Software Supply Chain Security: A Comprehensive Guide for Engineering Teams

Introduction: Why Software Supply Chain Security Matters. In December 2020, the world discovered that SolarWinds — a widely trusted IT management platform — had been compromised. Attackers injected malicious code into the Orion software build process, distributing a tainted update to roughly 18,000 organizations, including U.S. government agencies and Fortune 500 companies. The attack was …

Lab: Reproducible Container Builds — Pinning, Verifying, and Diffing Images

Overview: If you build the same Dockerfile twice and get different images, you cannot verify build integrity. A non-reproducible build means you have no way to confirm that the artifact running in production was actually produced from the source code you audited. Attackers can exploit this ambiguity to inject malicious code during the build process …

Lab: Implementing a Secure Build Pipeline with Tekton and Tekton Chains

Overview: Tekton is a powerful, Kubernetes-native open-source framework for creating continuous integration and continuous delivery (CI/CD) systems. It runs as a set of Custom Resource Definitions (CRDs) on any Kubernetes cluster, letting you define pipelines as declarative YAML that are portable across environments. Tekton Chains is a companion project that adds automatic supply chain security …

SBOM Tools Compared: Syft vs Trivy vs CycloneDX CLI

Why SBOMs Matter: The Regulatory and Security Imperative. A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of every component, library, and dependency that makes up a piece of software. Think of it as the nutritional label for your application — except instead of calories and sodium, you’re listing packages, versions, licenses, and …

Container Image Signing Tools Compared: Cosign vs Notation vs GPG

Why Container Image Signing Matters. Every time you pull a container image and deploy it into production, you’re placing implicit trust in that artifact. But how do you verify that the image hasn’t been tampered with? How do you confirm it was actually built by your CI/CD pipeline and not injected by an attacker who …

Lab: Generating and Verifying SLSA Provenance for Container Images

Overview: SLSA (Supply-chain Levels for Software Artifacts) provenance is a verifiable record that describes how an artifact was built: the source repository, the build platform, the entry point, and the input materials. When attached to a container image, provenance lets consumers answer a critical question before deploying: “Was this image actually built from the source …

Lab: Signing and Verifying Container Images with Cosign in GitHub Actions

Overview: Every container image your CI/CD pipeline produces should be cryptographically signed before it reaches any environment. Unsigned images are a blind spot — you have no proof they came from your pipeline, no guarantee they weren’t tampered with in transit, and no policy hook to block rogue deployments. In this hands-on lab you will: …

SLSA Levels Explained: A Practical Compliance Checklist for Engineering Teams

Introduction: What Is SLSA and Why Should You Care? Supply-chain Levels for Software Artifacts — SLSA (pronounced “salsa”) — is a security framework created by Google and now maintained by the Open Source Security Foundation (OpenSSF). Its goal is deceptively simple: make it harder for attackers to tamper with the software you build and ship. …

Engineer Remediation Guide for CI/CD Supplier Controls

What to change concretely in real CI/CD environments 🔐 Access & Identity Hardening If failing SSO/MFA controls: 🧱 Runner Isolation If using shared runners in regulated pipelines: 🚫 Policy Gates Not Blocking If SAST/SCA/DAST results are advisory only: 📦 Artifact Integrity If artifact signing missing: Evidence Centralization If logs only exist in vendor UI: 🔁 …