Overview
Modern software relies heavily on external libraries and tools. Supply Chain Security focuses on ensuring that these components—and the build process itself—are not compromised.
Key Concepts
- SBOM (Software Bill of Materials): A comprehensive list of all components and dependencies in your software.
- Dependency Pinning: Locking versions to prevent unexpected malicious updates.
- Image Signing: Using tools like Cosign to verify the integrity of container images.
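The following script is an added example, not code from the original page or from any tool it mentions. It shows the first two concepts together on a pip-style requirements file: it parses the file, flags entries that are not pinned to an exact version (or are pinned to a version but not to a content hash, so a re-published artifact would still install), and emits a minimal CycloneDX-style component list for the entries that can be inventoried. The sample requirements text and its SHA-256 values are constructed placeholders, and the SBOM is a deliberately small subset of the CycloneDX schema.

```python
"""Dependency-pinning check and minimal SBOM generation (added example)."""
import json
import re

# Constructed sample requirements file. The hash values are placeholders
# (all zeros / all ones), not real digests of any published package.
SAMPLE_REQUIREMENTS = (
    "# application dependencies\n"
    "requests==2.31.0 \\\n"
    "    --hash=sha256:" + "0" * 64 + "\n"
    "urllib3==2.2.1 --hash=sha256:" + "1" * 64 + "\n"
    "pyyaml==6.0.1\n"          # exact version, but no content hash
    "flask>=3.0\n"             # range: any future 3.x release is accepted
    "rich\n"                   # no specifier at all
)

# name[extras] <operator> <version>; everything after whitespace, ';' or '#' is ignored
SPEC_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s;#]*)"
)
HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def _logical_lines(text):
    """Join backslash continuations and drop blank lines and comments."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        if stripped and not stripped.startswith("#"):
            lines.append(stripped)
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def parse_requirements(text):
    """Return one record per requirement: name, operator, version, hashes, raw line."""
    records = []
    for line in _logical_lines(text):
        m = SPEC_RE.match(line)
        if not m:
            continue
        records.append({
            "name": m.group(1).lower(),
            "operator": m.group(2),
            "version": m.group(3) or None,
            "hashes": HASH_RE.findall(line),
            "line": line,
        })
    return records


def check_pinning(records):
    """Flag entries that would let an unexpected release be installed."""
    findings = []
    for r in records:
        if r["operator"] != "==":
            findings.append(f"UNPINNED: {r['name']} ({r['line']})")
        elif not r["hashes"]:
            findings.append(f"NO-HASH: {r['name']}=={r['version']} (version pinned, content not)")
    return findings


def to_sbom(records):
    """Emit a minimal CycloneDX-style component list for exactly pinned entries."""
    components = []
    for r in records:
        if r["operator"] != "==":
            continue  # version is only known at install time; cannot be inventoried
        component = {
            "type": "library",
            "name": r["name"],
            "version": r["version"],
            "purl": f"pkg:pypi/{r['name']}@{r['version']}",
        }
        if r["hashes"]:
            component["hashes"] = [{"alg": "SHA-256", "content": h} for h in r["hashes"]]
        components.append(component)
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": components}


if __name__ == "__main__":
    recs = parse_requirements(SAMPLE_REQUIREMENTS)
    for finding in check_pinning(recs):
        print(finding)
    print(json.dumps(to_sbom(recs), indent=2))
```

Run against the sample, the checker reports pyyaml as pinned without a hash and flask and rich as unpinned, and the SBOM lists only the three exactly pinned components; in a pipeline the findings list would be the gate that fails the build before any signing step.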
Example: Verifying Image Signature with Cosign
# Sign the container image
cosign sign --key cosign.key my-repo/my-image:v1.0.0
# Verify the signature
cosign verify --key cosign.pub my-repo/my-image:v1.0.0
Expected Result:
Verification for my-repo/my-image:v1.0.0 --
The following checks were performed:
- Cosign signature verified