Cosign on Adurhttps://adurrr.github.io/en/tags/cosign/Recent content in Cosign on AdurHugo -- gohugo.ioenMon, 10 Feb 2025 00:00:00 +0000Supply chain security: SBOM and Sigstorehttps://adurrr.github.io/en/p/supply-chain-security-sbom-and-sigstore/Mon, 10 Feb 2025 00:00:00 +0000https://adurrr.github.io/en/p/supply-chain-security-sbom-and-sigstore/<p>Supply chain attacks are no longer theoretical. The 2020 SolarWinds breach showed how one compromised build pipeline could hit thousands of organizations, including government agencies. Then Log4Shell in 2021 proved that a vulnerability deep in a transitive dependency could threaten every Java app overnight. The message was clear: we need visibility into what&rsquo;s in our software and stronger integrity guarantees.</p> <p>This guide covers the practical tools: SBOMs, Sigstore, and SLSA framework.</p> <h2 id="why-supply-chain-security-matters">Why Supply Chain Security Matters </h2><p>Traditional security focuses on your own code: static analysis, dependency scanning, penetration testing. Supply chain security extends that perimeter to everything your software depends on and every step in the process of building and delivering it.</p> <p>The attack surface includes:</p> <ul> <li><strong>Source code repositories</strong>: compromised developer accounts, malicious commits</li> <li><strong>Dependencies</strong>: typosquatting, dependency confusion, compromised upstream packages</li> <li><strong>Build systems</strong>: tampered CI/CD pipelines, injected build steps</li> <li><strong>Artifact registries</strong>: replaced binaries, unsigned packages</li> <li><strong>Deployment pipelines</strong>: modified manifests, man-in-the-middle attacks</li> </ul> <p>A single weak link in any of these stages can compromise the entire chain.</p> <h2 id="software-bill-of-materials-sbom">Software Bill of Materials (SBOM) </h2><p>An SBOM is a formal, machine-readable inventory of all components in a piece of software. Think of it as an ingredients list for your application. It includes direct dependencies, transitive dependencies, their versions, licenses, and relationships.</p> <h3 id="why-you-need-one">Why You Need One </h3><ul> <li><strong>Vulnerability response</strong>: When a new CVE drops (like Log4Shell), you can instantly check if any of your applications are affected.</li> <li><strong>License compliance</strong>: Know exactly what licenses you are shipping.</li> <li><strong>Regulatory requirements</strong>: The US Executive Order 14028 and the EU Cyber Resilience Act both push toward mandatory SBOMs.</li> <li><strong>Transparency</strong>: Customers and partners can verify what they are running.</li> </ul> <h3 id="sbom-formats">SBOM Formats </h3><p>Two main formats dominate:</p> <ul> <li><strong>SPDX</strong> (Software Package Data Exchange): An ISO standard (ISO/IEC 5962:2021), originally focused on license compliance, now comprehensive. Supports JSON, RDF, YAML, and tag-value formats.</li> <li><strong>CycloneDX</strong>: An OWASP project, designed from the ground up for security use cases. Supports JSON and XML. Lighter weight and more opinionated.</li> </ul> <p>Both are solid choices. CycloneDX tends to be easier to work with for security-focused workflows. SPDX has broader adoption in compliance-heavy industries.</p> <h3 id="generating-sboms-with-syft">Generating SBOMs with Syft </h3><p><a class="link" href="https://github.com/anchore/syft" target="_blank" rel="noopener" >Syft</a> from Anchore is one of the best tools for generating SBOMs. It supports container images, filesystems, and archives.</p> <p><strong>Install syft:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh <span class="p">|</span> sh -s -- -b /usr/local/bin </span></span></code></pre></td></tr></table> </div> </div><p><strong>Generate an SBOM from a container image:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># CycloneDX format (JSON)</span> </span></span><span class="line"><span class="cl">syft packages registry.example.com/myapp:v1.2.3 -o cyclonedx-json &gt; sbom.cdx.json </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># SPDX format (JSON)</span> </span></span><span class="line"><span class="cl">syft packages registry.example.com/myapp:v1.2.3 -o spdx-json &gt; sbom.spdx.json </span></span></code></pre></td></tr></table> </div> </div><p><strong>Generate an SBOM from a local directory:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">syft packages dir:/path/to/project -o cyclonedx-json &gt; sbom.cdx.json </span></span></code></pre></td></tr></table> </div> </div><p>You can then scan the SBOM for vulnerabilities using <a class="link" href="https://github.com/anchore/grype" target="_blank" rel="noopener" >Grype</a>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">grype sbom:sbom.cdx.json </span></span></code></pre></td></tr></table> </div> </div><h2 id="the-sigstore-ecosystem">The Sigstore Ecosystem </h2><p><a class="link" href="https://www.sigstore.dev/" target="_blank" rel="noopener" >Sigstore</a> is an open-source project that makes cryptographic signing and verification accessible. It eliminates the need to manage long-lived signing keys, which has historically been the main barrier to adoption of artifact signing.</p> <p>The ecosystem has three core components:</p> <ul> <li><strong>cosign</strong>: Signs and verifies container images and other OCI artifacts.</li> <li><strong>Fulcio</strong>: A certificate authority that issues short-lived certificates based on OIDC identity (your existing identity provider).</li> <li><strong>Rekor</strong>: A transparency log that creates an immutable, tamper-resistant record of signing events.