← Back to Insights

Secure Software Supply Chain: SBOM and Provenance

Metasphere Engineering 12 min read
Supply Chain Security DevSecOps CI/CD

The SolarWinds breach didn’t happen because attackers broke through a firewall or exploited a production server. They compromised the build system. Malicious code was compiled, packaged, and signed by SolarWinds’ own infrastructure, then distributed to 18,000 customers as a legitimate software update. Every vulnerability scanner gave it a clean bill of health because the malware was baked in at compile time by a trusted build process.

Contamination injected in the kitchen. By someone with access. The food inspector checked the finished product. Found nothing wrong. The contamination happened before inspection.

The scanners did exactly what they were designed to do. They just weren’t designed for this.

Key takeaways
  • SolarWinds wasn’t a runtime exploit. It was a build system compromise. The malware was compiled and signed by trusted infrastructure. Every scanner said clean. The kitchen contaminated the food. The inspector passed it.
  • Artifact provenance (SLSA) proves who built what, from which source, on which runner. Without it, you’re operating on trust. Trust is what supply chain attackers exploit.
  • SBOM makes dependency risk visible. The ingredients list. You can’t patch what you can’t inventory. Automate SBOM generation in every build.
  • Dependency pinning with hash verification prevents silent substitution. A compromised package registry can serve modified versions. Tampered ingredients with the same label. Pin to exact versions with integrity hashes.
  • Admission controllers reject unsigned or unattested images at deploy time. The final inspection gate. Nothing unsigned runs in production.

Supply chain attackers don’t break your security. They become it.

Supply Chain Attack Surface: Five Injection PointsSupply Chain Attack Surface: Five Injection Points1. Source CodeCompromised developeraccount, malicious commitFix: signed commits, review2. DependenciesTyposquatting, confusionCompromised maintainerFix: SBOM, pinning, audit3. Build SystemCI pipeline poisoningInject into build envFix: hermetic builds, SLSA4. RegistryTampered artifact uploadedTag overwriteFix: signing, immutable tags5. DeployUnsigned image deployedAdmission bypassedFix: admission policyFive places an attacker can inject. Secure all five or the chain is only as strong as its weakest.

The Build System Is the Attack Surface

The Sonatype 2024 State of the Software Supply Chain report documented over 245,000 malicious packages identified across major registries in a single year. The attack surface has shifted from production infrastructure to the software factory itself. Not the restaurant. The supply chain feeding it.

Most engineering teams trust their CI/CD servers without question. Pipeline says green, ops deploys. Who questions it? Almost nobody. And that implicit trust is the exact architectural gap attackers have figured out how to exploit. The kitchen staff you never background-checked. If an attacker compromises your build runner, they don’t need to steal data directly. They inject a backdoor during compilation. Your own pipeline packages that backdoor, signs it with your corporate certificates, and deploys it to every environment.

The Trust Chain Inversion Attackers compromise a trusted component - build system, package maintainer, CI runner - so their malicious code arrives with legitimate signatures and passes every check. Contamination from inside the kitchen. The security infrastructure validates the trust chain. The attacker became part of the trust chain. Scanners pass it because they were designed for a different threat model entirely.

Five distinct injection points sit between a developer’s commit and production. Five places the ingredients can be tampered with. Traditional security focuses on the endpoints. Supply chain security focuses on the pipeline itself.

Cryptographic Provenance: Proving What You Built

Every artifact your pipeline produces needs cryptographic provenance. The chain-of-custody label. No exceptions, no “we’ll add it later.”

Provenance is a signed attestation proving: this specific source commit (by SHA), compiled by this specific trusted runner (identified by workload identity), using these exact dependency versions (per the SBOM), produced this binary with this specific content hash. The label that says which farm grew the ingredients, which kitchen prepared the food, which recipe was followed. If a deployed container can’t present that provenance chain backed by a valid digital signature, your infrastructure should refuse to run it.

Sigstore’s cosign makes this practical. It adds under 5 seconds per artifact to sign the image and attach the attestation. The signing key can be ephemeral (keyless signing via Fulcio), which removes the key management overhead that historically made artifact signing too painful for teams to bother with. SLSA provides the maturity framework for measuring how far your provenance guarantees extend.

Prerequisites
  1. Build pipeline runs on a managed CI service with workload identity (not shared credentials)
  2. Source commits are GPG-signed or verified through branch protection rules
  3. Dependency lockfile exists and is committed to the repository
  4. Container registry supports OCI artifact attestations
  5. Kubernetes cluster (or equivalent) runs an admission controller able to verify signatures
Secure Pipeline: Signed Commit to Verified DeploySecure Pipeline: Signed Commit to Verified DeployGPG SignedCommit + PRIdentity verifiedEphemeral BuildFresh container per buildNo persistent stateHermetic, reproducibleSBOM + ScanGenerate SBOMCVE scan, license checkSign ArtifactCosign / SigstoreProvenance attachedVerify + DeployAdmission checks signatureOnly signed images deployUnsigned = rejectedEvery link in the chain: signed, scanned, verified. No shortcuts.

