Module 11 of 16

Cloud Native Supply Chain Security

Sigstore, SLSA, SBOM, image signing, and provenance verification

3 hours · 2 labs · Free

Start here

Learning objectives

  • Understand supply chain attack vectors
  • Sign container images with Cosign
  • Verify image provenance with SLSA
  • Generate and analyze SBOMs for vulnerability tracking
Figure: Secure software supply chain. Source code -> Build (CI, emits SLSA provenance) -> Sign (Cosign, keyless via OIDC) -> Registry (signed image + SBOM) -> Deploy (verify signature). Supply chain attack vectors: compromised dependency, tampered build pipeline, malicious base image, registry poisoning. Every step from source to deployment is a potential attack point.

You write secure code and deploy to a hardened cluster. But where did the container image come from? Was it built from the source you think? Were any dependencies compromised? Supply chain attacks target the path between source code and running container.

Sigstore: Sign Everything

Sigstore provides "keyless" signing: there is no long-lived signing key to generate, store or rotate. Fulcio, the Sigstore certificate authority, issues a short-lived signing certificate bound to an OIDC identity (a developer's login or, in CI, a GitHub Actions workflow). Cosign uses that certificate to sign container images and attestations. Rekor records every signature in a public, append-only transparency log, which is what lets a verifier trust a signature long after the certificate has expired. The verifier's job is then to check that the signature was made by the identity it expects, not merely by "someone with a Sigstore certificate".

# Sign a container image (keyless: Fulcio issues a short-lived certificate for
# your OIDC identity, Rekor records the signature). --yes skips the interactive
# prompt in CI. Prefer signing the digest (myapp@sha256:...) over a mutable tag.
cosign sign --yes ghcr.io/myorg/myapp:v1.2.3

# Verify the signature before deploying. Keyless verification must pin WHO is
# allowed to have signed: cosign v2 refuses to verify without an identity and
# issuer, because a signature from "any Sigstore identity" proves nothing.
# The workflow path below is an example value for a GitHub Actions release job.
cosign verify \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity https://github.com/myorg/myapp/.github/workflows/release.yml@refs/tags/v1.2.3 \
  ghcr.io/myorg/myapp:v1.2.3

# In CI/CD: sign after build, verify before deploy
# No keys to manage: identity-based signing via GitHub Actions OIDC

SLSA: Build Provenance

SLSA (Supply-chain Levels for Software Artifacts) is a framework for build integrity, organised into levels. Its Build track answers: WHERE was this artifact built (which builder)? HOW was it built (from which source, with which parameters and dependencies)? CAN the build process be tampered with? Build L1 means provenance exists, L2 that a hosted build platform generates and signs it, and L3 that the platform isolates builds from one another and keeps the provenance signing material out of reach of the build steps themselves. The provenance is an in-toto attestation; producing it is only half the job, because the consumer must verify the builder's signature and then check that the builder, the source and the subject digest are the ones it expects.
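The policy half of provenance verification, as an added example that is not code from this course page or from the SLSA or Sigstore projects. It assumes the signature on the attestation has already been checked (for example by cosign verify-attestation) and decides whether the claims inside it satisfy a deployment policy: built by a trusted builder, from our repository at a release tag, and about the exact digest being deployed. The provenance statement is constructed in the SLSA v1 provenance shape; the builder id, the buildType and the layout under externalParameters are hypothetical.

```python
"""SLSA provenance policy check.

Added example, not code from the course page or from the SLSA/Sigstore
projects.  `cosign verify-attestation` proves WHO signed the provenance; this
is the policy half that a signature check does not do: was the image built
by a builder we trust, from our repo at a release tag, and does the
provenance really describe the digest we are about to deploy?  The statement
below is constructed in the SLSA v1 provenance shape; the builder id,
buildType and the layout under externalParameters are hypothetical.
"""
import json

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
TRUSTED_BUILDER = "https://ci.example.com/builders/container/v1"  # hypothetical

# Constructed digest of the image manifest we intend to deploy.
IMAGE_DIGEST = "deadbeef" * 8

# Constructed provenance, as a hosted CI builder would attach to the image.
SAMPLE_PROVENANCE = json.dumps({
    "_type": IN_TOTO_STATEMENT_V1,
    "subject": [{"name": "ghcr.io/myorg/myapp", "digest": {"sha256": IMAGE_DIGEST}}],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://ci.example.com/buildtypes/container/v1",  # hypothetical
            "externalParameters": {
                "source": {
                    "uri": "git+https://github.com/myorg/myapp@refs/tags/v1.2.3",
                    "digest": {"gitCommit": "0123456789abcdef" * 2 + "01234567"},
                }
            },
        },
        "runDetails": {
            "builder": {"id": TRUSTED_BUILDER},
            "metadata": {"invocationId": "https://ci.example.com/runs/4242"},
        },
    },
})

# Deployment policy for this image: who may build it and from where.
POLICY = {
    "expected_digest": IMAGE_DIGEST,
    "trusted_builders": frozenset({TRUSTED_BUILDER}),
    "source_repo": "myorg/myapp",
}


class ProvenancePolicyError(Exception):
    """Provenance is well-formed but fails deployment policy."""


def check_provenance(statement_json, *, expected_digest, trusted_builders, source_repo):
    st = json.loads(statement_json)
    if st.get("_type") != IN_TOTO_STATEMENT_V1 or st.get("predicateType") != SLSA_PROVENANCE_V1:
        raise ProvenancePolicyError("not a SLSA v1 provenance statement")

    # 1. The provenance must be about THIS artifact.  A valid attestation for
    #    some other digest (a stale or unrelated build) proves nothing here.
    subjects = st.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == expected_digest for s in subjects):
        raise ProvenancePolicyError("subject digest does not match the image being deployed")

    pred = st["predicate"]
    # 2. Only a builder we trust.  A developer laptop can emit provenance that
    #    is perfectly well-formed; trust comes from the builder id plus the
    #    signature check that bound it to that builder's identity.
    builder = pred["runDetails"]["builder"]["id"]
    if builder not in trusted_builders:
        raise ProvenancePolicyError(f"untrusted builder {builder}")

    # 3. Built from our repository at a tag, not from a fork or an arbitrary branch.
    source = pred["buildDefinition"]["externalParameters"]["source"]["uri"]
    prefix = f"git+https://github.com/{source_repo}@"
    if not source.startswith(prefix) or not source[len(prefix):].startswith("refs/tags/"):
        raise ProvenancePolicyError(f"unexpected source {source}")

    return {"builder": builder, "source": source, "digest": expected_digest}


def verdict(statement_json, **policy):
    """Admission-style decision: 'allow' or 'deny: <reason>'."""
    try:
        check_provenance(statement_json, **policy)
        return "allow"
    except (ProvenancePolicyError, KeyError) as e:
        return f"deny: {e}"


def with_source(statement_json, uri):
    """Return a copy of the statement claiming a different source (simulates tampering)."""
    st = json.loads(statement_json)
    st["predicate"]["buildDefinition"]["externalParameters"]["source"]["uri"] = uri
    return json.dumps(st)


if __name__ == "__main__":
    print(verdict(SAMPLE_PROVENANCE, **POLICY))
    print(verdict(with_source(SAMPLE_PROVENANCE,
                              "git+https://github.com/attacker/myapp@refs/tags/v1.2.3"), **POLICY))
    print(verdict(with_source(SAMPLE_PROVENANCE,
                              "git+https://github.com/myorg/myapp@refs/heads/wip"), **POLICY))
```

The three checks are the ones that separate "has provenance" from "has provenance I can act on": a fork can build the same Dockerfile and produce a correct-looking statement, a branch build is not a release, and a genuine attestation for yesterday's digest says nothing about today's image.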

SBOM: Know What You Ship

A Software Bill of Materials lists every component in your container image: OS packages, language dependencies and their exact versions. When a CVE is announced, you can query the SBOMs you already hold to find which images carry the affected package at an affected version, instead of re-pulling and rescanning every image. Generate the SBOM at build time from the exact image you push, and store it alongside the image so the query is possible later.

# Generate SBOM with Syft (at build time, from the image you actually push)
syft ghcr.io/myorg/myapp:v1.2.3 -o spdx-json > sbom.json

# Scan SBOM for vulnerabilities with Grype
grype sbom:sbom.json

# In CI: exit non-zero when a finding at or above the threshold is present
grype sbom:sbom.json --fail-on high
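The "which images are affected?" query from stored SBOMs, as an added example that is not code from this course page or from Syft or Grype. The SBOMs are constructed, trimmed to the SPDX 2.3 JSON fields that matter here (each package's purl, which Syft records under externalRefs); the advisory is constructed too, not a real CVE, and the version ordering is a deliberately naive numeric-tuple compare rather than the ecosystem-specific rules a real scanner applies.

```python
"""Which of our images ship an affected package?  Added example, not code
from the course page or from Syft/Grype.

The SBOMs are constructed, trimmed to the SPDX 2.3 JSON fields that matter
for this question: each package's purl, which Syft records under
externalRefs.  The advisory is also constructed, not a real CVE.  Version
ordering is a deliberately naive numeric-tuple compare; Grype applies
ecosystem-specific rules (Debian epochs and revisions, semver pre-releases),
so this shows the lookup logic, not a replacement for a scanner.
"""
import json
import re


def _sbom(image, purls):
    """Build a minimal SPDX 2.3 document (constructed) with one package per purl."""
    packages = []
    for i, purl in enumerate(purls):
        name_ver = purl.rsplit("/", 1)[-1]      # e.g. "openssl@3.0.11-1~deb12u2?arch=amd64"
        name, version = name_ver.split("@", 1)
        packages.append({
            "name": name,
            "SPDXID": f"SPDXRef-Package-{i}",
            "versionInfo": version.split("?", 1)[0],
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl",
                              "referenceLocator": purl}],
        })
    return json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
                       "name": image, "packages": packages})


# Constructed SBOM store: image reference -> SPDX JSON, as kept by a team that
# generated an SBOM for every image at build time.
SBOM_STORE = {
    "ghcr.io/myorg/myapp:v1.2.3": _sbom("ghcr.io/myorg/myapp:v1.2.3", [
        "pkg:golang/golang.org/x/net@v0.15.0",
        "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64&distro=debian-12",
    ]),
    "ghcr.io/myorg/api:v4.0.1": _sbom("ghcr.io/myorg/api:v4.0.1", [
        "pkg:golang/golang.org/x/net@v0.17.0",
        "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64&distro=debian-12",
    ]),
    "ghcr.io/myorg/worker:v2.9.0": _sbom("ghcr.io/myorg/worker:v2.9.0", [
        "pkg:npm/express@4.18.2",
    ]),
}

# Constructed advisory (not a real CVE): every golang.org/x/net below 0.17.0.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "affected": "pkg:golang/golang.org/x/net",  # purl type/path, no version
    "fixed_in": "0.17.0",
}

# purl = "pkg:" type "/" namespace-and-name "@" version ["?" qualifiers] ["#" subpath]
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<path>[^@?#]+)@(?P<version>[^?#]+)")


def parse_purl(purl):
    """Return (type, path, version) or None if the purl carries no version."""
    m = PURL_RE.match(purl)
    return (m.group("type"), m.group("path"), m.group("version")) if m else None


def version_key(version):
    """Naive ordering: sequence of numeric runs ("v0.15.0" -> (0, 15, 0))."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def affected_images(sbom_store, advisory):
    """Map image -> affected package@version for packages below the fixed version."""
    hits = {}
    for image, sbom_json in sbom_store.items():
        for pkg in json.loads(sbom_json).get("packages", []):
            for ref in pkg.get("externalRefs", []):
                if ref.get("referenceType") != "purl":
                    continue
                parsed = parse_purl(ref["referenceLocator"])
                if parsed is None:
                    continue
                ptype, path, version = parsed
                # Match on the ecosystem-qualified name, never on the bare package
                # name: "net" exists in several ecosystems.
                if f"pkg:{ptype}/{path}" != advisory["affected"]:
                    continue
                if version_key(version) < version_key(advisory["fixed_in"]):
                    hits.setdefault(image, []).append(f"{pkg['name']}@{version}")
    return hits


if __name__ == "__main__":
    for image, pkgs in affected_images(SBOM_STORE, ADVISORY).items():
        print(f"{ADVISORY['id']}: {image} ships {', '.join(pkgs)}")
```

Matching on the purl rather than the package name is the point worth keeping: the same name appears across ecosystems, and an advisory that applies to a Go module says nothing about an npm package that happens to share it.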

Real world

Where this shows up

  • Image signing in CI/CD pipelines
  • SBOM generation for vulnerability tracking
  • Admission control rejecting unsigned images
  • Compliance with US Executive Order 14028 (software supply chain security)

Common mistakes

What usually breaks

  • Not verifying image signatures before deployment
  • Using base images from untrusted registries
  • Not generating SBOMs — unable to assess CVE impact
  • Building images on developer machines instead of isolated CI runners

Key terms

Vocabulary used in this module

Sigstore

Open-source project for signing, verifying, and protecting software

Cosign

Container image signing and verification tool

SLSA

Supply-chain Levels for Software Artifacts — build provenance framework

SBOM

Software Bill of Materials — inventory of components in an artifact

Rekor

Immutable transparency log for signing events

Labs

Hands-on labs

30 minIntermediate

Sign and Verify Container Images

Use Cosign for keyless image signing.

  1. Build a container image
  2. Sign it with cosign sign (keyless)
  3. Verify the signature with cosign verify
  4. Configure admission controller to reject unsigned images
View lab on GitHub
25 minBeginner

Generate and Analyze SBOMs

Create SBOMs and scan for vulnerabilities.

  1. Generate SBOM with Syft for a production image
  2. Scan the SBOM with Grype for known CVEs
  3. Attach the SBOM to the image (cosign attach sbom, or cosign attest --type spdxjson, which records it as a signed attestation rather than an unsigned attachment)
  4. Set up automated SBOM scanning in CI
View lab on GitHub

Recap

Key takeaways

  • Supply chain attacks target the build and distribution pipeline, not the running application
  • Cosign provides keyless image signing via OIDC — no keys to manage
  • SLSA defines levels of build provenance and integrity; provenance only protects you if the deployer verifies the builder, source and digest
  • SBOMs enable instant CVE impact analysis across all your images
  • Sign in CI, verify at admission — block unsigned images from deploying
