Securing CI/CD & the Software Supply Chain
SLSA, SBOM, Sigstore, and the Pipelines Attackers Target Most
The software supply chain is the most targeted attack surface in modern infrastructure. SolarWinds, Codecov, XZ Utils, 3CX — every major breach of the last five years ran through a pipeline or a dependency. This volume is the practitioner's manual for building pipelines attackers cannot compromise.
You'll implement SLSA (Supply-chain Levels for Software Artifacts) from Level 1 through Level 4, with specific pipeline configurations for GitHub Actions, GitLab CI, Tekton, and Jenkins. The SLSA chapter doesn't stop at theory — it includes the exact attestation schema, the Sigstore Cosign signing workflow for keyless signatures using OIDC tokens from your CI provider, and the Rekor transparency log verification steps.
SBOM generation gets a dedicated section covering both SPDX and CycloneDX formats, automated SBOM generation with Syft and vulnerability scanning of the resulting SBOMs with Grype, SBOM-driven vulnerability management workflows, and the emerging VEX (Vulnerability Exploitability eXchange) standard for reducing SBOM noise. You'll build an SBOM pipeline that produces audit-ready artifacts on every release.
The supply chain attack taxonomy chapter is the most complete public analysis of build-time attack patterns: dependency confusion, typosquatting, CI poisoning, build system compromise, and insider threat vectors — each with detection signatures and preventive controls you can implement this sprint.
Four concrete capabilities you will have
Achieve SLSA Level 3 on GitHub Actions or GitLab CI with keyless Sigstore signing using your CI provider's OIDC token
Generate SPDX/CycloneDX SBOMs with Syft, automate Grype vulnerability scanning, and implement VEX workflows to suppress known-false-positive CVEs
Build a dependency review pipeline that blocks PRs introducing packages with CVSS ≥ 7.0 or no provenance attestation
Implement the complete supply chain attack detection taxonomy: 12 attack patterns with YARA-compatible detection signatures
The idea behind Volume II
4 parts · 20 chapters
Part I — The Pipeline Attack Surface
Complete taxonomy of supply chain attacks (SolarWinds to XZ Utils post-mortem), attacker TTPs mapped to MITRE ATT&CK for CI/CD, and the Pipeline Threat Model template. Covers the trust boundary map every pipeline team needs to draw before adding controls.
Part II — SLSA: From Theory to Pipeline Config
SLSA Level 1-4 implementation for GitHub Actions, GitLab CI, Tekton, and Jenkins. Includes the complete provenance attestation schema, build environment hardening (ephemeral build runners, network isolation), and the SLSA verifier integration for downstream consumers.
Part III — Artifact Signing and Transparency
Sigstore ecosystem deep-dive: Cosign for container signing, Fulcio as the certificate authority, Rekor transparency log for auditability. Keyless signing workflow using GitHub Actions OIDC. Policy enforcement with OPA Gatekeeper and Kyverno for admission control.
Part IV — SBOM, VEX, and Dependency Management
SPDX vs CycloneDX format comparison and when to use each. Syft + Grype automated SBOM pipeline. VEX document workflow for suppressing non-exploitable CVEs. Dependency update automation with Renovate and Dependabot — configuration patterns that don't break production.