SLSA Levels: A Practical Maturity Ladder

SLSA gives you a concrete target for hardening your supply chain step by step. Food safety certification levels. Most organizations start at Level 0 (no provenance at all) and can reach Level 2 within a single quarter of focused platform work.

SLSA LevelProvenance GuaranteeWhat It RequiresEffort
Level 0None. No provenance metadata. You trust the artifact existsNothing. This is the defaultZero
Level 1Build process documented. Provenance metadata exists but unsignedAutomated build + provenance generationLow. Add provenance to existing CI
Level 2Provenance signed by hosted build service. Tamper-evidentHosted CI/CD (GitHub Actions, Cloud Build). Signed provenanceMedium. Migrate to hosted builders if not already
Level 3Hardened build platform. Provenance non-forgeable. Hermetic buildsIsolated build environment, two-person review, reproducible buildsHigh. Requires build infrastructure investment

Most teams should target Level 2. Level 3 is for high-value targets (package registries, critical infrastructure, financial systems).

The jump from Level 0 to Level 2 is the highest-ROI investment. From no label to a certified chain-of-custody. It covers the most common attack vectors (compromised source, unsigned artifacts) and fits cleanly with GitHub Actions, GitLab CI, and most managed CI services. Level 3 requires ephemeral runners. A kitchen that’s built, used once, and demolished. More work, but it closes the SolarWinds-class attack vector where the build system itself is compromised.

Anti-pattern

Don’t: Treat vulnerability scanning as your supply chain security strategy. Scanners check for known-bad patterns in completed artifacts. The food inspector checking the finished dish. They can’t detect backdoors inserted by compromised maintainers or build systems. SolarWinds passed every scanner.

Do: Layer provenance attestation on top of scanning. Sign every artifact. Verify signatures at deploy time. Scanning catches known CVEs. Provenance catches build-time compromise. The inspector and the chain-of-custody label. You need both.

Enforcing Immutable Artifacts

Once an artifact is built and signed, it’s immutable. The tamper-evident seal. The container image tested in staging must be the exact same bytes promoted to production. No recompilation. No rebuilding for different environments.

A surprising number of teams still rebuild for production because “the staging config is different.” The moment you recompile, you’ve created an entirely unverified artifact. It passed no tests. Has no provenance. Repackaging the food in a different box. Nobody tested the new box. Yet you’re deploying it as if it passed everything. Environment configuration belongs in runtime config (environment variables, config maps, secrets), never compiled into the artifact.

The enforcement mechanism: your deployment pipeline verifies the content digest (SHA256) of the container image against the signed attestation before allowing promotion. Checking the seal before accepting delivery. If the digest doesn’t match, the deployment is blocked. Kyverno or OPA Gatekeeper in Kubernetes can enforce this as an admission policy. Your continuous integration and delivery pipeline should treat an unsigned or digest-mismatched artifact exactly the same as a failed test.

Kyverno policy for verifying image signatures and provenance
# Rejects any pod with an unsigned or unattested container image.
# Requires cosign signatures attached during CI.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-provenance
spec:
  validationFailureAction: Enforce
  rules:
    - name: check-image-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"
          attestors:
            - entries:
                - keyless:
                    issuer: "https://token.actions.githubusercontent.com"
                    subject: "https://github.com/your-org/*"
          attestations:
            - predicateType: "https://slsa.dev/provenance/v1"
              conditions:
                - all:
                    - key: "{{ builder.id }}"
                      operator: Equals
                      value: "https://github.com/your-org/your-repo"

Governing the Dependency Graph

Modern production software runs on layers of open-source dependencies. Hundreds to thousands of transitive packages. Hundreds of ingredient suppliers, each with their own suppliers. Every one of those transitive authors has, in a sense, write access to your production environment.

SBOM makes the full dependency tree visible. The ingredients list. But visibility without enforcement is a dashboard nobody looks at until something explodes. Build a gate, not a dashboard. Dashboards inform. Gates prevent. The ingredients list that actually blocks delivery when something is wrong.

Dependency Governance: SBOM to Policy to RemediationDependency Governance: SBOM to Policy to RemediationSBOM GeneratedEvery build producesfull dependency listPolicy EngineLicense allowlist checkCVE severity thresholdDeprecated pkg blockCompliant: build proceedsViolation: build blockedAuto-PR to update dependencyor add exemption with justificationEvery dependency evaluated. Every violation caught. No unaudited code in production.

Your policy engine should read the SBOM and fail the build when it finds packages from known malicious publishers, unmaintained projects (no commits in 2+ years), dependencies with Critical CVEs where a patch exists, or packages flagged by your security team. Expired ingredients. Recalled suppliers. This dependency governance fits directly into the platform engineering toolchain so enforcement runs on every build with no manual work.

When SBOM enforcement worksWhen it doesn’t
Automated in CI, zero developer frictionManual SBOM review processes
Policy gates block builds with violationsDashboards report but don’t stop deployment
Transitive dependencies included in the scanOnly direct dependencies inventoried
Hash verification alongside version pinningVersion pinning without integrity checks
Exceptions need documented justification with expiryBlanket exceptions that never get revisited

Building the Paved Road

Every control in this article can be a manual checklist. And every manual checklist gets skipped under deadline pressure. Not a discipline problem. A systems design problem. Food safety checklists that nobody fills out when the lunch rush hits.

