It has been a big month for supply chain security! GitHub recently announced the public beta for npm package provenance. This adds new functionality to npmjs.com and the npm CLI that allows package maintainers to generate and upload SLSA Build Level 2 provenance along with their packages. Integration with Sigstore enables verification of signature and certificate metadata so users know that the package came from the expected source repository.| SLSA
Answers to questions frequently asked about SLSA.| SLSA
Before diving into the SLSA specification levels, we need to establish a core set of terminology and models to describe what we’re protecting.| SLSA
A comparison of tools to sign/verify Docker images and create image attestations, explaining important concepts & providing tool recommendations.| AugmentedMind.de
Why the buzz? Spotlight on some over-looked approaches| softwareanalyst.substack.com
