A proof-of-concept SLSA provenance generator for Buildkite.

Stream, Mutate and Sign Images with AWS Lambda and ECR

Mattermost builder

A demonstration of how GoReleaser can help us to make software supply chain more secure by using bunch of tools such as cosign, syft, grype, slsa-provenance

Azure DevOps Server development system segmentation best practices

boostsecurityio/supply-chain-research

Project that demonstrates the implementation of SLSA L3 with Github Workflows and Sigstore. Bonus: binary authorization with Kyverno.

Deterministic container hashes and container signing using Cosign, Kaniko and Google Cloud Build

Ensignia Provenance Upload Action

A Lifesaver learning app for bronze proficiency level

A demonstration of showing how to use 💃SLSA 3 Generic Generator with GoReleaser to release artifacts while generating signed SLSA provenance

Container image provenance spec that allows tracing CVEs detected in registry images back to a CVE's source of origin.

SLSA generate and verify provenance demo

Sign and attest images

Hamburger, Sandwitch, Coke, ---

A compilation of Software Supply Chain Security resources including initiatives, standards, regulations, organizations, vendors, tooling, books, articles and a plethora of learning resources from the web.

Материалы к вебинару «Как выстроить процесс безопасной разработки в Yandex Cloud».

Template Go app repo with local test/lint/build/vulnerability check workflow, and on tag image test/build/release pipelines, with ko generative SBOM, cosign attestation, and SLSA build provenance

SLSA level 3 action

Google Container Analysis data import utility, supports OSS vulnerability scanner reports, SLSA provenance and sigstore attestations.