Supply-Chain Security for Your Pipeline (SLSA, Provenance, SBOM)
You sign the code you write, but can you prove how the artifact was built?
High-profile attacks have shifted focus from the code itself to how it is built and distributed: the software supply chain. This lesson introduces the key concepts: the SLSA framework, build provenance, and the Software Bill of Materials (SBOM), so you understand what they are and why a serious pipeline produces them.
What the software supply chain is
Your supply chain is everything that goes into your released artifact: source code, dependencies, base images, build tools, and the build environment itself. An attacker who compromises any link, for example a popular dependency or your build system, can ship malicious code that passed all your tests. Supply-chain security is about making that chain verifiable.
SLSA: levels of build integrity
SLSA (Supply-chain Levels for Software Artifacts) is a framework of increasing security levels for how artifacts are built. Higher levels require things like a tamper-resistant build service, isolated builds, and verifiable provenance. You can treat it as a maturity ladder: each level raises the bar on "can you trust how this was built?"
Provenance and SBOMs
- Build provenance: signed metadata recording how, when, and from what source an artifact was built, so consumers can verify it was not tampered with.
- SBOM (Software Bill of Materials): a machine-readable inventory of every component and dependency in an artifact.
- Together they answer "what is in this, and where did it come from?", which is essential during a dependency-vulnerability scramble.
Where it fits in CI/CD
Your pipeline is the natural place to produce these artifacts: generate an SBOM during the build, emit signed provenance when you publish an image, and verify both before deploy. You do not need to leap to the top SLSA level overnight; generating an SBOM and pinning your dependencies and actions are meaningful first steps.
Key takeaways
- Supply-chain security covers everything that goes into your artifact, not just your own code.
- SLSA is a maturity ladder for build integrity; provenance and SBOMs make artifacts verifiable.
- Start small: generate an SBOM and pin dependencies and actions before chasing higher SLSA levels.