Software Supply Chain Security: SBOM, SLSA, Sigstore (2025)

Oct 26, 2025
Tags: supply-chain, sbom, slsa, sigstore

Modern software depends on a complex supply chain. Secure it with transparency, provenance, and verification.

SBOM

  • Generate in CI (CycloneDX/SPDX); include licenses; publish with artifacts

Provenance (SLSA)

  • Attest who built what, when, and how; aim for SLSA Level 3+ over time

Signing/verification

  • Cosign for container/image signing; policy to verify before deploy
    # sign with the private half of a key pair (cosign generate-key-pair); verify with the public half
    cosign sign --key cosign.key image:tag
    cosign verify --key cosign.pub image:tag

Dependency risk

  • Pin versions; minimal allowlists; renovate/bot PRs; vuln scanning (SCA)

CI hardening

  • Isolated runners; OIDC to cloud; least-privilege; no long-lived secrets

Deployment gates

  • Require verified signatures and valid SBOM before rollout
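An added example of the "valid SBOM" half of this gate, not code from the original post: it checks a CycloneDX JSON SBOM for pinned versions, versioned purls and recorded licenses, and returns findings a CI step can fail on. The SBOM embedded below is constructed for illustration, not taken from any real project.

```python
import json

# Constructed CycloneDX SBOM with one clean component and one that should fail the gate.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "purl": "pkg:pypi/requests@2.32.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "leftpad", "version": "*",
         "purl": "pkg:npm/leftpad"},  # unpinned, no version in purl, no license
    ],
})

RANGE_CHARS = set("*^~<>")  # characters that mark a version range rather than a pin


def sbom_gate_findings(sbom_json: str) -> list:
    """Return a list of human-readable findings; an empty list means the SBOM passes."""
    try:
        bom = json.loads(sbom_json)
    except json.JSONDecodeError as exc:
        return [f"sbom: not valid JSON ({exc})"]
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("sbom: bomFormat is not CycloneDX")
    if "specVersion" not in bom:
        findings.append("sbom: missing specVersion")
    components = bom.get("components") or []
    if not components:
        findings.append("sbom: no components listed")
    for comp in components:
        name = comp.get("name", "<unnamed>")
        version = comp.get("version") or ""
        # Every dependency must be pinned to an exact version.
        if not version or RANGE_CHARS & set(version):
            findings.append(f"{name}: version not pinned ({version or 'missing'})")
        # The purl must carry the version so scanners can match it to advisories.
        if "@" not in (comp.get("purl") or ""):
            findings.append(f"{name}: purl missing or has no version")
        # License data must be present, as the SBOM section above requires.
        if not comp.get("licenses"):
            findings.append(f"{name}: no license recorded")
    return findings


def gate_passes(sbom_json: str) -> bool:
    """True only when the SBOM yields no findings."""
    return not sbom_gate_findings(sbom_json)
```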

FAQ

Q: Is SBOM enough?
A: No—use provenance and signature verification to ensure integrity, plus runtime controls.
