Why architecture matters here
Supply chain incidents cost days. A compromised dependency owns your production; a fake artifact deploys; a build system tampers with output. The architecture matters because each step is a control point that can fail closed.
SLSA levels progressively harden the chain: source integrity, build provenance, isolated builds, reproducibility. SBOMs enable quick answer to "are we affected?" after any CVE. Signing enables verify at deploy.
With the layers in place, you replace luck with policy.
The architecture: every piece explained
The top strip is the build path. Source repo uses signed commits + branch protection. Build system runs in isolated, reproducible environments (SLSA Level 3+). SBOM records components + versions. Provenance is a SLSA attestation of what built what.
The middle row is distribution. Signing uses Sigstore/cosign for artifact signatures. Artifact registry stores immutable, versioned artifacts. Verify at deploy uses admission controllers to enforce policy. Runtime attest uses TPM or TEE for hardware-rooted integrity.
The lower rows are lifecycle. Vulnerability scanner diffs SBOMs against CVE feeds. Incident response playbook: identify affected images, patch, redeploy. Ops covers policy as code, audits, and drills.
End-to-end flow
End-to-end: developer commits code with GPG signature; build kicks off in isolated runner. Build produces SBOM + provenance + signed image. Artifact registry stores. At deploy, admission controller verifies signature + provenance meets SLSA Level 3. Kubernetes admits. Runtime uses TPM to verify boot integrity. A CVE drops for openssl; scanner diffs SBOMs across the fleet; identifies affected images; patches auto-generate PR; deploy pipeline rolls out. Total time from CVE to fully patched: 6 hours.