Fortifying the Software Supply Chain: Automating SBOM Generation and Image Signing with Syft and Cosign
Secure your CI/CD pipeline against supply chain attacks. Learn how to automate SBOM generation with Syft and container signing with Cosign in this comprehensive guide.
In the wake of high-profile security incidents like the SolarWinds breach and the Log4j vulnerability, the phrase "Software Supply Chain Security" has migrated from niche DevSecOps discussions to the boardroom agendas of major enterprises. For CTOs and tech decision-makers, the reality is stark: it is no longer sufficient to secure just your production environment; you must secure the entire factory floor that builds your software.
Modern cloud-native development relies heavily on containers and open-source dependencies. While this accelerates innovation, it creates a massive, often opaque attack surface. If you cannot verify exactly what libraries are inside your container images, or guarantee that the image running in your Kubernetes cluster is the exact same one your CI pipeline built, you are operating with unacceptable risk.
At Nohatek, we believe that security should be an enabler, not a bottleneck. In this guide, we will explore a practical, automated approach to hardening your delivery pipeline using two powerful open-source tools: Syft for generating Software Bills of Materials (SBOMs) and Cosign for container image signing. By integrating these tools, organizations can establish a verifiable chain of custody for their software artifacts.
The Strategic Imperative: Why SBOMs and Signing Matter
Before diving into the technical implementation, it is crucial to understand the strategic value of these components. The days of treating container images as "black boxes" are over. Regulatory bodies and industry standards (such as the US Executive Order 14028) are increasingly mandating transparency in software delivery.
The Role of the SBOM (Software Bill of Materials)
An SBOM is effectively a list of ingredients for your software. It details every package, library, and dependency included in your build. Without an SBOM, when the next critical vulnerability is announced, your security team is left guessing. With an SBOM, you can instantly query your entire software estate to answer the question: "Which of our services are using the vulnerable version of this library?"
Transparency is the prerequisite for trust. You cannot secure what you cannot see, and you cannot trust what you cannot verify.
The Role of Image Signing
While an SBOM tells you what is in the box, image signing proves that the box hasn't been tampered with. In a typical attack vector, a bad actor might inject malicious code into a container image between the build stage and the deployment stage. Cryptographic signing ensures that the container registry rejects any image that does not bear your organization's digital signature, guaranteeing the integrity of your workload.
Deep Dive: Automating Transparency with Syft
Syft, developed by Anchore, is a CLI tool and Go library for generating SBOMs from container images and filesystems. It is favored in the DevSecOps community for its speed, accuracy, and ability to inspect deep into container layers.
Syft supports multiple output formats, including SPDX, CycloneDX, and its own JSON format. For enterprise integration, standardization on SPDX or CycloneDX is recommended as these are easily ingested by vulnerability scanners and compliance tools.
Implementing Syft
Using Syft is straightforward. In a local environment, you can generate an SBOM for a Docker image with a single command:
# Install Syft
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
# Generate an SBOM in SPDX JSON format
syft packages docker:nohatek/my-app:latest -o spdx-json > sbom.jsonThis command inspects the `nohatek/my-app:latest` image, catalogues the operating system packages (APK, DEB, RPM) and language-specific dependencies (Go modules, Python pip, Java JARs, NPM packages), and outputs the data to `sbom.json`. This file should be stored as a build artifact alongside your container image, creating a permanent record of the build's composition.
Ensuring Integrity: Signing Images with Cosign
Once we have documented the contents of our image, we must seal it. Cosign is part of the Sigstore project, an initiative under the OpenSSF (Open Source Security Foundation) to improve software supply chain security. Cosign makes container signing, verification, and storage in OCI (Open Container Initiative) registries accessible and user-friendly.
Key Management vs. Keyless Signing
Cosign supports two primary modes: managing your own private/public key pairs, or "keyless" signing using OpenID Connect (OIDC) identities. For organizations just starting, managing a long-lived key pair is often the easiest way to grasp the concepts, though keyless signing is the future of automated identity.
Signing an Image
Here is how you can generate a key pair and sign an image:
# 1. Generate a key pair (creates cosign.key and cosign.pub)
cosign generate-key-pair
# 2. Sign the container image pushed to your registry
# You will be prompted for the password for your private key
cosign sign --key cosign.key nohatek/my-app:latestOnce signed, the signature is stored in the registry alongside the image. This allows your Kubernetes cluster (using an admission controller like Kyverno or OPA Gatekeeper) to verify the signature before pulling the image.
# Verify the signature using the public key
cosign verify --key cosign.pub nohatek/my-app:latestIf the verification fails, it means the image has been modified or the signature is invalid, and the deployment should be blocked immediately.
Putting It Together: A Secure CI/CD Pipeline
The true power of these tools is realized when they are automated within your CI/CD pipeline (e.g., GitHub Actions, GitLab CI, or Jenkins). Manual signing is not scalable; security must be code.
Below is a conceptual example of how to integrate Syft and Cosign into a GitHub Actions workflow. This workflow builds the image, generates the SBOM, pushes the image, and finally signs it.
name: Secure Build Pipeline
jobs:
build-and-sign:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
# Build the Docker Image
- name: Build Docker Image
run: docker build -t ghcr.io/nohatek/app:${{ github.sha }} .
# Generate SBOM with Syft
- name: Generate SBOM
uses: anchore/sbom-action@v0
with:
image: ghcr.io/nohatek/app:${{ github.sha }}
artifact-name: sbom.spdx.json
# Log in to Registry
- name: Login to GitHub Container Registry
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Push Image
- name: Push Image
run: docker push ghcr.io/nohatek/app:${{ github.sha }}
# Install Cosign
- uses: sigstore/cosign-installer@main
# Sign the Image
- name: Sign the images
run: |
cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/nohatek/app:${{ github.sha }}
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}By implementing this workflow, every single deployment is accompanied by a bill of materials and a cryptographic seal of approval. This moves security from a reactive "scan and patch" process to a proactive "verify and trust" model.
Fortifying the software supply chain is no longer optional; it is a critical component of modern operational resilience. By leveraging tools like Syft for visibility and Cosign for integrity, organizations can construct a defense-in-depth strategy that protects against tampering and accelerates vulnerability management.
However, implementing these tools is just the first step. The broader challenge lies in integrating them into a cohesive cloud strategy, managing keys securely, and configuring admission controllers to enforce these policies in production.
Ready to elevate your security posture? At Nohatek, we specialize in helping companies navigate the complexities of Cloud, AI, and DevSecOps. Whether you need to audit your current pipeline or build a secure supply chain from the ground up, our team is ready to assist.