BlogCI/CD
Attesting builds with SLSA provenance in CI
Generate an SBOM and signed SLSA provenance for every build, attach them with cosign, and prove exactly where an artifact came from when auditors ask.
After log4shell, the question every team could not answer fast was simply: where do we run this? An SBOM (software bill of materials) plus signed provenance answers it — a verifiable record of what is in each artifact and how it was built. SLSA is the framework that formalizes the provenance part.
1
Build
produce the image
2
SBOM
syft -> components
3
Sign
cosign keyless
4
Attest
provenance attached
Generate the SBOM in CI
bash
syft "$IMAGE" -o cyclonedx-json > sbom.jsongrype sbom:sbom.json --fail-on high
Attach signed provenance
bash
# keyless signing via the CI OIDC identitycosign attest --yes \--predicate sbom.json \--type cyclonedx \"$IMAGE"
cosign verify-attestation --type cyclonedx "$IMAGE"attestation verified — signer identity + SBOM intactTriage in minutes, not days
With SBOMs stored per image, the next critical CVE is a query across your artifacts — not a week of grepping Dockerfiles.