Why architecture matters here
Supply chain architecture matters because the attack surface is enormous and consequences are high. A malicious dependency in your build lands your code with a backdoor; a compromised build system replaces your binary with theirs; an unsigned artifact deploys silently. Each has a specific mitigation.
Cost is measurable but small compared to incident cost. SLSA level 3 doesn't require new spending as much as new discipline. Signing infrastructure is free (Sigstore + Fulcio) at moderate scale.
Reliability of the deploy pipeline improves. Signed artifacts + admission control means only known-good code deploys; provenance means when something goes wrong, you know exactly where it came from.
The architecture: every layer explained
Walk the diagram top to bottom.
Source Code. Signed commits (GPG or gitsign) prove authorship. Branch protection ensures approved changes only.
Dependency Pinning. Lockfiles with hashes so builds are reproducible and known. Renovate or Dependabot for controlled updates.
Build System. Hermetic (no network at build time, or vetted allowlist), isolated per build (fresh container), reproducible (same input → same output byte-for-byte).
SLSA Level Attestation. Machine-generated provenance metadata: what source, what build system, what deps, what date, what builder. Signed by the builder.
SBOM Generation. Software Bill of Materials in CycloneDX or SPDX format. Lists every component, version, license. Enables vuln scanning and audit.
Artifact Signing. Sigstore + cosign to sign container images and binaries. Keyless signing via short-lived certs from Fulcio.
Registry. Container registry (or artifact registry) with signature verification enabled. Rejects unsigned uploads.
Admission Control. Kubernetes admission controller (Kyverno, Gatekeeper) rejects deploys of artifacts without valid signatures or matching policy.
Vulnerability Scanning. Grype, Trivy, or Snyk scan images at CI, at registry push, and at runtime. New CVEs flagged.
Incident Response. When a vulnerability appears, use SBOM to find affected components; rebuild with patched dep; rotate signing keys if compromised.
End-to-end build + deploy flow
Trace a build. Developer opens PR. Signed commit; branch protection enforces review.
Merge. CI pulls source, pulls pinned deps by hash (any tampering caught), runs hermetic build in fresh container. Produces image.
CI generates SLSA attestation: source URL + commit hash + builder ID + dep list + build time. Signs with builder key.
Generates SBOM in CycloneDX format from actual layer contents. Signs SBOM.
Runs Trivy on the image. No new criticals. Publishes to registry: image + attestation + SBOM + signature.
Deploy pipeline pulls the image. Kyverno admission controller runs: is the image signed by a trusted builder? Yes. Does the SLSA attestation come from an allowed builder? Yes. Does the SBOM have no critical vulns from allowlist? Pass. Deploy proceeds.
Two months later, a CVE lands on a base library. Ops queries SBOM inventory: which of our deployed images use this library? Answer: 12 services. Rebuild with patched version; redeploy. Attestation trail preserved.