Supply Chain Security with SBOM and Sigstore
David Hussain, 3 minute read

Imagine buying a ready-made meal at the supermarket without an ingredient list. For years, this was the standard in software development: we download container images from the internet and trust that what’s inside matches the label. However, incidents like Log4j have shown that a single vulnerable library deep in the supply chain can cripple global infrastructure.
Tags: supply-chain-security, sbom, sigstore, container-security, devops, ci-cd, cybersecurity

In 2026, supply chain security is no longer a “nice-to-have.” With regulations like the EU Cyber Resilience Act (CRA), transparency over the software supply chain becomes a legal obligation for manufacturers of products with digital elements, medium-sized businesses included.

The Ingredient List for Software: The SBOM

A Software Bill of Materials (SBOM) is a machine-readable list of all components, libraries, and dependencies of a piece of software, typically produced per build artifact such as a container image.

  • The Benefit: When a new vulnerability (CVE) is discovered, you no longer have to guess if you’re affected. A query over your stored SBOMs reveals in seconds which of your container images contain the vulnerable library and version, provided you keep one SBOM per image digest.
  • The Automation: Tools like Syft or Trivy generate these lists automatically during the build in the CI/CD pipeline (e.g., GitLab CI or GitHub Actions). Store each SBOM keyed by the image digest it describes, otherwise you cannot tell later which running image the list belongs to.
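The lookup described above, as an added Python example that is not code from the article, Syft or Trivy: a few constructed CycloneDX JSON SBOMs, one per image, are searched for a component by package URL (purl) type and name within a version range, descending into nested components (a fat jar that bundles its dependencies). The image names, the SBOM contents and the version comparison are constructed for illustration; the Log4Shell range 2.0-beta9 up to but excluding 2.15.0 is the one from the original advisory, and later backport fixes on older 2.x branches are not modelled.

```python
import json
import re
from urllib.parse import unquote

# Constructed CycloneDX 1.5 JSON SBOMs, one per image, trimmed to the fields this
# lookup uses. Real SBOMs from Syft or Trivy carry far more (licenses, hashes, ...).
SBOMS = {
    "registry.example.com/shop/api:1.4.2": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.14.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
            {"type": "library", "name": "spring-core", "version": "5.3.13",
             "purl": "pkg:maven/org.springframework/spring-core@5.3.13?type=jar"},
        ]}),
    "registry.example.com/shop/worker:2.0.0": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.17.1",
             "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1?type=jar"},
        ]}),
    "registry.example.com/shop/legacy:0.9.3": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            # A fat jar: its bundled dependencies appear as nested components.
            {"type": "application", "name": "legacy-app", "version": "1.0.0",
             "purl": "pkg:maven/com.example/legacy-app@1.0.0",
             "components": [
                 {"type": "library", "name": "log4j-core", "version": "2.11.2",
                  "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.11.2"}]},
        ]}),
    "registry.example.com/shop/frontend:3.1.0": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "express", "version": "4.18.2",
             "purl": "pkg:npm/express@4.18.2"},
        ]}),
}


def parse_purl(purl: str) -> tuple:
    """Split a package URL into (type, namespace, name, version).
    Qualifiers ('?...') and subpath ('#...') are dropped, the version is what
    follows the last '@' of the path, percent-encoding is decoded."""
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    path, _, version = body.rpartition("@")
    if not path:  # no '@' at all: rpartition put the whole body into 'version'
        path, version = version, ""
    ptype, _, rest = path.partition("/")
    namespace, _, name = rest.rpartition("/")
    return ptype, unquote(namespace), unquote(name), version


def version_lt(a: str, b: str) -> bool:
    """a < b for dotted versions such as 2.14.1. Numeric segments compare
    numerically, a non-numeric segment (beta9, rc1) sorts below any number and
    all pre-release labels rank alike, missing segments count as 0, so
    2.0-beta9 < 2.0 < 2.0.1. Assumption: sufficient for the Maven/npm style
    versions used here, not a full SemVer implementation."""
    def key(v):
        return [int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v)]
    ka, kb = key(a), key(b)
    n = max(len(ka), len(kb))
    return ka + [0] * (n - len(ka)) < kb + [0] * (n - len(kb))


def walk_components(components):
    """Yield every component, descending into nested 'components' lists."""
    for comp in components or []:
        yield comp
        yield from walk_components(comp.get("components"))


def affected_versions(sbom_json: str, ptype: str, name: str, introduced: str, fixed: str) -> list:
    """Versions of <ptype> package <name> in one SBOM with introduced <= v < fixed."""
    hits = []
    for comp in walk_components(json.loads(sbom_json).get("components")):
        if not comp.get("purl"):
            continue
        ctype, _namespace, cname, cver = parse_purl(comp["purl"])
        if ctype == ptype and cname == name and cver \
                and not version_lt(cver, introduced) and version_lt(cver, fixed):
            hits.append(cver)
    return hits


def find_affected_images(sboms: dict, ptype: str, name: str, introduced: str, fixed: str) -> dict:
    """Map image reference -> affected versions, for images with at least one hit."""
    result = {}
    for image, sbom_json in sboms.items():
        hits = affected_versions(sbom_json, ptype, name, introduced, fixed)
        if hits:
            result[image] = hits
    return result


if __name__ == "__main__":
    # CVE-2021-44228 (Log4Shell): log4j-core 2.0-beta9 through 2.14.1, fixed in 2.15.0.
    for image, versions in find_affected_images(SBOMS, "maven", "log4j-core", "2.0-beta9", "2.15.0").items():
        print(f"{image}: log4j-core {', '.join(versions)}")
```

Matching on the purl rather than on the free-text `name` field is deliberate: `name` is whatever the generating tool chose to write, while the purl identifies the package ecosystem, namespace and name in a fixed form that vulnerability databases also use. The nested walk is what catches the fat-jar case, which a flat scan of the top-level component list would miss.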

Trust Through Digital Signatures: Sigstore and Cosign

An SBOM alone is not enough if an attacker can swap the image unnoticed on its way to the cluster. We must ensure that only images we have built and verified ourselves are executed. This is where Sigstore comes into play.

With Cosign, the Sigstore signing tool, we digitally sign container images. The signature is bound to the image’s content digest, not to a mutable tag, and is stored in the registry next to the image.

  1. Signing: After the build and the security scan have succeeded, the CI pipeline signs the image digest, either keyless with the pipeline’s OIDC identity or with a key it holds.
  2. Verification: An admission controller in the Kubernetes cluster (Kyverno or the Sigstore policy-controller) checks the signature before each deployment, including who signed it: the trusted issuer and signer identity are part of the policy.
  3. The Rule: “No signature, no deployment.” An image without a valid signature from a trusted identity is categorically rejected by the cluster, even if an attacker had push access to your registry: swapping the image changes its digest, and the attacker cannot produce a valid signature for the new digest without the signing key or the CI identity. Let the policy also pin the verified digest into the Pod spec, so that a tag retargeted after admission cannot swap the image on the next pull.
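The three steps above as an added Python simulation, not code from the article, Cosign or Kyverno: it models a registry, the pipeline’s signing step and the admission check, and then runs three attacks against it (a retargeted tag, a copied signature record, and a valid signature from an identity the policy does not trust). Cosign’s ECDSA signature is replaced by an HMAC with a CI-held secret so the example runs with the standard library; the registry layout (signature stored at the tag `sha256-<digest>.sig`, a simple-signing payload naming the digest) follows Cosign’s conventions, while the repository name, the GitLab identity strings and the policy pattern are assumptions for illustration.

```python
import hashlib
import hmac
import json
import re

# Stand-in for the pipeline's signing identity. Cosign uses an ECDSA key pair or a
# short-lived keyless certificate; an HMAC secret is used here only so the example
# runs with the standard library. The property shown is the same: the signature
# covers a payload that names one exact manifest digest.
CI_SIGNING_SECRET = b"constructed-ci-signing-secret"
# Admission policy (assumed values): which OIDC issuer and which pipeline identity may
# sign images for this cluster, what a Kyverno verifyImages keyless attestor calls
# 'issuer' and 'subject'. Only the main-branch pipeline of the shop group is trusted.
TRUSTED_ISSUER = "https://gitlab.example.com"
TRUSTED_SUBJECT = re.compile(r"^https://gitlab\.example\.com/shop/[^@]+//\.gitlab-ci\.yml@refs/heads/main$")
REPO = "registry.example.com/shop/api"
# Constructed manifest bytes; only their digests matter here.
GOOD_MANIFEST = b'{"schemaVersion":2,"config":{"digest":"sha256:good"}}'
EVIL_MANIFEST = b'{"schemaVersion":2,"config":{"digest":"sha256:evil"}}'


def digest_of(manifest: bytes) -> str:
    return "sha256:" + hashlib.sha256(manifest).hexdigest()


def sig_tag(digest: str) -> str:
    """Cosign stores the signature for sha256:abc... under the tag sha256-abc....sig."""
    return digest.replace(":", "-") + ".sig"


def simple_signing_payload(repo: str, digest: str) -> bytes:
    """The fields of Cosign's simple-signing payload that a verifier compares."""
    return json.dumps({"critical": {"identity": {"docker-reference": repo},
                                    "image": {"docker-manifest-digest": digest},
                                    "type": "cosign container image signature"},
                       "optional": None}, sort_keys=True).encode()


def ci_sign(repo: str, manifest: bytes, subject: str, issuer: str) -> dict:
    """Step 1: after build and scan, sign the image digest (never the tag)."""
    payload = simple_signing_payload(repo, digest_of(manifest))
    return {"payload": payload,
            "signature": hmac.new(CI_SIGNING_SECRET, payload, "sha256").hexdigest(),
            "certificate": {"subject": subject, "issuer": issuer}}


def admit(image_ref: str, registry: dict) -> tuple:
    """Steps 2 and 3: verify before deployment; returns (allowed, reason, pinned_ref)."""
    if "@" in image_ref:
        repo, digest = image_ref.split("@", 1)
    else:  # resolve the tag now; the tag itself is never trusted
        repo, _, _tag = image_ref.rpartition(":")
        manifest = registry["tags"].get(image_ref)
        if manifest is None:
            return False, "unknown tag", None
        digest = digest_of(manifest)
    record = registry["sigs"].get(f"{repo}:{sig_tag(digest)}")
    if record is None:
        return False, f"no signature for {digest}", None
    expected = hmac.new(CI_SIGNING_SECRET, record["payload"], "sha256").hexdigest()
    if not hmac.compare_digest(expected, record["signature"]):
        return False, "signature does not verify", None
    payload = json.loads(record["payload"])
    if payload["critical"]["image"]["docker-manifest-digest"] != digest:
        return False, "signature payload names a different digest", None
    cert = record["certificate"]
    if cert["issuer"] != TRUSTED_ISSUER or not TRUSTED_SUBJECT.match(cert["subject"]):
        return False, f"untrusted signer {cert['subject']}", None
    # Pin the verified digest so a later retarget of the tag cannot swap the image.
    return True, "verified", f"{repo}@{digest}"


def build_registry() -> dict:
    """Constructed registry: one tag, one good manifest, one valid main-branch signature."""
    subject = "https://gitlab.example.com/shop/api//.gitlab-ci.yml@refs/heads/main"
    registry = {"tags": {f"{REPO}:1.4.2": GOOD_MANIFEST}, "sigs": {}}
    registry["sigs"][f"{REPO}:{sig_tag(digest_of(GOOD_MANIFEST))}"] = ci_sign(
        REPO, GOOD_MANIFEST, subject, TRUSTED_ISSUER)
    return registry


def attack_retarget_tag(registry: dict) -> tuple:
    """Attacker with push access points the tag at a malicious manifest."""
    registry["tags"][f"{REPO}:1.4.2"] = EVIL_MANIFEST
    return admit(f"{REPO}:1.4.2", registry)


def attack_copy_signature(registry: dict) -> tuple:
    """Attacker additionally copies the existing signature record to the new digest's tag."""
    attack_retarget_tag(registry)
    good_key = f"{REPO}:{sig_tag(digest_of(GOOD_MANIFEST))}"
    registry["sigs"][f"{REPO}:{sig_tag(digest_of(EVIL_MANIFEST))}"] = registry["sigs"][good_key]
    return admit(f"{REPO}:1.4.2", registry)


def attack_untrusted_signer(registry: dict) -> tuple:
    """A genuinely valid signature, but from a feature-branch pipeline the policy excludes."""
    attack_retarget_tag(registry)
    rogue = "https://gitlab.example.com/shop/api//.gitlab-ci.yml@refs/heads/feature-x"
    registry["sigs"][f"{REPO}:{sig_tag(digest_of(EVIL_MANIFEST))}"] = ci_sign(
        REPO, EVIL_MANIFEST, rogue, TRUSTED_ISSUER)
    return admit(f"{REPO}:1.4.2", registry)


if __name__ == "__main__":
    print("honest deploy:", admit(f"{REPO}:1.4.2", build_registry()))
    for attack in (attack_retarget_tag, attack_copy_signature, attack_untrusted_signer):
        print(attack.__name__, attack(build_registry()))
```

Each attack fails at a different check, which is the point of the ordering in `admit`: retargeting the tag leaves no signature under the new digest’s `.sig` tag; copying the old record brings a signature that verifies but whose payload names the old digest; and a keyless signature from a feature branch is cryptographically fine yet fails the identity match. The last case is why a verify policy must name issuer and subject explicitly rather than accept “any valid Sigstore signature”.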

Transparency Throughout the Entire Lifecycle

True supply chain security does not end at deployment. It is a continuous cycle:

  • Vulnerability Scanning: Images in the registry must be continuously rescanned for newly published vulnerabilities. An image that passed the scan at build time can be affected by a CVE published a week later, which is exactly the question the stored SBOMs answer.
  • Attestations: In addition to the signature, we can attach attestations: signed statements bound to the image digest that, for example, the unit tests passed, a code review took place, or that a given SBOM describes this image.
  • Provenance: With frameworks like SLSA (Supply-chain Levels for Software Artifacts), we record and sign where and how every artifact was built: the source repository and commit, the builder, and the build inputs.

Conclusion: Security Begins Before the Cluster

Securing Kubernetes today means securing the entire pipeline. Those who invest in SBOMs and signature workflows today not only protect themselves from attacks but also meet the compliance requirements of tomorrow. Security thus becomes a quality feature of your software.


Technical FAQ: Supply Chain Security

What is the best format for an SBOM? There are two industry standards: CycloneDX and SPDX. CycloneDX is often easier to handle for modern cloud-native tooling, while SPDX has its roots in license compliance and covers legal licensing information in more depth. Most tools today support both formats, and Syft and Trivy can emit either.

Do we need our own Public Key Infrastructure (PKI) for Sigstore? Not necessarily. Sigstore offers “keyless signing”: the signer authenticates via OIDC (e.g., a GitHub or GitLab pipeline identity, or a Google login), receives a short-lived certificate for that identity from Sigstore’s Fulcio CA, and the signature is recorded in the Rekor transparency log. The verifier then checks the certificate’s identity and issuer instead of a long-lived key. For medium-sized businesses, this is often the least maintenance-intensive solution. The caveat: trust shifts to the OIDC provider and to the Sigstore instance you use, so the verification policy must name the exact issuer and identity it accepts (for example the main-branch pipeline of one repository), not just “any valid signature.”

Does scanning and signing slow down the CI/CD pipeline? Generating an SBOM usually takes only seconds, and signing is almost instantaneous. A vulnerability scan against the SBOM adds little beyond the one-time download of the vulnerability database. The time investment is minimal compared to the security gain and the time saved in the event of an audit or incident.


Is your software supply chain fully documented? Transparency is the best protection against modern cyber-attacks. At ayedo, we support you in integrating automated security checks and signature workflows into your pipelines. Make your software supply chain secure for the future.