What is software supply chain security and what are SLSA levels, SBOMs, and image signing?
Answer
Software supply chain security protects the integrity of artifacts (code, dependencies, container images) from source to production. A supply chain attack (like SolarWinds or the XZ Utils backdoor) compromises build tools, dependencies, or CI systems to inject malicious code into trusted software.

Key concepts:

- SLSA (Supply-chain Levels for Software Artifacts) is a framework of four security levels. Level 1 requires a documented build process. Level 2 requires a tamper-evident build with provenance (who built what, when, how). Level 3 requires the build to run on a hardened, two-party reviewed build platform. Level 4 requires hermetic, reproducible builds.
- SBOM (Software Bill of Materials) is a complete inventory of all software components and their versions in an artifact, generated during CI (Syft, CycloneDX) and published alongside releases for vulnerability tracking.
- Sigstore/Cosign provides keyless container image signing — the CI pipeline signs the Docker image with a short-lived key tied to the build's OIDC identity, and deployment systems verify the signature before running the image, ensuring only CI-built images reach production.
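The provenance check a deployment gate can apply, as an added example that is not part of the original answer: it answers "who built what" by matching the artifact's digest and the builder identity against policy. It assumes the statement follows the in-toto Statement v1 / SLSA v1.0 provenance layout and that its signature envelope was already verified (for example by Cosign); the builder ID, build type and artifact bytes are constructed.

```python
import hashlib

# Type URIs from the in-toto Statement v1 and SLSA v1.0 provenance specs.
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PREDICATE = "https://slsa.dev/provenance/v1"

# Hypothetical builder identity; a real policy lists your own CI platform.
TRUSTED_BUILDERS = {"https://ci.example.com/builder@v1"}


def make_statement(artifact: bytes, builder_id: str) -> dict:
    """Build a constructed sample statement, as a CI system would emit it."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": "app.tar",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_PREDICATE,
        "predicate": {
            "buildDefinition": {"buildType": "https://example.com/build/v1"},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def check_provenance(statement: dict, artifact: bytes,
                     trusted=TRUSTED_BUILDERS) -> list:
    """Return a list of policy failures; an empty list means admit."""
    failures = []
    if statement.get("_type") != STATEMENT_TYPE:
        failures.append("not an in-toto v1 statement")
    if statement.get("predicateType") != SLSA_PREDICATE:
        failures.append("predicate is not SLSA provenance")
    # "What": the artifact being deployed must be one the build produced.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject") or []
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        failures.append("artifact digest not listed in provenance subjects")
    # "Who": the builder identity must be on the allowlist.
    builder = (statement.get("predicate", {}).get("runDetails", {})
               .get("builder", {}).get("id"))
    if builder not in trusted:
        failures.append(f"untrusted builder: {builder}")
    return failures


if __name__ == "__main__":
    image = b"constructed artifact bytes"
    stmt = make_statement(image, "https://ci.example.com/builder@v1")
    print(check_provenance(stmt, image))                # admitted: no failures
    print(check_provenance(stmt, image + b"tampered"))  # rejected
```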