On May 11, 2024, attackers injected 84 malicious versions across 42 @tanstack packages into the npm registry, all bearing valid SLSA Level 3 signatures, by hijacking TanStack's CI/CD workflow through a Pwn Request, cache poisoning, OIDC token extraction, and rapid release, exposing a critical supply‑chain vulnerability.
This article explains how to strengthen Kubernetes supply‑chain security by using SLSA Source Track, the Notary Project’s Ratify tool, and policy engines like Gatekeeper to automatically generate, attach, and verify attestation proofs for OCI images before they are deployed to production clusters.
This article examines the core applications of Software Bill of Materials (SBOM) and the SLSA framework across vulnerability response, license compliance, merger due‑diligence, and container image integrity, quantifies their return on investment, and showcases real‑world implementations by leading tech firms, highlighting how they enhance enterprise security, operational efficiency, and competitive advantage.
The article explains software supply chain security by describing how source code becomes artifacts, the role of hashes and digital signatures, and how frameworks like SLSA and Sigstore provide attestations and trusted signing to ensure provenance and protect against tampering.
This article explains how to generate and verify software artifact provenance with the Witness framework in non‑GitHub ecosystems, covering installation, key creation, configuration, running, signing, and policy verification to achieve higher SLSA levels.
This article demonstrates how to apply the SLSA (Supply chain Levels for Software Artifacts) framework to the Python ecosystem by building clean packages, generating provenance statements, uploading them to PyPI, and verifying the package origin using GitHub Actions and the slsa‑verifier tool.
This article translates Google's SLSA framework paper, explaining software supply chain threats, the four SLSA levels, mitigation strategies, a provenance generation example, and concluding with its impact on software security, while also noting related DevOps certification offerings.
This article explains what an SBOM (Software Bill of Materials) is, its purpose for software supply‑chain visibility and risk management, compares it with SLSA and Black Duck, outlines best‑practice recommendations, and lists popular tools for generating SBOMs.
This article explains what a Software Bill of Materials (SBOM) is, compares it with SLSA and Black Duck, outlines best practices for creating and maintaining SBOMs, and reviews popular tools for generating SBOMs to improve software supply chain security.
This article explains the SLSA (Supply chain Levels for Software Artifacts) framework, outlines common software supply‑chain threats, details the four SLSA levels and their requirements, discusses limitations, and reviews tools such as OpenSSF Scorecard, slsa‑verifier and Sigstore for improving software artifact integrity.
The article explains why software supply chain security is increasingly critical, introduces the SLSA (Supply‑Chain Levels for Software Artifacts) framework and its three trust boundaries, outlines common risk points from code commit to package distribution, and discusses mitigation strategies such as mandatory code review, robot‑account controls, and automation.
The 2022 Accelerate State of DevOps report, based on surveys of 33,000 professionals, reveals that software delivery performance, operational reliability, and organizational culture—especially high‑trust, low‑blame environments—drive organizational outcomes, while secure software supply chain practices such as SLSA and NIST SSDF further boost performance and reduce burnout.
