BlogCI/CD

Attesting builds with SLSA provenance in CI

Generate an SBOM and signed SLSA provenance for every build, attach them with cosign, and prove exactly where an artifact came from when auditors ask.

Jun 3, 2025·11 min readAdvanced

After log4shell, the question every team could not answer fast was simply: where do we run this? An SBOM (software bill of materials) plus signed provenance answers it — a verifiable record of what is in each artifact and how it was built. SLSA is the framework that formalizes the provenance part.

From build to verifiable artifact
1
Build
produce the image
2
SBOM
syft -> components
3
Sign
cosign keyless
4
Attest
provenance attached

Generate the SBOM in CI

bash
syft "$IMAGE" -o cyclonedx-json > sbom.json
grype sbom:sbom.json --fail-on high

Attach signed provenance

bash
# keyless signing via the CI OIDC identity
cosign attest --yes \
--predicate sbom.json \
--type cyclonedx \
"$IMAGE"
bash — verify at deploylive
cosign verify-attestation --type cyclonedx "$IMAGE"
attestation verified — signer identity + SBOM intact
Triage in minutes, not days
With SBOMs stored per image, the next critical CVE is a query across your artifacts — not a week of grepping Dockerfiles.
Go deeper in a courseSoftware supply chain securitySBOMs, SLSA provenance, signing, and admission verification.View course

Related posts