_CORE
Know-How

Supply Chain Security

7 min čtení
SecuritySupply ChainSLSACI/CD

Supply chain útoky rostou exponenciálně. Kompromitovaná závislost, build pipeline nebo registry = backdoor ve vašem software.

Ochranné vrstvy

  1. Signed commits (GPG, SSH signing)
  2. Lockfile + integrity checks
  3. Dependency pinning (exact versions)
  4. Private registry / proxy
  5. Signed artifacts (Cosign, Sigstore)
  6. SLSA framework compliance

Signed commits

git config --global commit.gpgsign true git config --global gpg.format ssh git config --global user.signingkey ~/.ssh/id_ed25519.pub

SLSA Framework

  • Level 1: Build scripted, provenance generated
  • Level 2: Hosted build, signed provenance
  • Level 3: Hardened build platform
  • Level 4: Two-party review, hermetic builds

Klíčový takeaway

Podepisujte commity a artefakty. Pinujte závislosti. SLSA framework jako roadmap pro supply chain security.

CORE SYSTEMS tým

Praktické know-how z reálných projektů. Bez buzzwordů, s kódem.