Practical Supply Chain Security: Implementing SLSA Compliance from Build to Runtime - E. Allamel

Video description

Don't miss out! Join us at our next Flagship Conference: KubeCon + CloudNativeCon Europe in London from April 1 - 4, 2025. Connect with our current graduated, incubating, and sandbox projects as the community gathers to further the education and advancement of cloud native computing. Learn more at https://kubecon.io

Practical Supply Chain Security: Implementing SLSA Compliance from Build to Runtime - Enguerrand Allamel, Ledger

Securing the software supply chain can feel overwhelming, especially with evolving frameworks like SLSA (Supply-chain Levels for Software Artifacts). This beginner-friendly session explores practical strategies for securing your software from build to runtime.

We will use GitHub Actions as the build platform, Cosign for keyless artifact signing (signatures are bound to the workflow's OIDC identity through Sigstore, so there are no long-lived signing keys to manage), and Kyverno to enforce image verification policies at admission time in the cluster. You will also learn how to use in-toto attestations and Kubescape to verify and maintain artifact integrity. To further bolster security, we will briefly look at integrating Hardware Security Modules (HSMs) into the workflow, which provides a robust layer of key management for the keys you still have to hold.

By the end of this talk, you will have actionable insights and a clear understanding of how to achieve SLSA compliance within the CNCF ecosystem.
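The build-to-admission flow described above, as an added example that is not from the talk or from Ledger: a GitHub Actions release workflow that builds an image, signs it keyless with Cosign, and attaches SLSA provenance via the slsa-github-generator reusable workflow, followed by a Kyverno ClusterPolicy that admits only Pods whose images carry a valid keyless signature from that workflow and a provenance attestation signed by the generator. The organisation and repository names (`example-org/example-app`), the workflow file name `release.yml`, the generator version tag and the builder id used in the policy condition are assumptions; replace them with your own values and confirm the predicate type and builder id against the provenance your generator version actually emits.

```yaml
# File: .github/workflows/release.yml (example; example-org/example-app is an assumed repository)
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
  packages: write
  id-token: write          # required for keyless (OIDC) signing with Sigstore
jobs:
  build-sign:
    runs-on: ubuntu-latest
    outputs:
      digest: ${{ steps.push.outputs.digest }}
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: push
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
      - uses: sigstore/cosign-installer@v3
      - name: Sign the image by digest (keyless; identity = this workflow's OIDC token)
        run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.push.outputs.digest }}
  provenance:
    needs: build-sign
    permissions:
      actions: read        # lets the generator read the workflow run
      id-token: write      # keyless signing of the provenance attestation
      packages: write      # push the attestation next to the image
    # Version tag is an assumption: pin to a release you have reviewed.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
    with:
      image: ghcr.io/${{ github.repository }}
      digest: ${{ needs.build-sign.outputs.digest }}
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.GITHUB_TOKEN }}
---
# File: kyverno/verify-example-app.yaml (example Kyverno policy, not from the talk)
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-example-app-images
spec:
  validationFailureAction: Enforce   # start with Audit until the policy is tuned
  webhookTimeoutSeconds: 30
  background: false
  rules:
    - name: keyless-signature-and-slsa-provenance
      match:
        any:
          - resources:
              kinds: [Pod]
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/example-app*"
          # 1. The image itself must be signed by the release workflow of this repo
          #    (Fulcio certificate SAN = workflow ref, issuer = GitHub Actions OIDC).
          attestors:
            - count: 1
              entries:
                - keyless:
                    subject: "https://github.com/example-org/example-app/.github/workflows/release.yml@refs/tags/v*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
          # 2. A SLSA provenance attestation must exist, signed by the generator workflow,
          #    and its predicate must name the expected builder (value is an assumption).
          attestations:
            - type: https://slsa.dev/provenance/v1
              attestors:
                - count: 1
                  entries:
                    - keyless:
                        subject: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v*"
                        issuer: "https://token.actions.githubusercontent.com"
              conditions:
                - all:
                    - key: "{{ runDetails.builder.id }}"
                      operator: Equals
                      value: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v2.0.0"
```

Two points a practitioner should keep in mind when adapting this: Kyverno resolves the image tag to a digest at admission and rewrites the Pod spec to that digest (the default `mutateDigest` behaviour), so what runs is exactly what was signed; and the policy only gates admission, so images already running before the policy was applied, or admitted while it was in `Audit`, are not re-checked without a separate scan (this is where a tool such as Kubescape fits in). The `subject` wildcard deliberately pins the signing identity to one workflow file in one repository, not just to the repository, so a signature produced by an unrelated workflow with the same OIDC issuer is rejected.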
