DevOps by Default Blog

accessibility acl ai architecture argocd authentication automation aws backstage bash batch centos7 ci-cd cli cloud cmd containers cost-optimization css dark-mode database deployment design developer-experience devops
disk docker documentation downgrade e2e ebpf filesystem finops frontend gem github-actions gitops go golang gotrs green-computing grpc helm iac iam infrastructure-as-code java jenkins kpartx kubernetes
linux logging mariadb mfa monitoring mount multi-tenancy mysql network networking ntfs observability open-source opentofu operations otrs performance platform-engineering playwright plugins postgresql prometheus quality repo ruby
scripting secrets security sigstore slsa sql supply-chain sustainability tailwind terraform terraform101 testing themes ticketing tutorial ux vault vulnerabilities wasm windows workflow year-review yum
accessibility acl ai architecture argocd authentication automation aws backstage bash batch centos7 ci-cd cli cloud cmd containers cost-optimization css dark-mode database deployment design developer-experience devops
disk docker documentation downgrade e2e ebpf filesystem finops frontend gem github-actions gitops go golang gotrs green-computing grpc helm iac iam infrastructure-as-code java jenkins kpartx kubernetes
linux logging mariadb mfa monitoring mount multi-tenancy mysql network networking ntfs observability open-source opentofu operations otrs performance platform-engineering playwright plugins postgresql prometheus quality repo ruby
scripting secrets security sigstore slsa sql supply-chain sustainability tailwind terraform terraform101 testing themes ticketing tutorial ux vault vulnerabilities wasm windows workflow year-review yum
accessibility acl ai architecture argocd authentication automation aws backstage bash batch centos7 ci-cd cli cloud cmd containers cost-optimization css dark-mode database deployment design developer-experience devops
disk docker documentation downgrade e2e ebpf filesystem finops frontend gem github-actions gitops go golang gotrs green-computing grpc helm iac iam infrastructure-as-code java jenkins kpartx kubernetes

Supply Chain Security with SLSA and Sigstore

349 words · 2 min read

SolarWinds, Log4Shell, and countless smaller incidents proved that software supply chains are attack vectors. Compliance frameworks now require provenance verification. We implemented SLSA and Sigstore to meet requirements and build genuine trust.

The Problem

“Where did this binary come from?” should have a clear answer. For most organisations, it doesn’t. Build processes are complex, dependencies are numerous, and provenance is assumed rather than verified.

Compliance requirements escalated. Government contracts increasingly require SBOM attestations and build provenance. “Trust us” no longer satisfies auditors.

Developer workstations as build environments created risk. A compromised laptop could inject malicious code into production binaries. Build reproducibility was aspirational rather than actual.

Our Solution

SLSA framework adoption provided structure. SLSA (Supply-chain Levels for Software Artifacts) defines progressive security levels. We targeted SLSA Level 3: builds on hosted infrastructure with authenticated provenance.

Sigstore for signing eliminated key management complexity. Keyless signing using OIDC identity. Rekor provides a transparency log of all signatures. Cosign handles container image signing.

GitHub Actions as trusted builder. Builds run on GitHub-hosted runners, not developer machines. Workflow files are version-controlled. Provenance attestations link binaries to specific commits and workflows.

SBOM generation in every build. Syft produces software bills of materials. These ship alongside artifacts, enabling consumers to verify contents.

Verification in deployment. Kubernetes admission controllers verify signatures before allowing images. Unsigned or tampered images are rejected automatically.

# Sign container image
cosign sign --yes $IMAGE

# Verify before deployment
cosign verify $IMAGE

The Benefits

Compliance satisfied for government and enterprise contracts. Auditors receive verifiable provenance rather than documentation promises.

Attack surface reduced. Even if a developer workstation is compromised, production binaries aren’t affected. Builds happen in isolated, ephemeral environments.

Incident response improved. When vulnerabilities are discovered, we can identify exactly which builds are affected based on provenance records.

Consumer trust for anyone using our software. They can verify that binaries came from our CI system, built from specific source commits, with known dependencies.

Supply chain security isn’t about preventing all attacks—it’s about making attacks harder, detecting them faster, and proving integrity when required. SLSA and Sigstore make this achievable rather than theoretical.

Copyright © 2026 Gibbsoft Ltd. Company No. 06514595 registered in England. VAT No. 178377753.