Supply chain attacks are growing exponentially. A compromised dependency, build pipeline, or registry means a backdoor in your software.
Protection Layers
- Signed commits (GPG, SSH signing)
- Lockfile + integrity checks
- Dependency pinning (exact versions)
- Private registry / proxy
- Signed artifacts (Cosign, Sigstore)
- SLSA framework compliance
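The lockfile, pinning and private-registry layers can be checked mechanically in CI. The following is an added example, not code from the original page: it audits an npm-style `package.json` / `package-lock.json` pair for version ranges, missing or weak integrity hashes, tarballs that do not match the locked hash, and packages resolved outside the private registry. The registry URL, package data and tarball bytes are constructed for illustration, and each `integrity` field is assumed to hold a single hash.

```python
import base64
import hashlib
import re

EXACT = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")  # 1.2.3 or 1.2.3-rc.1
ALLOWED_REGISTRY = "https://npm.internal.example/"  # assumed private proxy URL

def sri(data: bytes, algo: str = "sha512") -> str:
    """Digest in the '<algo>-<base64>' form stored in package-lock.json."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def audit(manifest: dict, lock: dict, tarballs: dict) -> list:
    """Return findings; an empty list means the tree is pinned and verified."""
    findings = []
    for name, spec in manifest.get("dependencies", {}).items():
        if not EXACT.match(spec):
            findings.append(f"{name}: range '{spec}' is not an exact pin")
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # root project entry has no tarball
            continue
        integrity = entry.get("integrity", "")  # assumes one hash per field
        algo = integrity.split("-", 1)[0]
        if algo not in ("sha512", "sha384", "sha256"):
            findings.append(f"{path}: missing or weak integrity '{algo}'")
        elif path in tarballs and sri(tarballs[path], algo) != integrity:
            findings.append(f"{path}: tarball does not match lockfile hash")
        if not entry.get("resolved", "").startswith(ALLOWED_REGISTRY):
            findings.append(f"{path}: resolved outside the private registry")
    return findings

# Constructed sample data (not real package contents or hashes)
GOOD = b"constructed tarball bytes for left-pad 1.3.0"
MANIFEST = {"dependencies": {"left-pad": "1.3.0", "lodash": "^4.17.21"}}
LOCK = {"packages": {
    "": {"name": "demo"},
    "node_modules/left-pad": {"version": "1.3.0",
        "resolved": ALLOWED_REGISTRY + "left-pad/-/left-pad-1.3.0.tgz",
        "integrity": sri(GOOD)},
    "node_modules/lodash": {"version": "4.17.21",
        "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        "integrity": "sha1-constructedPlaceholder="},
}}

if __name__ == "__main__":
    for f in audit(MANIFEST, LOCK, {"node_modules/left-pad": GOOD + b"!"}):
        print("FAIL", f)
```

Failing the build on any finding turns the lockfile from a convenience into an enforced control.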
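Signed Commits

```
# Sign every commit by default
git config --global commit.gpgsign true
# Use SSH keys rather than GPG as the signature format
git config --global gpg.format ssh
# Key used for signing
git config --global user.signingkey ~/.ssh/id_ed25519.pub
```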
SLSA Framework
- Level 1: Build scripted, provenance generated
- Level 2: Hosted build, signed provenance
- Level 3: Hardened build platform
- Level 4: Two-party review, hermetic builds
Key Takeaway
Sign your commits and artifacts. Pin your dependencies. Use the SLSA framework as a roadmap for supply chain security.