Secure everything that goes into your build output that you didn't write. Real-world attacks (xz, SolarWinds, dependency confusion), scanning dependencies for CVEs, producing an SBOM, signing artifacts with Sigstore, generating and verifying SLSA build provenance, and locking the chain down so only trusted, verified components ever run.
Before you start
Pairs directly with the DevSecOps Pipeline course, which wires these scanners and gates into CI. Familiarity with containers and a package manager helps.
The Software Supply Chain
You ship far more code than you write. Learn what the software supply chain is, the attack classes that target it — dependency confusion, typosquatting, build-system compromise — and the frame for defending it.
Scan Your Dependencies (SCA)
Software Composition Analysis inventories every direct and transitive dependency and matches it against known-vulnerability databases. Run it locally and in CI, and fix by upgrading — automatically where you can.
Know What You Ship: SBOM
A Software Bill of Materials is a complete, machine-readable inventory of everything in your artifact. Generate one with Syft, in a standard format, and use it to answer "are we affected?" in minutes, not days.
Sign & Verify with Sigstore
A scan proves what is in an artifact; a signature proves who built it and that it has not been tampered with. Sign container images keylessly with Sigstore cosign and verify them before anything runs.
Build Provenance & SLSA
Provenance is a signed, verifiable record of how an artifact was built — from which source, by which builder. SLSA grades that integrity. Generate provenance in CI and verify it before deploy.
Lock Down the Supply Chain
Bring it together: pin dependencies by hash, defeat dependency confusion and typosquatting, use a private proxy registry, and enforce "only signed, verified artifacts run" at cluster admission.