</li> </ul> <h3 id="how-it-works">How It Works </h3><ol> <li>You authenticate with an OIDC provider (GitHub, Google, Microsoft, etc.).</li> <li>Fulcio issues a short-lived certificate tied to your identity.</li> <li>cosign uses that certificate to sign your artifact.</li> <li>The signing event is recorded in Rekor&rsquo;s transparency log.</li> <li>Anyone can verify the signature using the transparency log, without needing your public key.</li> </ol> <p>This is called &ldquo;keyless&rdquo; signing. No keys to rotate, no secrets to manage, no PKI infrastructure to maintain.</p> <h3 id="signing-container-images-with-cosign">Signing Container Images with Cosign </h3><p><strong>Install cosign:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Using Go</span> </span></span><span class="line"><span class="cl">go install github.com/sigstore/cosign/v2/cmd/cosign@latest </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Or download a release</span> </span></span><span class="line"><span class="cl">curl -sSfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 -o /usr/local/bin/cosign </span></span><span class="line"><span class="cl">chmod +x /usr/local/bin/cosign </span></span></code></pre></td></tr></table> </div> </div><p><strong>Sign an image (keyless mode):</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cosign sign registry.example.com/myapp:v1.2.3 </span></span></code></pre></td></tr></table> </div> </div><p>This will open a browser for OIDC authentication. In CI, you can use workload identity (e.g., GitHub Actions OIDC token) for non-interactive signing.</p> <p><strong>Verify an image:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cosign verify registry.example.com/myapp:v1.2.3 <span class="se">\ </span></span></span><span class="line"><span class="cl"> --certificate-identity<span class="o">=</span>user@example.com <span class="se">\ </span></span></span><span class="line"><span class="cl"> --certificate-oidc-issuer<span class="o">=</span>https://accounts.google.com </span></span></code></pre></td></tr></table> </div> </div><p><strong>Attach an SBOM to an image and sign it:</strong></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Attach the SBOM</span> </span></span><span class="line"><span class="cl">cosign attach sbom --sbom sbom.cdx.json registry.example.com/myapp:v1.2.3 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Sign the SBOM attachment</span> </span></span><span class="line"><span class="cl">cosign sign --attachment sbom registry.example.com/myapp:v1.2.3 </span></span></code></pre></td></tr></table> </div> </div><h2 id="the-slsa-framework">The SLSA Framework </h2><p><a class="link" href="https://slsa.dev/" target="_blank" rel="noopener" >SLSA</a> (Supply-chain Levels for Software Artifacts, pronounced &ldquo;salsa&rdquo;) is a framework that defines increasing levels of supply chain integrity guarantees.</p> <h3 id="slsa-levels">SLSA Levels </h3><ul> <li><strong>Level 0</strong>: No guarantees. This is where most projects start.</li> <li><strong>Level 1</strong>: The build process is documented and produces provenance (metadata about how an artifact was built).</li> <li><strong>Level 2</strong>: The build is hosted on a hosted build service that generates authenticated provenance.</li> <li><strong>Level 3</strong>: The build platform provides hardened builds with tamper-resistant provenance. The build environment is isolated and ephemeral.</li> </ul> <p>Each level builds on the previous one. The goal is not to jump to Level 3 immediately but to incrementally improve your posture.</p> <h3 id="slsa-provenance">SLSA Provenance </h3><p>Provenance answers the critical questions: Who built this? What source was used? What build process was followed? Was the build environment tamper-proof?</p> <p>SLSA provenance is a signed attestation in the <a class="link" href="https://in-toto.io/" target="_blank" rel="noopener" >in-toto</a> format that captures this information.</p> <h2 id="cicd-integration-github-actions-example">CI/CD Integration: GitHub Actions Example </h2><p>Here is a practical GitHub Actions workflow that builds an image, generates an SBOM, signs everything, and generates SLSA provenance:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Build, Sign, and Attest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">on</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">push</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tags</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s1">&#39;v*&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">permissions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">contents</span><span class="p">:</span><span class="w"> </span><span class="l">read</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">packages</span><span class="p">:</span><span class="w"> </span><span class="l">write</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">id-token</span><span class="p">:</span><span class="w"> </span><span class="l">write </span><span class="w"> </span><span class="c"># Required for keyless signing</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">REGISTRY</span><span class="p">:</span><span class="w"> </span><span class="l">ghcr.io</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">IMAGE_NAME</span><span class="p">:</span><span class="w"> </span><span class="l">${{ github.repository }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">jobs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">build-sign-attest</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Checkout</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Log