The only reliable approach: make these capabilities automatic defaults. Developer pushes code. Pipeline signs the commit, generates the SBOM, evaluates dependency policy, compiles in an ephemeral environment, produces a signed attestation, blocks promotion if anything fails. The developer doesn’t think about supply chain security. Doesn’t have to. The safety built into the kitchen equipment. The security practices that actually survive contact with deadline pressure are the ones built into the DevOps pipeline as invisible infrastructure.

ControlEffort to BuildDeveloper FrictionSupply Chain Coverage
Dependency pinning + hash verificationLow (hours)None after setupPrevents silent package substitution
Automated SBOM generationLow (days)None (runs in CI)Full dependency visibility
SBOM policy gate (block on violation)Medium (1-2 weeks)Low (fail-fast feedback)Blocks known-bad dependencies
Artifact signing (Sigstore cosign)Medium (2-4 weeks setup)None (transparent)Proves artifact integrity
Ephemeral build runnersHigh (quarter)None (transparent)Prevents persistent build compromise
Admission controller (reject unsigned)Medium (1-2 weeks)None (enforcement at cluster)Blocks unverified deployments

What the Industry Gets Wrong About Supply Chain Security

“Vulnerability scanning protects the supply chain.” Scanning finds known vulnerabilities in known packages. The food inspector checking for known contaminants. It can’t find backdoors inserted by compromised maintainers, malicious code in build systems, or supply chain attacks that don’t match any CVE signature. Contamination the inspector wasn’t trained to look for. SolarWinds passed every scan. The attack was invisible to scanners by design.

“Pin dependencies and you’re safe.” Pinning prevents accidental upgrades. It doesn’t prevent a compromised registry from serving modified content at the pinned version. Same label. Different contents. Hash verification (integrity checksums) alongside version pinning catches this. Most teams pin without hashing, which addresses half the threat.

Our take Artifact provenance at SLSA Level 2 or higher is the control that addresses supply chain attacks specifically. Not scanning. Not pinning. Cryptographic proof that the artifact was built from the declared source, on the declared runner, with the declared dependencies. The certified chain-of-custody label. Without provenance, you’re trusting the pipeline implicitly. Implicit trust is what supply chain attackers exploit. Get to Level 2 this quarter. Plan Level 3 for the next.

SolarWinds worked because the build system was trusted without question. The kitchen was never inspected. With signed commits, ephemeral build environments, attestation verification, and admission policies that reject unverified artifacts, that trust becomes earned instead of assumed. The paved road doesn’t just make security easier. It makes the SolarWinds attack vector structurally impossible in your pipeline. Every ingredient traced. Every kitchen inspected. Every package sealed.

Build Cryptographic Trust Into Your Delivery Pipeline

If you can’t prove what compiled your production artifacts and verify every dependency, you can’t call your pipeline secure. Provenance attestation, SBOM enforcement, and immutable artifact promotion built into CI/CD are the controls that close the gap.

Harden Your Supply Chain

Frequently Asked Questions

Why are traditional vulnerability scanners insufficient for supply chain security?

+

Scanners check completed artifacts for known vulnerabilities. They can’t verify that the build server was clean, that no malicious code was injected during compilation, or that the source was the commit you intended. The SolarWinds breach passed every scanner because the malware was compiled by the legitimate build system. Provenance verification addresses what scanners can’t: proving the artifact was built exactly as intended.

What is software provenance and why does it matter?

+

Provenance is a cryptographically signed attestation proving which source commit, build environment, and dependency versions produced a specific artifact. Without provenance, you know what your binary contains. With it, you can verify it was built by a trusted runner from verified source with no tampering. Sigstore cosign generates provenance attestations in under 5 seconds per artifact.

How do you manage the risk of third-party open-source dependencies?

+

Generate an automated SBOM for every build, then enforce policy gates that block deployments containing flagged or unsigned transitive dependencies. A typical production application pulls in hundreds to thousands of transitive dependencies, and a large share arrive indirectly through your direct imports. Visibility without enforcement is compliance theater. An SBOM that reports but doesn’t block is a dashboard nobody acts on.

Does cryptographic signing slow down engineering velocity?

+

No, when wired in correctly. Sigstore cosign adds under 5 seconds per artifact to the pipeline. The initial toolchain setup takes 2-4 weeks for a platform team, after which developers never touch signing infrastructure directly. Automated signing, SBOM generation, and provenance attestation run transparently as pipeline steps with near-zero velocity cost after setup.

What is an ephemeral build environment and why does it improve security?

+

An ephemeral build environment spins up a fresh, clean runner for each build and destroys it completely afterward. An attacker who compromises a build runner can’t persist to poison future builds because the runner no longer exists. This removes an entire class of persistent build-time compromise and is needed for SLSA Level 3 provenance guarantees.