✉️ In Today’s Edition

When your CI pipeline builds an image and pushes it to your registry, how do you know that image actually came from your source code?

For most teams, there is no way to prove it. Everyone just trusts the image build pipeline.

Attackers make use of this trust and compromise the build system rather than attacking a hardened production cluster.

We have seen this happen multiple times.

  • TanStack npm Attack (2026)

  • The SolarWinds attack (2020)

  • The tj-actions GitHub Actions compromise (2025) and more..

In all these cases, attackers targeted the build and delivery process rather than the application itself.

This is exactly the problem SLSA is designed to solve.

SLSA helps answer important questions such as,

  • Was the image built from the expected source code?

  • Was it built on a trusted CI platform and not on someone's laptop?

  • Was the build process tampered with?

  • Can we verify where the artifact came from?

In today's edition, I will cover:

  • What is SLSA

  • What is SLSA provenance

  • SLSA trust levels

  • How to implement SLSA in your CI/CD pipeline

  • Verifying provenance in Kubernetes with admission policies

  • Real supply chain attacks (Case studies)

and more..

What is SLSA?

The software supply chain is the complete path software takes from source code to production that includes source repositories, CI/CD pipelines, dependencies, container images, registries, and deployment platforms

SLSA stands for Supply Chain Levels for Software Artifacts (pronounced "salsa").

It was introduced by Google's security team in June 2021. It was inspired by Google's internal Binary Authorization for Borg system, which has been protecting production workloads inside Google for almost a decade. In fact, Google requires all production workloads to follow this security model.

SLSA is a software supply chain security framework from OpenSSF that measures how trustworthy your build process is.

The obvious question is,

How can the trustworthiness of a build process be measured?

Well SLSA does it through provenance. It is a signed document that records things like the following.

  • Which repository the code came from

  • Which exact commit was used

  • Which CI system ran the build

  • Which workflow or pipeline file triggered it

  • The exact timestamps of when it started and finished

💡 The literal meaning of provenance is, the place of origin or the complete, verifiable history of ownership and custody of an item

Now lets look at the provenance document in detail.

Provenance Document

A provenance document is a JSON file that describes your build, who built it, how, and when.

The following image shows an example Provenance document.

The provenance document gets wrapped inside a larger document called an in-toto statement, then the whole thing is signed. The final signed document is known as an attestation.

At this point, two obvious questions come up:

  • How is the provenance generated during the build process?

  • Where is the provenance stored after the build is complete?

Lets understand both.

How CI/CD Pipelines Generate SLSA Provenance

In most projects, container images are built and published through CI/CD pipelines. Since the CI system performs the build, it is also responsible for generating the provenance document.

Then it is stored in your container registry, right next to your image. When your image is pushed to ECR, GCR, or Docker Hub, the provenance is pushed alongside it as an OCI attachment.

This means any system (eg, Kubernetes) that pulls the image can also retrieve and verify its provenance.

The following diagram shows how SLSA works in a typical CI/CD pipeline.

Here is how it works:

  • The developer pushes code to a source code repository like GitHub.

  • A build platform like GitHub Actions picks it up and builds the artifact

  • During the build, the build platform automatically generates a provenance document describing how the artifact was created.

  • And, the artifact and the provenance are pushed to an artifact registry together.

  • Before deployment, the end user systems can verify the provenance to ensure the artifact came from the expected source repository, trusted builder, and build process.

Important Note: CI tools like GitHub Actions auto-generates the provenance document from the build context from the commit SHA, workflow file, runner identity, timestamps and attaches it to your image automatically.

Next we will look at the important concepts called SLSA trust levels.

SLSA Trust Levels

SLSA defines different levels of trust for the image build process.

It helps teams to implement security gradually instead of trying to do everything at once. As you move up the levels, the build becomes more secure and harder to tamper with.

Also, these levels provides a way to showcase your software supply chain security to customers, auditors, and regulators as well.