in to GHCR</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">docker/login-action@v3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">registry</span><span class="p">:</span><span class="w"> </span><span class="l">${{ env.REGISTRY }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">username</span><span class="p">:</span><span class="w"> </span><span class="l">${{ github.actor }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="l">${{ secrets.GITHUB_TOKEN }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Build and push image</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">id</span><span class="p">:</span><span class="w"> </span><span class="l">build</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">docker/build-push-action@v5</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">push</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tags</span><span class="p">:</span><span class="w"> </span><span class="l">${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Install cosign</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">sigstore/cosign-installer@v3</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Install syft</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">anchore/sbom-action/download-syft@v0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Sign the image</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> cosign sign --yes \ </span></span></span><span class="line"><span class="cl"><span class="sd"> ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}@${{ steps.build.outputs.digest }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Generate SBOM</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> syft packages \ </span></span></span><span class="line"><span class="cl"><span class="sd"> ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}@${{ steps.build.outputs.digest }} \ </span></span></span><span class="line"><span class="cl"><span class="sd"> -o cyclonedx-json &gt; sbom.cdx.json</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Attach and sign SBOM</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> cosign attach sbom --sbom sbom.cdx.json \ </span></span></span><span class="line"><span class="cl"><span class="sd"> ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}@${{ steps.build.outputs.digest }} </span></span></span><span class="line"><span class="cl"><span class="sd"> cosign sign --yes --attachment sbom \ </span></span></span><span class="line"><span class="cl"><span class="sd"> ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}@${{ steps.build.outputs.digest }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Verify signature</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">run</span><span class="p">:</span><span class="w"> </span><span class="p">|</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> cosign verify \ </span></span></span><span class="line"><span class="cl"><span class="sd"> --certificate-identity-regexp=&#34;https://github.com/${{ github.repository }}/*&#34; \ </span></span></span><span class="line"><span class="cl"><span class="sd"> --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ </span></span></span><span class="line"><span class="cl"><span class="sd"> ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}@${{ steps.build.outputs.digest }}</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The <code>id-token: write</code> permission is what enables keyless signing in GitHub Actions. The GitHub OIDC token is automatically used by cosign without any manual key management.</p> <h2 id="practical-adoption-roadmap">Practical Adoption Roadmap </h2><p>You do not need to do everything at once. Here is a sensible progression:</p> <p><strong>Week 1-2: Visibility</strong></p> <ul> <li>Start generating SBOMs for your most critical applications using syft.</li> <li>Integrate Grype into your CI pipeline for vulnerability scanning against the SBOM.</li> </ul> <p><strong>Week 3-4: Signing</strong></p> <ul> <li>Set up cosign keyless signing in your CI/CD pipelines.</li> <li>Sign your container images on every build.</li> </ul> <p><strong>Month 2: Verification</strong></p> <ul> <li>Enforce signature verification in your deployment pipelines (e.g., Kubernetes admission controllers like Kyverno or Sigstore policy-controller).</li> <li>Attach SBOMs to images and sign them.</li> </ul> <p><strong>Month 3+: SLSA Provenance</strong></p> <ul> <li>Add SLSA provenance generation using <a class="link" href="https://github.com/slsa-framework/slsa-github-generator" target="_blank" rel="noopener" >slsa-github-generator</a>.</li> <li>Work toward SLSA Level 2, then Level 3.</li> <li>Automate provenance verification in your deployment tooling.</li> </ul> <h2 id="key-takeaways">Key Takeaways </h2><ul> <li><strong>SBOMs give visibility</strong> - You can&rsquo;t secure what you can&rsquo;t see. Generate SBOMs for every artifact.</li> <li><strong>Sigstore removes the excuse</strong> - Keyless signing kills key management overhead. No good reason not to sign.</li> <li><strong>SLSA is a maturity model</strong> - Use it to improve supply chain integrity incrementally, not as all-or-nothing.</li> <li><strong>Automate everything</strong> - These tools are built for CI/CD integration. Manual doesn&rsquo;t scale.</li> </ul> <p>The supply chain security ecosystem is maturing fast. Tools are production-ready, standards are solidifying, and regulatory pressure keeps rising. The best time to start was yesterday. The second-best is now.</p>