Supply-chain security for container builds, step by step
SBOMs, signing, and provenance without slowing your pipeline to a crawl. A practical path to a trustworthy build.

"Supply-chain security" sounds like a committee. In a pipeline it's four concrete steps: generate an SBOM, scan it, sign the image, and record provenance. Each adds seconds, not minutes.
1. Generate an SBOM at build
A Software Bill of Materials lists every component in your image. Generate it from the built artifact, not the source:
syft my-image:sha-abc123 -o spdx-json > sbom.json
2. Scan the SBOM, not the world
Scanning the SBOM is faster and more accurate than re-scanning the image, and it fails the build on known-bad components:
grype sbom:sbom.json --fail-on high
3. Sign the image
Sign with cosign so consumers can verify the image is yours and unmodified. Keyless signing ties the signature to your CI identity — no long-lived keys to leak:
cosign sign --yes my-registry/my-image@sha256:abc...
4. Record provenance
Attach a provenance attestation describing how the image was built — which commit, which runner, which steps. Then enforce it at deploy time.
Admission control that rejects unsigned images (and images without provenance) is what turns all of the above from "nice artifacts" into an actual control.
Make it the default
The trick is putting these in a shared pipeline template so every team gets them for free. Security that each team has to opt into is security that doesn't happen. Bake SBOM → scan → sign → attest into the paved road, and the trustworthy build becomes the easy build.
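As an added example (not code from the original post), here is what that paved-road step can look like as one shell script every pipeline calls: the four steps above on a digest-pinned image, followed by the same signature and provenance verification an admission controller would perform, so a broken signing step fails the build rather than the deploy. It assumes syft, grype and cosign v2 are on PATH on a CI runner that can obtain an OIDC token for keyless signing; the registry, organisation, issuer URL, builder id and the `release.sh` name are placeholders, and the provenance predicate is a hand-built minimal SLSA v0.2 document filled from environment variables, standing in for what a real builder's provenance generator would emit.

```shell
#!/bin/sh
# Added example: the four steps from this post as a single release script.
# Assumes syft, grype and cosign v2 (keyless, using the CI runner's OIDC token).
# Issuer, identity, builder and repository values are placeholders.
set -eu

# The CI identity allowed to sign, as it appears in the Fulcio certificate.
OIDC_ISSUER="${OIDC_ISSUER:-https://token.actions.githubusercontent.com}"
CERT_IDENTITY_RE="${CERT_IDENTITY_RE:-^https://github.com/example-org/.*}"
FAIL_ON="${FAIL_ON:-high}"

# Sign and attest only digest-pinned references: a tag can be re-pointed
# after signing, a digest cannot.
is_digest_ref() {
    printf '%s' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Step 1: SBOM from the built artifact (SPDX JSON), not from the source tree.
generate_sbom() {
    syft "$1" -o spdx-json > sbom.json
}

# Step 2: scan the SBOM; a non-zero exit fails the pipeline at this severity.
scan_sbom() {
    grype sbom:sbom.json --fail-on "$FAIL_ON"
}

# Step 3: keyless signature bound to the runner's OIDC identity.
sign_image() {
    cosign sign --yes "$1"
}

# Step 4a: a minimal SLSA v0.2 provenance predicate built here from CI
# environment variables (constructed for the example; real pipelines should
# use the builder's own generator). Unset variables fall back to placeholders.
write_provenance_predicate() {
    cat > provenance.json <<EOF
{
  "builder": { "id": "${BUILDER_ID:-https://ci.example.com/runner/PLACEHOLDER}" },
  "buildType": "https://example.com/build-types/container@v1",
  "invocation": {
    "configSource": {
      "uri": "${SOURCE_URI:-git+https://github.com/example-org/PLACEHOLDER}",
      "digest": { "sha1": "${SOURCE_COMMIT:-0000000000000000000000000000000000000000}" },
      "entryPoint": "${BUILD_ENTRYPOINT:-.ci/release.yml}"
    }
  }
}
EOF
}

# Step 4b: attach provenance and the SBOM as signed attestations on the digest.
attest_image() {
    cosign attest --yes --type slsaprovenance --predicate provenance.json "$1"
    cosign attest --yes --type spdxjson --predicate sbom.json "$1"
}

# The check admission control performs: a signature and a provenance
# attestation exist and were issued to the expected CI identity.
verify_release() {
    cosign verify --certificate-oidc-issuer "$OIDC_ISSUER" \
        --certificate-identity-regexp "$CERT_IDENTITY_RE" "$1" > /dev/null
    cosign verify-attestation --type slsaprovenance \
        --certificate-oidc-issuer "$OIDC_ISSUER" \
        --certificate-identity-regexp "$CERT_IDENTITY_RE" "$1" > /dev/null
}

release_pipeline() {
    ref="$1"
    if ! is_digest_ref "$ref"; then
        echo "refusing to sign a tag; pass IMAGE@sha256:<digest>" >&2
        return 1
    fi
    generate_sbom "$ref"
    scan_sbom
    sign_image "$ref"
    write_provenance_predicate
    attest_image "$ref"
    verify_release "$ref"
}

# Usage: release.sh registry.example.com/team/app@sha256:<digest>
if [ "$#" -gt 0 ]; then
    release_pipeline "$1"
fi
```

The digest check is the part teams most often skip: signing `my-image:latest` signs whatever the tag pointed at in that instant, and the tag can move afterwards, while a digest identifies exactly one manifest. Running `verify_release` in CI with the same issuer and identity pattern the admission controller uses also catches a mistyped identity regexp before it blocks a deploy.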