Lets look at each levels.

L0: No Guarantees

This is where most software projects start. There is no provenance, no verification, and no way to prove where an artifact came from.

L1: Provenance Available

At this level, the build system generates provenance for every artifact. The provenance is not yet strongly protected against tampering, but it provides an audit trail.

L2: Signed Provenance

The build runs on a hosted CI platform such as GitHub Actions, GitLab CI etc. The platform generates and signs the provenance. In this level, forging provenance is harder because an attacker would need to compromise the CI platform itself rather than a developer workstation.

L3: Hardened Build

Level 3 introduces strong protections against build system tampering. It has two key requirements.

  • Isolation. Builds run in isolated, ephemeral environments. One build cannot influence another. There will be no persistent CI agent or runners.

  • Unforgeable provenance. The build process cannot access the keys or mechanisms used to generate provenance. This means, your build script physically cannot fake its own provenance.

Enforcing Provenance Verification in Kubernetes

Provenance is useless if nobody checks it.

You need to enforce it in your Kubernetes cluster to ensure, only verified images gets deployed.

With tools like Kyverno, you can block any image that does not have a valid provenance as illustrated in the image below.

Start Here

If you're new to SLSA, don't worry about achieving Level 3 overnight.

Start with Level 1.

Simply generating provenance for your builds gives you visibility into how your artifacts are created and provides a foundation for stronger supply chain security.

From there, you can gradually adopt signed provenance, hardened builds, and runtime verification.

👨‍💻 Implementing SLSA Level 3 with GitHub Actions (Hands-On)

If you are on GitHub Actions, you can achieve SLSA Level 3 today using the official slsa-github-generator. It uses a trusted reusable workflow that runs separately from your build job, so your build steps never touch the signing material.

The following image illustrates the GitHub Actions SLSA workflow.

If you want to try this setup, we have a detailed hands on guide where you can learn the following.

  • How to create an SLSA Provenance for a container image using GitHub Actions.

  • How to verify a SLSA Provenance file

  • And what happens if the SLSA Provenance verification fails

👉 Detailed Guide: SLSA Provenance Workflow using GitHub Actions

📚 Real supply chain attacks (Case Studies)

Here are three supply chain incidents every DevOps engineer should know.

1. Recent Incident (2026): TanStack npm Supply Chain Attack

In May 2026, attackers compromised multiple TanStack npm packages by abusing GitHub Actions and publishing malicious package versions. The malware targeted developer machines and CI/CD pipelines, attempting to steal GitHub tokens, cloud credentials, SSH keys, and other secrets.

2. SolarWinds (2020)

Attackers compromised the build server itself. The malicious SUNBURST code never existed in source control. It was injected during compilation, then signed with the official SolarWinds certificate and shipped to ~18,000 organizations, including US government agencies. The source code was clean. The build was not.

3. Codecov (2021)

Attackers modified the Codecov bash uploader script that thousands of CI pipelines downloaded with curl | bash. For nearly two months, the script silently collected and exfiltrated environment variables from CI jobs. This included cloud credentials, API tokens, access keys, and other secrets stored in build environments.

4. tj-actions/changed-files (2025)

A widely used GitHub Action was compromised. The malicious version dumped CI runner memory and leaked secrets from 23,000+ repositories into public build logs. The root cause was simple. Many workflows trusted a mutable action reference (for example, @v44)instead of pinning to a specific commit.

The Common Pattern

You will notice a common pattern in these attacks. Attackers rarely target production systems first. Instead, they target the software supply chain. The build system, CI/CD pipeline, or build dependencies.

Once the build process was compromised, every artifact produced by it became untrustworthy.

This is exactly the problem SLSA is designed to solve. It provides a verifiable record of where, how, and by whom an artifact was built, making it much harder for attackers to tamper with the software supply chain without being detected.

Reply

Avatar

or to participate

Keep Reading

© 2026 DevOpsCube.
beehiivPowered by beehiiv