SLSA has been in its 1.0 version for a year and a half, and the ecosystem has had time to adopt it. A review of what works, what still hurts, and where it makes sense to start.
Tag: slsa
Practical DevSecOps with Sigstore and cosign
Signing images and artifacts with Sigstore is no longer exotic. How to integrate cosign into a real pipeline without turning signing into empty ritual.
SLSA Level 3: Hardening the Software Supply Chain
SLSA v1.0 defines four maturity levels for the software supply chain. L3 is achievable and justifies the investment for many teams.
Supply-Chain Attacks: Lessons from 2023
Incidents like MOVEit, 3CX, and PyPI reveal clear patterns in supply-chain attacks. How to reduce risk in 2023.