Why architecture matters here

Supply chain incidents cost days. A compromised dependency owns your production; a fake artifact deploys; a build system tampers with output. The architecture matters because each step is a control point that can fail closed.

SLSA levels progressively harden the chain: source integrity, build provenance, isolated builds, reproducibility. SBOMs enable quick answer to "are we affected?" after any CVE. Signing enables verify at deploy.

With the layers in place, you replace luck with policy.

Advertisement

The architecture: every piece explained

The top strip is the build path. Source repo uses signed commits + branch protection. Build system runs in isolated, reproducible environments (SLSA Level 3+). SBOM records components + versions. Provenance is a SLSA attestation of what built what.

The middle row is distribution. Signing uses Sigstore/cosign for artifact signatures. Artifact registry stores immutable, versioned artifacts. Verify at deploy uses admission controllers to enforce policy. Runtime attest uses TPM or TEE for hardware-rooted integrity.

The lower rows are lifecycle. Vulnerability scanner diffs SBOMs against CVE feeds. Incident response playbook: identify affected images, patch, redeploy. Ops covers policy as code, audits, and drills.

Supply chain security — SBOM + provenance + SLSA + attestation + verifytrust the software you didn't writeSource reposigned commitsBuild systemreproducible + isolatedSBOMcomponents + versionsProvenanceSLSA attestationSigningSigstore / cosignArtifact registryimmutable + versionedVerify at deploypolicy + admissionRuntime attestTPM / TEEVulnerability scannerSBOM diff + CVEIncident responsecompromised dep playbookOps — policy in code + audits + drillssignstoreenforceattestscanrespondrespondoperateoperate
Supply chain security from source to runtime.
Advertisement

End-to-end flow

End-to-end: developer commits code with GPG signature; build kicks off in isolated runner. Build produces SBOM + provenance + signed image. Artifact registry stores. At deploy, admission controller verifies signature + provenance meets SLSA Level 3. Kubernetes admits. Runtime uses TPM to verify boot integrity. A CVE drops for openssl; scanner diffs SBOMs across the fleet; identifies affected images; patches auto-generate PR; deploy pipeline rolls out. Total time from CVE to fully patched: 6 hours.