Implement SLSA Level 3 Supply-Chain Security: Sigstore Cosign, Rekor, Kyverno & GitHub Attestations

Sep 26, 2025 - Senior

$8,900.00 Fixed

Board-Level Risk

A SolarWinds-style supply-chain attack could cripple your $500 M revenue platform. Investors now mandate SLSA L3 compliance ( source + build + provenance ). You need signed artifacts, immutable transparency logs, and policy-enforced admission—without slowing releases.

Senior Mandate

  • 100 % of containers + Helm charts signed & verified ( Cosign ).
  • Immutable transparency log ( Rekor ) for every build.
  • Kyverno policies block unsigned/unsafe images in <200 ms.
  • GitHub native SLSA attestations ( L3 ) generated automatically.

Deep-Dive Scope

  • Sigstore Stack Deployment
    • Private Rekor ( Helm ) on EKS: Trillian-backed log on RDS Postgres, with periodic log exports to an S3 bucket for backup.
    • Private Fulcio CA trusting the Google OIDC issuer → short-lived X.509 certificates bound to the signer's OIDC identity for keyless signing ( no long-lived keys ).
    • CT log ( certificate transparency ) so every Fulcio-issued certificate is auditable; verifiers check the SCT as an extra audit trail.
  • Keyless Signing Pipeline
    • GitHub Actions job:
      • Build multi-arch image → generate SPDX SBOM ( Syft ).
      • Cosign sign with Fulcio + upload attestation to Rekor.
      • Publish signed image + SBOM to GHCR.
  • Policy Enforcement (Kyverno)
    • ClusterPolicy: verify-image-signature → REJECT if the keyless signature is missing, the certificate identity ( OIDC issuer + subject ) is not the release workflow, or the Rekor transparency-log entry cannot be verified.
    • Policy: require-sbom → deny admission if no SPDX SBOM attestation is bound to the image digest.
    • Policy: max-cve-count-5 → block if the image's Trivy vulnerability attestation reports more than 5 MEDIUM-severity findings.
  • SLSA L3 Evidence
    • GitHub native build-provenance attestation ( actions/attest-build-provenance ) stored in GitHub's attestation store, pushed to the registry next to the image, and kept alongside release assets.
    • Provenance JSON includes: source repo and commit, builder ID, workflow entry point, and build parameters.
    • Signed keylessly with the job's GitHub OIDC token ( Fulcio-issued short-lived cert ) → no long-lived keys to rotate or leak.
  • Compliance Reporting
    • SLSA conformance report ( JSON ) uploaded to auditor SharePoint.
    • Pen-test scoped to supply-chain ( SSCS ) → zero findings.
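The keyless signing pipeline and the SLSA evidence step described above, as one added example workflow. This is illustrative code, not the posting's reusable workflow: the workflow file name ( release.yml ), the tag pattern v*, and the image name ghcr.io/&lt;owner&gt;/&lt;repo&gt; are assumptions, and it targets the public Sigstore Fulcio/Rekor instances ( cosign's defaults ).

```yaml
# Added example (not the posting's own workflow). Builds a multi-arch image, signs it
# keylessly, attaches SPDX SBOM + Trivy vulnerability attestations, and emits GitHub
# native SLSA build provenance. Repo/tag/image naming is assumed, not from the posting.
name: release

on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  packages: write      # push image, signatures and attestations to GHCR
  id-token: write      # mint the job's OIDC token (Fulcio cert + GitHub attestation)
  attestations: write  # store provenance in GitHub's attestation API

env:
  IMAGE: ghcr.io/${{ github.repository }}

jobs:
  build-sign-attest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ env.IMAGE }}:${{ github.ref_name }}

      # Everything below pins the immutable digest, never the mutable tag.
      - run: echo "REF=${IMAGE}@${{ steps.build.outputs.digest }}" >> "$GITHUB_ENV"

      - uses: sigstore/cosign-installer@v3

      # Keyless: cosign trades the job's OIDC token for a short-lived Fulcio cert,
      # signs the digest, and records the signature in the Rekor transparency log.
      - name: Sign image
        run: cosign sign --yes "$REF"

      - name: Generate SPDX SBOM (Syft)
        uses: anchore/sbom-action@v0
        with:
          image: ${{ env.REF }}
          format: spdx-json
          output-file: sbom.spdx.json
          upload-artifact: false

      # SBOM becomes an in-toto attestation (predicate type https://spdx.dev/Document)
      # bound to the digest and logged in Rekor.
      - name: Attach SBOM attestation
        run: cosign attest --yes --type spdxjson --predicate sbom.spdx.json "$REF"

      # Trivy's cosign-vuln output is a ready-made predicate for `cosign attest --type vuln`.
      - name: Scan with Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.REF }}
          format: cosign-vuln
          output: trivy.vuln.json
      - name: Attach vulnerability attestation
        run: cosign attest --yes --type vuln --predicate trivy.vuln.json "$REF"

      # GitHub native SLSA provenance, signed with the same OIDC identity; pushed to the
      # registry so admission controllers can fetch it next to the image.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: ${{ env.IMAGE }}
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true
```

For the private Sigstore stack in scope, point cosign at it with `--fulcio-url`, `--rekor-url` and `--oidc-issuer` on the `sign`/`attest` steps. To reach SLSA L3 rather than L2, move these steps into a reusable workflow that caller repos invoke: the Fulcio certificate then names the reusable workflow as the signing identity, and the caller's own job steps cannot tamper with the provenance.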
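The three Kyverno rules above ( signature, SBOM, CVE budget ) folded into one admission policy, as an added example rather than the posting's policy library. It assumes images live under ghcr.io/example-org, are signed by a workflow named release.yml on a v* tag, and that signatures and attestations were logged to the public Rekor; the JMESPath over the Trivy predicate assumes Trivy's cosign-vuln layout ( scanner.result holds the Trivy report ).

```yaml
# Added example (not the posting's policy library). Org, workflow name and tag pattern
# are assumptions. With a private Fulcio/Rekor, add `roots:` (Fulcio root PEM),
# `rekor.url` + `rekor.pubkey` and `ctlog.pubkey` under each `keyless:` entry.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signature
spec:
  validationFailureAction: Enforce   # reject, do not merely audit
  background: false                   # image verification only at admission time
  webhookTimeoutSeconds: 30           # registry + Rekor round-trips happen inline
  rules:
    - name: keyless-signature-sbom-and-vuln-budget
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"
          required: true       # no signature at all => REJECT
          mutateDigest: true   # rewrite the tag to the verified digest
          verifyDigest: true
          # Signature must come from the release workflow's GitHub OIDC identity;
          # Kyverno also checks the Rekor inclusion proof carried in the signature.
          attestors:
            - count: 1
              entries:
                - keyless:
                    issuer: "https://token.actions.githubusercontent.com"
                    subject: "https://github.com/example-org/*/.github/workflows/release.yml@refs/tags/v*"
                    rekor:
                      url: https://rekor.sigstore.dev
          attestations:
            # require-sbom: no signed SPDX attestation bound to this digest => REJECT.
            - type: https://spdx.dev/Document
              attestors:
                - count: 1
                  entries:
                    - keyless:
                        issuer: "https://token.actions.githubusercontent.com"
                        subject: "https://github.com/example-org/*/.github/workflows/release.yml@refs/tags/v*"
                        rekor:
                          url: https://rekor.sigstore.dev
            # max-cve-count-5: count MEDIUM findings across all Trivy results (assumed
            # cosign-vuln predicate layout) and reject when the budget is exceeded.
            - type: https://cosign.sigstore.dev/attestation/vuln/v1
              attestors:
                - count: 1
                  entries:
                    - keyless:
                        issuer: "https://token.actions.githubusercontent.com"
                        subject: "https://github.com/example-org/*/.github/workflows/release.yml@refs/tags/v*"
                        rekor:
                          url: https://rekor.sigstore.dev
              conditions:
                - all:
                    - key: "{{ length(scanner.result.Results[].Vulnerabilities[?Severity=='MEDIUM'][]) }}"
                      operator: LessThanOrEquals
                      value: 5
```

The subject pin is the check that actually matters: any repo in the org can obtain a valid Fulcio certificate, so a policy that only verifies "signed by GitHub Actions" would admit images from a fork or a test workflow. Pin the reusable release workflow ( `subjectRegExp` is available if glob matching is too coarse ), and run the policy in Audit mode first against a staging namespace before flipping it to Enforce cluster-wide.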

Senior Artifacts

  • GitHub Actions reusable workflow ( signed + attested ) for all repos.
  • Kyverno policy library ( YAML ) + test scenarios ( kuttl ).
  • Rekor transparency log backup ( S3 Glacier ) 7-year retention.
  • Board-level slide deck: risk before → after, ROI, audit pass.

Why C-Suite Insists on Senior Talent

  • Sigstore core contributor + SLSA technical advisory group member.
  • Carried 2 IPO-bound companies to SLSA L3 without release velocity loss.
  • 60-day continuous compliance monitoring ( shared Slack ).
Posted by Chen David ( member since Aug 4, 2025; 3 jobs posted ). Duration: less than a month.