Secure the software supply chain
After a high-profile supply-chain attack, leadership asks "can we prove what’s in our builds and that they’re ours?". You make the answer yes: every artifact ships with a bill of materials, a verifiable signature, and build provenance, and the cluster refuses to run anything that can’t prove its origin.
What you'll build
A pipeline that produces a signed, attested artifact with an SBOM and provenance, and a cluster that refuses to run anything unsigned or unscanned, demonstrated by a rejected deploy.
See how we teach, before you sign up
You don't just get code dumped on you. Every starter file and every solution is explained line-by-line, in plain English. Here's one real file from this project:
name: release
on:
push:
branches: [main]
permissions:
contents: read
packages: write
id-token: write # required for cosign keyless (OIDC) signing
jobs:
build-sign:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: sigstore/cosign-installer@v3
- uses: anchore/sbom-action@v0
# --- you add: build (capture digest) → sign → attest SBOM + provenance ---Reading this file
id-token: writeLets the job request a short-lived OIDC identity, which is how keyless signing proves the image came from this exact workflow.packages: writeGrants permission to push the built image to the registry, scoped narrowly rather than using a broad token.sigstore/cosign-installer@v3Installs cosign, the tool that signs and verifies images, so later steps can call it.anchore/sbom-action@v0Brings in the SBOM generator, the inventory of everything inside your build.
Keyless signing needs id-token: write so the job can mint an OIDC identity for cosign.
That's 1 of 9 explained code blocks in this single project.
The build, milestone by milestone
- 1
Generate an SBOM
5 guided stepsWhen the next Log4Shell drops, the first question is "are we affected?". Without an SBOM per build, you’re guessing instead of querying.
- 2
Sign & attest
5 guided stepsA signature proves an image is genuinely yours and unaltered. Provenance proves how and where it was built, together they defeat tampered or impostor artifacts.
- 3
Enforce at admission
5 guided stepsSigning means nothing if the cluster runs anything anyway. Admission enforcement is where supply-chain security becomes a control, not a hope.
- 4
Tighten permissions
5 guided stepsA signing pipeline with god-mode credentials is itself the soft target, attackers compromise the build system to sign malware. Least-privilege shrinks that blast radius.
- 5
Observe, cost-account, and write the runbook
5 guided stepsAdmission control is a production gate: when it wrongly rejects a release at 2am, "who do I call and how do I unblock safely?" decides whether security is trusted or routed around. And signing + transparency-log calls add real latency and cost per build.
What's inside when you start
You'll walk away with
This is portfolio-grade. Build it free.
Sign up to unlock every milestone step-by-step, the code skeletons, full reference solutions, and checkable tasks, with your progress saved as you build.
Start building