Tag: Supply chain
All the articles with the tag "Supply chain".
- SLSA Level 2: what build provenance is and why it isn't SBOM
  SLSA Level 2 in practice: how build provenance differs from an SBOM, why L2 is a realistic target, how the GitLab Runner itself generates a non-forgeable attestation, and how to verify it with glab/cosign and at admission.
- Keyless image signing: Sigstore and cosign in CI
  Keyless container image signing with Sigstore: cosign, Fulcio and Rekor sign artifacts against your CI's OIDC identity with no long-lived keys. We walk the flow, the pitfalls, and a minimal GitLab CI pipeline with admission-time verification.