Module 11: Cloud Native Supply Chain Security

Sigstore, SLSA, SBOM, image signing, and provenance verification

3 hours. 2 hands-on labs. Free course module.

Learning Objectives

  • Understand supply chain attack vectors
  • Sign container images with Cosign
  • Verify image provenance with SLSA
  • Generate and analyze SBOMs for vulnerability tracking

Why This Matters

Supply chain attacks (SolarWinds, Log4j, Codecov) are among the most devastating security incidents. They bypass all runtime security because the malicious code IS the application. Supply chain security ensures you only deploy what you built, from the source you trust.

[Architecture diagram for Module 11: Cloud Native Supply Chain Security. Panel "Secure Software Supply Chain": Source Code -> Build (CI), SLSA provenance -> Sign (Cosign), keyless via OIDC -> Registry, signed + SBOM -> Deploy, verify signature. Panel "Supply Chain Attack Vectors": compromised dependency, tampered build pipeline, malicious base image, registry poisoning. Caption: every step from source to deployment is a potential attack point.]

Lesson Content

You write secure code and deploy to a hardened cluster. But where did the container image come from? Was it built from the source you think? Were any dependencies compromised? Supply chain attacks target the path between source code and running container.

Sigstore: Sign Everything

Sigstore provides keyless signing via OIDC identity. Cosign signs container images. Rekor provides a transparency log of all signatures. Fulcio issues short-lived signing certificates tied to OIDC identity.

# Sign a container image (keyless: uses your OIDC identity)
cosign sign ghcr.io/myorg/myapp:v1.2.3

# Verify the signature before deploying. Keyless verification must pin the
# expected signer identity and OIDC issuer; cosign 2.x refuses to verify
# without them, and without a pinned identity any valid Sigstore signature
# would be accepted. The workflow path and issuer below are assumed values
# for a GitHub Actions release workflow.
cosign verify \
  --certificate-identity https://github.com/myorg/myapp/.github/workflows/release.yml@refs/tags/v1.2.3 \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/myorg/myapp:v1.2.3

# In CI/CD: sign after build, verify before deploy
# No keys to manage! Identity-based signing via GitHub Actions OIDC

SLSA: Build Provenance

SLSA (Supply-chain Levels for Software Artifacts) provides a framework for build integrity. It answers: WHERE was this artifact built? HOW was it built? CAN the build process be tampered with?

SBOM: Know What You Ship

A Software Bill of Materials lists every component in your container image. When a CVE is announced, you can instantly check which images are affected — instead of scanning everything.

# Generate SBOM with Syft
syft ghcr.io/myorg/myapp:v1.2.3 -o spdx-json > sbom.json

# Scan SBOM for vulnerabilities with Grype
grype sbom:sbom.json
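The CVE impact query described above, as an added example that is not part of the course's lab files: it walks a local inventory of SPDX JSON SBOMs (constructed here in the shape Syft emits) and reports which images carry a package below a given fixed version, using log4j-core and 2.15.0 as the sample package and fixed version.

```python
import json

# Constructed SPDX 2.3 fragments shaped like `syft -o spdx-json` output.
# One image ships a vulnerable log4j-core, the other a fixed one.
SBOMS = {
    "ghcr.io/myorg/myapp:v1.2.3": json.dumps({
        "spdxVersion": "SPDX-2.3",
        "name": "ghcr.io/myorg/myapp:v1.2.3",
        "packages": [
            {"SPDXID": "SPDXRef-Package-1", "name": "log4j-core", "versionInfo": "2.14.1"},
            {"SPDXID": "SPDXRef-Package-2", "name": "openssl", "versionInfo": "3.0.13"},
        ],
    }),
    "ghcr.io/myorg/api:v4.0.0": json.dumps({
        "spdxVersion": "SPDX-2.3",
        "name": "ghcr.io/myorg/api:v4.0.0",
        "packages": [
            {"SPDXID": "SPDXRef-Package-1", "name": "log4j-core", "versionInfo": "2.17.1"},
        ],
    }),
}


def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1). Assumption: dotted numeric versions;
    a trailing non-numeric suffix such as '1-r0' is cut at the first non-digit."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a is strictly below b; shorter tuples are zero-padded so
    '2.15' and '2.15.0' compare equal rather than '2.15' sorting lower."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def affected_images(sboms, package, fixed_version):
    """Return {image: installed_version} for every SBOM that lists `package`
    below `fixed_version`. Only the stored SBOMs are read; no image is pulled."""
    hits = {}
    for image, doc in sboms.items():
        for pkg in json.loads(doc).get("packages", []):
            if pkg.get("name") == package and version_lt(pkg.get("versionInfo", ""), fixed_version):
                hits[image] = pkg["versionInfo"]
    return hits
```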

Real-World Use Cases

  • Image signing in CI/CD pipelines
  • SBOM generation for vulnerability tracking
  • Admission control rejecting unsigned images
  • Compliance with US Executive Order 14028 (software supply chain security)

Common Mistakes

  • Not verifying image signatures before deployment
  • Using base images from untrusted registries
  • Not generating SBOMs — unable to assess CVE impact
  • Building images on developer machines instead of isolated CI runners

Production Story

When Log4Shell hit, teams without SBOMs spent days scanning every container image to find affected versions. Teams with SBOMs queried their inventory in minutes and patched within hours. The difference: days of uncertainty vs hours of response.

Career Relevance

Supply chain security is driven by regulatory pressure (US EO 14028, EU CRA). Engineers who understand Sigstore, SLSA, and SBOMs are ahead of regulatory requirements.

Key Terms

Sigstore
Open-source project for signing, verifying, and protecting software
Cosign
Container image signing and verification tool
SLSA
Supply-chain Levels for Software Artifacts — build provenance framework
SBOM
Software Bill of Materials — inventory of components in an artifact
Rekor
Immutable transparency log for signing events

Hands-On Labs

  1. Sign and Verify Container Images

    Use Cosign for keyless image signing.

    30 min - Intermediate

    • Build a container image
    • Sign it with cosign sign (keyless)
    • Verify the signature with cosign verify
    • Configure admission controller to reject unsigned images

    View lab files on GitHub

  2. Generate and Analyze SBOMs

    Create SBOMs and scan for vulnerabilities.

    25 min - Beginner

    • Generate SBOM with Syft for a production image
    • Scan the SBOM with Grype for known CVEs
    • Attach the SBOM to the image with cosign attach
    • Set up automated SBOM scanning in CI

    View lab files on GitHub

Key Takeaways

  • Supply chain attacks target the build and distribution pipeline, not the running application
  • Cosign provides keyless image signing via OIDC — no keys to manage
  • SLSA framework ensures build provenance and integrity
  • SBOMs enable instant CVE impact analysis across all your images
  • Sign in CI, verify at admission — block unsigned images from deploying