Supply Chain Security
2 articles from official documentation
Keyless Signing with Sigstore: Simplifying Artifact Security
Keyless signing changes how software artifacts are secured by tying signatures to identities instead of long-lived keys. The signer authenticates to an OIDC provider, Fulcio issues a short-lived certificate binding that identity to an ephemeral public key, and the signature and certificate are recorded in the Rekor transparency log, so there is no private key to store, rotate or leak. Dive in to understand how it works and what to watch out for in production: a verifier must pin the expected identity and OIDC issuer, and must judge the certificate's validity at the time the signature was logged rather than at verification time.
- Understand keyless signing as a method that ties signatures to identities instead of long-lived keys.
- Use Fulcio to obtain a short-lived certificate that binds your OIDC identity to an ephemeral public key.
5 min read·Sigstore Docs
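The policy check a keyless verifier has to make, as an added example that is not code from the Sigstore documentation or the Sigstore projects. It assumes the caller has already validated the certificate chain to the Fulcio root and checked the signature itself (as cosign or sigstore-go do), and it uses a self-signed, ten-minute certificate built in the same shape as a Fulcio certificate as a constructed fixture; the identities, issuer URLs and `Policy` type are assumptions for the demo. The Fulcio issuer extension OID `1.3.6.1.4.1.57264.1.1` is the real one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fulcio records the OIDC issuer that authenticated the signer in this
// certificate extension (the original raw-string form; newer certificates also
// carry a DER-encoded copy under 1.3.6.1.4.1.57264.1.8).
var oidFulcioIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// Policy is what a verifier must pin. Accepting "any certificate Fulcio issued"
// means accepting any identity Fulcio is willing to authenticate.
type Policy struct {
	Identity string // SAN: an e-mail, or a workflow URI for CI identities
	Issuer   string // OIDC issuer URL, e.g. https://token.actions.githubusercontent.com
}

func fulcioIssuer(cert *x509.Certificate) (string, bool) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidFulcioIssuer) {
			return string(ext.Value), true
		}
	}
	return "", false
}

// CheckKeylessCert applies the two checks keyless verification hinges on:
//  1. the certificate's SAN identity and OIDC issuer match the pinned policy;
//  2. the certificate is only valid for minutes, so validity is judged at the
//     time the signature was logged (Rekor's integrated time), not at "now".
func CheckKeylessCert(cert *x509.Certificate, pol Policy, signedAt time.Time) error {
	if signedAt.Before(cert.NotBefore) || signedAt.After(cert.NotAfter) {
		return fmt.Errorf("signature time %s outside certificate validity [%s, %s]",
			signedAt.UTC().Format(time.RFC3339),
			cert.NotBefore.UTC().Format(time.RFC3339),
			cert.NotAfter.UTC().Format(time.RFC3339))
	}
	issuer, ok := fulcioIssuer(cert)
	if !ok {
		return errors.New("certificate carries no Fulcio OIDC issuer extension")
	}
	if issuer != pol.Issuer {
		return fmt.Errorf("OIDC issuer %q does not match pinned issuer %q", issuer, pol.Issuer)
	}
	for _, e := range cert.EmailAddresses {
		if e == pol.Identity {
			return nil
		}
	}
	for _, u := range cert.URIs {
		if u.String() == pol.Identity {
			return nil
		}
	}
	return fmt.Errorf("no SAN in certificate matches pinned identity %q", pol.Identity)
}

// makeFulcioLikeCert builds a self-signed, ten-minute certificate with the same
// shape Fulcio issues (constructed fixture for this demo, not a real Fulcio cert).
func makeFulcioLikeCert(identity, issuer string, notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ephemeral signing key
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "keyless-example"},
		NotBefore:       notBefore,
		NotAfter:        notBefore.Add(10 * time.Minute),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		EmailAddresses:  []string{identity},
		ExtraExtensions: []pkix.Extension{{Id: oidFulcioIssuer, Value: []byte(issuer)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	nb := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	cert, err := makeFulcioLikeCert("alice@example.com", "https://accounts.google.com", nb)
	if err != nil {
		panic(err)
	}
	pol := Policy{Identity: "alice@example.com", Issuer: "https://accounts.google.com"}
	fmt.Println("pinned identity, logged inside validity:", CheckKeylessCert(cert, pol, nb.Add(2*time.Minute)))
	fmt.Println("same cert judged an hour later:", CheckKeylessCert(cert, pol, nb.Add(time.Hour)))
	fmt.Println("wrong issuer:", CheckKeylessCert(cert, Policy{"alice@example.com", "https://token.actions.githubusercontent.com"}, nb.Add(time.Minute)))
}
```

The second call in `main` is the production trap: a certificate that has expired by the time anyone verifies is the normal case with keyless signing, so the verifier has to take the signing time from the transparency log entry rather than refuse every signature older than ten minutes.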
Understanding SLSA Levels: Securing Your Supply Chain
Supply chain security is critical, and SLSA levels give a structured way to reason about artifact integrity. The build track is central: it grades how much trust a package's provenance can support, from the mere existence of provenance at Build L1, through signed provenance from a hosted build platform at L2, to a hardened, tamper-resistant build platform at L3. Dive in to learn how to use this for robust security.
- Understand provenance to know who built your artifacts and how.
- Use the build track levels to decide how much trust a package's provenance supports.
5 min read·SLSA Docs
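What a consumer does with provenance once it has it, as an added example that is not code from the SLSA documentation or the SLSA project. It assumes the attestation's signature has already been verified (with cosign or slsa-verifier, for instance) and checks the two things provenance actually supports: that the statement covers this exact artifact by digest, and that the builder it names is one the consumer has assessed at the required SLSA Build level. The builder IDs, the `buildType` URL and the level table are assumptions for the demo; the in-toto Statement v1 and SLSA provenance v1 type URLs and field names are the real ones.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

const (
	statementType = "https://in-toto.io/Statement/v1"
	slsaPredicate = "https://slsa.dev/provenance/v1"
)

// Statement is the subset of an in-toto attestation carrying SLSA v1
// provenance that a consumer needs for a trust decision.
type Statement struct {
	Type    string `json:"_type"`
	Subject []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
	PredicateType string `json:"predicateType"`
	Predicate     struct {
		BuildDefinition struct {
			BuildType string `json:"buildType"`
		} `json:"buildDefinition"`
		RunDetails struct {
			Builder struct {
				ID string `json:"id"`
			} `json:"builder"`
		} `json:"runDetails"`
	} `json:"predicate"`
}

// BuilderLevels is the consumer's own assessment of which builders it trusts
// and at which SLSA Build level. The level is never read from the provenance:
// provenance only says who claims to have built the artifact and how; the
// consumer decides how far to trust that claim. (Assumed IDs for the demo.)
var BuilderLevels = map[string]int{
	"https://example.com/builders/hardened-l3": 3,
	"https://example.com/builders/hosted-l2":   2,
}

// CheckProvenance verifies that the attestation covers exactly this artifact
// and was produced by a builder trusted at or above wantLevel. It returns the
// level the consumer assigns to that builder.
func CheckProvenance(raw, artifact []byte, wantLevel int) (int, error) {
	var st Statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return 0, fmt.Errorf("malformed attestation: %w", err)
	}
	if st.Type != statementType || st.PredicateType != slsaPredicate {
		return 0, fmt.Errorf("unexpected statement/predicate type %q / %q", st.Type, st.PredicateType)
	}
	sum := sha256.Sum256(artifact)
	want := hex.EncodeToString(sum[:])
	matched := false
	for _, s := range st.Subject {
		if s.Digest["sha256"] == want {
			matched = true
			break
		}
	}
	if !matched {
		return 0, errors.New("artifact digest is not among the provenance subjects")
	}
	builder := st.Predicate.RunDetails.Builder.ID
	level, ok := BuilderLevels[builder]
	if !ok {
		return 0, fmt.Errorf("builder %q is not trusted", builder)
	}
	if level < wantLevel {
		return level, fmt.Errorf("builder %q is trusted at SLSA Build L%d, policy requires L%d", builder, level, wantLevel)
	}
	return level, nil
}

// sampleProvenance constructs an unsigned SLSA v1 statement for artifact, as a
// stand-in for what a builder would emit (constructed test input).
func sampleProvenance(artifact []byte, builderID string) []byte {
	sum := sha256.Sum256(artifact)
	st := map[string]interface{}{
		"_type":         statementType,
		"predicateType": slsaPredicate,
		"subject": []map[string]interface{}{{
			"name":   "app-1.2.3.tar.gz",
			"digest": map[string]string{"sha256": hex.EncodeToString(sum[:])},
		}},
		"predicate": map[string]interface{}{
			"buildDefinition": map[string]interface{}{"buildType": "https://example.com/buildtypes/ci-workflow/v1"},
			"runDetails":      map[string]interface{}{"builder": map[string]string{"id": builderID}},
		},
	}
	raw, _ := json.Marshal(st)
	return raw
}

func main() {
	artifact := []byte("constructed artifact bytes")
	level, err := CheckProvenance(sampleProvenance(artifact, "https://example.com/builders/hardened-l3"), artifact, 3)
	fmt.Println("L3 builder against an L3 policy:", level, err)
	level, err = CheckProvenance(sampleProvenance(artifact, "https://example.com/builders/hosted-l2"), artifact, 3)
	fmt.Println("L2 builder against an L3 policy:", level, err)
	_, err = CheckProvenance(sampleProvenance([]byte("something else"), "https://example.com/builders/hardened-l3"), artifact, 1)
	fmt.Println("provenance for a different artifact:", err)
}
```

The digest check is the easy part to forget: a valid, signed attestation from a trusted L3 builder proves nothing about a package unless one of its subjects is that package's exact hash.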