
Module 11: Cloud Native Supply Chain Security Slides

Slide walkthrough for Module 11 of Cloud Native Security Engineering: Securing Kubernetes, Workloads, APIs & Zero Trust Systems: Sigstore, SLSA, SBOM,...

This slide page is the visual review companion for the full course module. Use it to recap the architecture, examples, exercises, production warnings, and takeaways after reading the lesson.

Slide Outline

  1. Cloud Native Supply Chain Security - Sigstore, SLSA, SBOM, image signing, and provenance verification
  2. Learning Objectives - 4 outcomes for this module
  3. Why This Module Matters - Supply chain attacks (SolarWinds, Log4j, Codecov) are among the most devastating security incidents because they bypass runtime security: the malicious code is the application
  4. Sigstore: Sign Everything - Lesson section from the full module
  5. SLSA: Build Provenance - Lesson section from the full module
  6. SBOM: Know What You Ship - Lesson section from the full module
  7. Real-World Use Cases - Image signing in CI/CD pipelines, SBOM generation for vulnerability tracking
  8. Common Mistakes to Avoid - 4 mistakes covered
  9. Hands-On Labs - 2 hands-on labs
  10. Key Takeaways - 5 points to remember

Learning Objectives

  • Understand supply chain attack vectors
  • Sign container images with Cosign
  • Verify image provenance with SLSA
  • Generate and analyze SBOMs for vulnerability tracking

Why This Module Matters

Supply chain attacks (SolarWinds, Log4Shell in Log4j, Codecov) are among the most devastating security incidents. They slip past runtime defenses because the malicious or vulnerable code IS the application: it was built, signed and deployed through the normal pipeline, so nothing at runtime looks out of place. Supply chain security ensures you deploy only what you built, from source you trust, on a build system you trust.

Common Mistakes

  • Not verifying image signatures before deployment
  • Using base images from untrusted registries
  • Not generating SBOMs — unable to assess CVE impact
  • Building images on developer machines instead of isolated CI runners

Key Takeaways

  • Supply chain attacks target the build and distribution pipeline, not the running application
  • Cosign provides keyless image signing via OIDC: a short-lived certificate from Fulcio binds the signature to a CI or user identity, the entry is logged in Rekor, and there are no long-lived signing keys to store or rotate
  • SLSA defines graded build levels and a provenance attestation format, so a consumer can verify which builder produced an artifact, from which source, and under what build definition
  • SBOMs enable fast CVE impact analysis across all your images: query the stored inventories instead of rescanning every image when a new advisory lands
  • Sign in CI, verify at admission — block unsigned images from deploying

Hands-On Labs

  1. Sign and Verify Container Images

    Use Cosign for keyless image signing.

    30 min - Intermediate

    • Build a container image
    • Sign it with cosign sign (keyless)
    • Verify the signature with cosign verify
    • Configure admission controller to reject unsigned images

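    The admission decision at the end of this lab, modelled as an added example (this is not course, Cosign or Kyverno code). It takes the signing identity that `cosign verify` recovers from the Fulcio certificate (OIDC issuer plus subject) and applies the same pinning that `cosign verify --certificate-oidc-issuer ... --certificate-identity-regexp ...` and the in-cluster controllers (Kyverno verifyImages, Sigstore policy-controller) enforce: the identity must match an allowlist for that image and the workload must reference the image by digest. The image names, identities, digest and policy are all constructed for illustration, and the cryptographic verification itself is assumed to have already happened.

```python
"""Admission-time policy for keyless (Sigstore) image signatures.

Added example for this lesson, not course, Cosign or Kyverno code. It models
the decision an admission controller makes after `cosign verify` has checked
the signature cryptographically: the signing identity recovered from the Fulcio
certificate (OIDC issuer + subject) must match a pinned allowlist for that
image, and the workload must reference the image by digest. Every image name,
identity and policy below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# name[:tag][@sha256:digest]; registries with a port (host:5000/repo) also parse.
IMAGE_RE = re.compile(
    r"^(?P<name>[^:@]+(?::\d+)?(?:/[^:@]+)*)"
    r"(?::(?P<tag>\w[\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


@dataclass(frozen=True)
class SigningIdentity:
    """Identity bound into the Fulcio certificate of a verified signature."""
    issuer: str   # OIDC issuer URL (who authenticated the signer)
    subject: str  # certificate SAN: workflow URL@ref for CI, email for humans


@dataclass(frozen=True)
class ImagePolicy:
    image_glob: str              # images this rule covers (glob on the name)
    issuer: str                  # OIDC issuer that must have issued the identity
    subject_regexp: str          # regexp the subject must fully match
    require_digest: bool = True  # reject mutable tag references


def parse_image_ref(ref):
    """Split an image reference into (name, tag, digest); tag/digest may be None."""
    m = IMAGE_RE.match(ref)
    if not m:
        raise ValueError(f"malformed image reference: {ref!r}")
    return m.group("name"), m.group("tag"), m.group("digest")


def admit(image_ref, verified_identities, policies):
    """Decide (allowed, reason) for one container image.

    verified_identities: identities of signatures that cosign has already
    verified against the Sigstore roots (empty list = no valid signature).
    Every policy whose glob matches the image must be satisfied; an image
    that no policy covers is denied (default deny).
    """
    name, _tag, digest = parse_image_ref(image_ref)
    matching = [p for p in policies if fnmatchcase(name, p.image_glob)]
    if not matching:
        return False, f"no policy covers {name}: default deny"
    for p in matching:
        if p.require_digest and digest is None:
            return False, f"{image_ref} uses a mutable tag; reference the digest"
        trusted = any(
            ident.issuer == p.issuer and re.fullmatch(p.subject_regexp, ident.subject)
            for ident in verified_identities
        )
        if not trusted:
            return False, (f"no signature by an allowed identity "
                           f"(issuer {p.issuer}, subject ~ {p.subject_regexp})")
    return True, "signed by a trusted build identity and pinned by digest"


# --- constructed data for a run ---------------------------------------------
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
POLICIES = [
    ImagePolicy(
        image_glob="ghcr.io/example-org/*",
        issuer=GITHUB_ISSUER,
        # Only the release workflow of the upstream repo, run from a version tag.
        subject_regexp=(r"https://github\.com/example-org/app/\.github/workflows/"
                        r"release\.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+"),
    ),
]
DIGEST = "sha256:" + "ab" * 32  # placeholder digest, not a real image
IMAGE = f"ghcr.io/example-org/app@{DIGEST}"
RELEASE_CI = SigningIdentity(
    GITHUB_ISSUER,
    "https://github.com/example-org/app/.github/workflows/release.yml@refs/tags/v1.4.0")
FORK_CI = SigningIdentity(  # a valid Sigstore signature, but from someone else's fork
    GITHUB_ISSUER,
    "https://github.com/attacker/app/.github/workflows/release.yml@refs/tags/v1.4.0")
DEV_LAPTOP = SigningIdentity("https://accounts.google.com", "dev@example.com")

if __name__ == "__main__":
    cases = [
        ("release build, digest-pinned", IMAGE, [RELEASE_CI]),
        ("signed from a fork", IMAGE, [FORK_CI]),
        ("signed by a developer laptop", IMAGE, [DEV_LAPTOP]),
        ("unsigned", IMAGE, []),
        ("tag instead of digest", "ghcr.io/example-org/app:v1.4.0", [RELEASE_CI]),
        ("image outside policy", f"docker.io/library/nginx@{DIGEST}", [RELEASE_CI]),
    ]
    for label, ref, ids in cases:
        allowed, reason = admit(ref, ids, POLICIES)
        print(f"{'ALLOW' if allowed else 'DENY'} {label}: {reason}")
```

    The fork case is the one to notice: it carries a perfectly valid Sigstore signature from the same OIDC issuer, so "is it signed?" alone admits it. Only pinning the subject to your own repository and release workflow keeps it out, which is why the `cosign verify` step in the lab must pass the issuer and identity flags rather than accepting any certificate.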

  2. Generate and Analyze SBOMs

    Create SBOMs and scan for vulnerabilities.

    25 min - Beginner

    • Generate SBOM with Syft for a production image
    • Scan the SBOM with Grype for known CVEs
    • Attach the SBOM to the image with cosign attach
    • Set up automated SBOM scanning in CI

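    The impact query this lab builds toward, as an added example (not Syft, Grype or course code): given the CycloneDX SBOMs you stored for each image and a list of vulnerability records, report which images ship an affected package version, without touching a registry. The SBOMs are constructed inline in the shape `syft <image> -o cyclonedx-json` emits; one vulnerability record is the real Log4Shell advisory with a simplified range, the other is a made-up record labelled as such. The version ordering is a simplified dotted-numeric comparison, not the ecosystem-specific matching of a real scanner.

```python
"""Cross-image CVE impact analysis over CycloneDX SBOMs.

Added example for this lesson, not Syft, Grype or course code. Given SBOMs for
several images (constructed inline, in the shape of the CycloneDX JSON that
`syft <image> -o cyclonedx-json` produces) and a list of vulnerability records,
it answers "which of our images ship an affected package version?" without
re-scanning any image. Version comparison is a simplified dotted-numeric
ordering, not the ecosystem-specific logic of a real scanner.
"""
import re
from collections import defaultdict
from urllib.parse import unquote


def parse_version(version):
    """Turn '2.17.1' or '1.1.1n' into a tuple that sorts numerically per segment."""
    key = []
    for part in re.split(r"[.\-]", version):
        m = re.fullmatch(r"(\d+)(.*)", part)
        # numeric segments sort before non-numeric ones; trailing letters break ties
        key.append((0, int(m.group(1)), m.group(2)) if m else (1, 0, part))
    return tuple(key)


_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "==": lambda a, b: a == b}


def version_matches(version, constraints):
    """True when version satisfies every constraint, e.g. [">=2.0", "<2.15.0"]."""
    v = parse_version(version)
    for c in constraints:
        m = re.fullmatch(r"(<=|>=|==|<|>)\s*(\S+)", c.strip())
        if not m:
            raise ValueError(f"bad constraint: {c!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def split_purl(purl):
    """Split a package URL into (package, version), dropping qualifiers/subpath:
    'pkg:deb/debian/openssl@1.1.1n?arch=amd64' -> ('pkg:deb/debian/openssl', '1.1.1n')."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in base:
        return base, None
    pkg, version = base.rsplit("@", 1)
    return pkg, unquote(version)


def impacted_images(sboms, vulns):
    """Map vulnerability id -> [(image, purl)] for each affected component."""
    hits = defaultdict(list)
    for sbom in sboms:
        image = sbom["metadata"]["component"]["name"]
        for comp in sbom.get("components", []):
            pkg, version = split_purl(comp.get("purl", ""))
            if version is None:
                continue
            for vuln in vulns:
                if pkg == vuln["package"] and version_matches(version, vuln["affected"]):
                    hits[vuln["id"]].append((image, comp["purl"]))
    return dict(hits)


# --- constructed inventory ---------------------------------------------------
def _sbom(image, purls):
    """Minimal CycloneDX document in the shape Syft emits for a container image."""
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"type": "container", "name": image}},
        "components": [{"type": "library", "purl": p} for p in purls],
    }


LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core"
OPENSSL = "pkg:deb/debian/openssl"
SBOMS = [
    _sbom("ghcr.io/example-org/app",
          [f"{LOG4J}@2.14.1", f"{OPENSSL}@1.1.1w?arch=amd64&distro=debian-11"]),
    _sbom("ghcr.io/example-org/worker",
          [f"{LOG4J}@2.17.1", f"{OPENSSL}@1.1.1n?arch=amd64&distro=debian-11"]),
    _sbom("ghcr.io/example-org/frontend",
          ["pkg:npm/express@4.18.2", f"{OPENSSL}@3.0.11?arch=amd64&distro=debian-12"]),
]
VULNS = [
    # Log4Shell; simplified range (the 2.12.2 / 2.3.1 backport fixes are not modelled)
    {"id": "CVE-2021-44228", "package": LOG4J, "affected": [">=2.0", "<2.15.0"]},
    # constructed record for illustration, not a real advisory
    {"id": "EXAMPLE-2024-0001", "package": OPENSSL, "affected": ["<1.1.1w"]},
]

if __name__ == "__main__":
    for vuln_id, where in sorted(impacted_images(SBOMS, VULNS).items()):
        print(vuln_id)
        for image, purl in where:
            print(f"  {image}  ({purl})")
```

    Run against the real inventory, the `sboms` list is whatever you stored per image digest (for example the documents attached with `cosign attach` in the lab), so the query stays fast however many images you run. Treat an attached SBOM as trustworthy only if it is itself signed or attested; an unsigned inventory can be swapped just like an unsigned image.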
