Month 5 - Container Supply Chain: SBOM, Vulnerability Scanning, Signing, SLSA
Goal: by the end of week 20 you can (a) generate accurate SBOMs (Syft), (b) scan for CVEs (Grype, Trivy) and triage findings, (c) sign images and verify with cosign, and (d) target SLSA Level 3 in your build pipeline.
Weeks
- Week 17 - Software Bill of Materials (SBOM)
- Week 18 - Vulnerability Scanning: Grype, Trivy, Clair
- Week 19 - Signing and Verification: Cosign, Sigstore
- Week 20 - SLSA, Provenance, and Reproducibility