Supply Chain Security: Securing Your CI/CD Pipeline from Build to Deploy
The SolarWinds and Log4Shell incidents proved that software supply chain attacks are real and devastating. SLSA (Supply-chain Levels for Software Artifacts) provides a framework for hardening your build pipeline.
SLSA Levels
| Level | Requirements | Protection |
|---|---|---|
| SLSA 1 | Documented build process | Basic provenance |
| SLSA 2 | Hosted build, signed provenance | Tampering after build |
| SLSA 3 | Hardened build platform | Tampering during build |
| SLSA 4 | Two-person review, hermetic builds | Insider threats |
Container Image Signing with Cosign
# Sign image in CI
cosign sign --key cosign.key ghcr.io/org/app:v1.2.3
# Verify in Kubernetes admission controller
cosign verify --key cosign.pub ghcr.io/org/app:v1.2.3
SBOM: Know What You Ship
Generate Software Bill of Materials for every release. Tools like Syft scan your container image and produce a complete dependency list. When the next Log4Shell hits, you know in minutes which services are affected.