore for Signing

Cosign (part of Sigstore) signs container images. Every image in our registry is signed, with keyless signing via OIDC. A Kubernetes admission controller verifies the signature before deployment.

SBOM in CI/CD

Syft generates an SBOM with every build. The SBOM is attached to the release artifact. Grype scans the SBOM against CVE databases. Everything is automated; there are no manual steps.
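The signing and SBOM steps described in the two sections above, as an added example script that is not from the original article or any of the named projects. It assumes cosign, syft, grype and docker on PATH, a GitHub Actions OIDC issuer, and placeholder registry and workflow names that you must replace with your own.

```shell
#!/usr/bin/env sh
# Added example: release step that signs by digest (keyless), attaches the Syft
# SBOM as an attestation, gates on Grype, and verifies against a pinned identity.
set -eu

# Constructed placeholders; replace with your registry, repo and CI identity.
IMAGE_REPO="registry.example.com/team/app"
CI_ISSUER="https://token.actions.githubusercontent.com"
CI_IDENTITY_RE="^https://github.com/example-org/app/\.github/workflows/release\.yml@refs/tags/v"

# Signatures must bind to the immutable digest, never to a mutable tag.
# Returns 0 if REF has the form <repo>@sha256:<64 hex chars>.
is_digest_ref() {
  printf '%s' "$1" | grep -Eq '^[^@]+@sha256:[0-9a-f]{64}$'
}

# Resolve a local tag to its digest-pinned reference via the Docker daemon.
resolve_digest() {
  docker inspect --format '{{index .RepoDigests 0}}' "$1"
}

sign_and_attest() {
  ref="$1"
  is_digest_ref "$ref" || { echo "refusing to sign non-digest ref: $ref" >&2; return 1; }
  # Keyless: cosign obtains a short-lived certificate from Fulcio using the CI
  # OIDC token and records the signature in the Rekor transparency log.
  cosign sign --yes "$ref"
  # SBOM produced at build time and attached as an in-toto attestation.
  syft "$ref" -o spdx-json > sbom.spdx.json
  cosign attest --yes --type spdxjson --predicate sbom.spdx.json "$ref"
  # Fail the pipeline on High or Critical findings in the SBOM.
  grype sbom:./sbom.spdx.json --fail-on high
}

# Same check the admission controller performs: a valid signature from the
# expected identity. Without issuer/identity constraints, any Fulcio-issued
# signature would pass.
verify_release() {
  cosign verify \
    --certificate-oidc-issuer "$CI_ISSUER" \
    --certificate-identity-regexp "$CI_IDENTITY_RE" \
    "$1" > /dev/null
}

if [ "${1:-}" = "release" ]; then
  digest_ref="$(resolve_digest "$IMAGE_REPO:${2:-latest}")"
  sign_and_attest "$digest_ref"
  verify_release "$digest_ref"
fi
```

Invoke as `./release.sh release v1.2.3` from the job that built the image; the same `verify_release` constraints belong in the cluster-side policy so a signature from an unexpected workflow is rejected at deploy time.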

Trust, but Verify — Automatically

Supply chain security must be an automated part of CI/CD. SLSA + Sigstore + SBOM = the foundation for trustworthy software.
