Posts Tagged ‘slsa’

TL;DR Supply-chain Levels for Software Artifacts (SLSA) attestations are a great way to show that you care about security, and they’re fairly trivial to add to delivery pipelines that produce a single binary or container image. But things get tricky with matrix jobs that build lots of things in parallel, as you then need to […]
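The point in the TL;DR above is that an attestation for a matrix build has to cover every artifact the parallel jobs emit, not just one. As an added example (this is not code from the post, nor from the SLSA project or any provenance generator), the block below builds a single in-toto Statement v1 carrying a SLSA provenance v1 predicate whose `subject` list has one entry per matrix output, then runs the consumer-side check an artifact must pass: right predicate type, trusted builder id, matching digest. The builder id, build type URI, source URI and the artifact bytes are constructed placeholders, not values from any real pipeline; signing the statement into a DSSE envelope and the step that collects digests from the parallel jobs are outside what it shows.

```python
"""Added example: one SLSA v1 provenance statement whose subject list covers
every artifact a matrix build produced, plus a verifier for one artifact.
All identifiers and file contents are constructed placeholders."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-ins for the outputs of three parallel matrix jobs.
# In a pipeline each job would publish its digest and a later job would
# merge them before a single provenance step runs.
MATRIX_OUTPUTS = {
    "tool-linux-amd64": b"ELF\x02\x01\x01 fake linux build",
    "tool-darwin-arm64": b"\xcf\xfa\xed\xfe fake darwin build",
    "tool-windows-amd64.exe": b"MZ fake windows build",
}

# Hypothetical identifiers, not a real builder or build type.
BUILDER_ID = "https://example.invalid/builders/matrix-ci@v1"
BUILD_TYPE = "https://example.invalid/buildtypes/matrix@v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_subjects(outputs: dict) -> list:
    """One in-toto subject entry per artifact: name plus sha256 digest."""
    return [
        {"name": name, "digest": {"sha256": sha256_hex(blob)}}
        for name, blob in sorted(outputs.items())
    ]


def make_provenance(outputs: dict, source_uri: str, commit: str) -> dict:
    """in-toto Statement v1 with a SLSA provenance v1 predicate.
    The predicate follows the SLSA v1 layout (buildDefinition / runDetails);
    the parameter values are illustrative only."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": make_subjects(outputs),
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": BUILD_TYPE,
                "externalParameters": {
                    "source": {"uri": source_uri, "digest": {"gitCommit": commit}},
                    "matrix": sorted(outputs),
                },
                "resolvedDependencies": [
                    {"uri": source_uri, "digest": {"gitCommit": commit}}
                ],
            },
            "runDetails": {
                "builder": {"id": BUILDER_ID},
                "metadata": {
                    "invocationId": "run-1",
                    "startedOn": datetime(2024, 1, 1, tzinfo=timezone.utc).isoformat(),
                },
            },
        },
    }


def verify_artifact(statement: dict, name: str, data: bytes, expected_builder: str) -> bool:
    """Consumer-side check: the statement must be SLSA provenance from the
    builder we trust, and the artifact's digest must match its subject entry.
    Verifying the signature on the enclosing DSSE envelope is not shown."""
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        return False
    if statement["predicate"]["runDetails"]["builder"]["id"] != expected_builder:
        return False
    for subj in statement["subject"]:
        if subj["name"] == name:
            return subj["digest"].get("sha256") == sha256_hex(data)
    return False  # artifact is not covered by this attestation at all


if __name__ == "__main__":
    stmt = make_provenance(MATRIX_OUTPUTS, "git+https://example.invalid/org/tool", "a" * 40)
    print(json.dumps(stmt, indent=2))
    for name, blob in MATRIX_OUTPUTS.items():
        print(name, verify_artifact(stmt, name, blob, BUILDER_ID))
```

The verifier deliberately fails closed: an artifact whose name is absent from `subject` is rejected rather than treated as unattested-but-fine, which is the case a per-job attestation scheme tends to get wrong when one matrix leg is added later and nobody updates the provenance step.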


What? Let’s get the terminology cleared up. This post is about: None of these things stands alone; they’re all interlinked, and they certainly complement each other – a tripod is more stable than a pole. SBOM My earliest memories of the topic of supply chain security come from conversations with Josh Corman a little while […]