Sign in Subscribe

Secure Your Pipeline: Automating SBOMs and Artifact Signing with Syft and Sigstore

Fortify your software supply chain against attacks. Learn how to automate SBOM generation with Syft and artifact signing with Sigstore in your CI/CD pipeline.

Secure Your Pipeline: Automating SBOMs and Artifact Signing with Syft and Sigstore
Photo by Lucas van Oort on Unsplash

In the modern software landscape, code integrity is no longer just about writing bug-free logic; it is about provenance. The ripples of the SolarWinds and Log4j incidents have fundamentally shifted how CTOs and developers view the software supply chain. It is no longer sufficient to secure your production environment; you must secure the factory floor where the software is built.

For IT professionals and decision-makers, the challenge is twofold: visibility and trust. How do you know exactly what libraries are inside your container images? And how can you prove that the image running in your Kubernetes cluster is the exact same one your CI/CD pipeline built? Enter the dynamic duo of Syft and Sigstore.

At Nohatek, we believe that security should be an enabler, not a bottleneck. In this guide, we will explore how to fortify your development lifecycle by automating the generation of Software Bills of Materials (SBOMs) and implementing cryptographic signing for your artifacts.

Commit Virtual 2021: Securing the Software Supply Chain with SBOM and Attestation - GitLab

The Visibility Crisis: Why You Need an SBOM

traffic light with red light
Photo by Ray Reyes on Unsplash

Modern applications are rarely written from scratch. They are assembled like LEGO structures, relying heavily on open-source libraries, frameworks, and base images. While this accelerates development, it creates a massive blind spot. If a vulnerability is discovered in a transitive dependency (a library used by a library you use), how quickly can you identify which of your services are affected?

This is where the Software Bill of Materials (SBOM) becomes critical. An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships. It is essentially the ingredients list on a food package.

The Executive Order 14028 on Improving the Nation’s Cybersecurity explicitly mandates SBOMs for software vendors selling to the US government, setting a standard that the private sector is rapidly adopting.

Without an automated SBOM process, your security team is operating in the dark. Manual tracking is impossible at the speed of DevOps. By integrating SBOM generation into your build pipeline, you transform a compliance headache into a powerful security asset, allowing for near-instant vulnerability mapping when the next zero-day threat emerges.

Automating Inventory with Syft

a black and white photo of a table with legos
Photo by Danny Salazar on Unsplash

To solve the visibility problem, we turn to Syft. Developed by Anchore, Syft is a CLI tool and Go library for generating SBOMs from container images and filesystems. What makes Syft a preferred choice for Nohatek’s engineers is its versatility and depth. It doesn't just look at the OS package manager; it digs into language-specific packages (Python, Go, Java, JavaScript, etc.) to create a comprehensive map of your software.

Syft supports the major industry standard formats: SPDX (Software Package Data Exchange) and CycloneDX. This interoperability ensures that the data you generate can be consumed by vulnerability scanners (like Grype) or governance platforms.

Here is how simple it is to generate an SBOM for a container image:

# Install Syft
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

# Generate an SBOM in SPDX JSON format
syft packages docker:your-app:latest -o spdx-json > sbom.json

In a CI/CD context, you would run this immediately after building your Docker image. This JSON file becomes an artifact that travels with your release, providing a permanent record of exactly what went into that specific build.

Establishing Trust with Sigstore and Cosign

a closed padlock on a black surface
Photo by Kedibone Isaac Makhumisane on Unsplash

Visibility is step one. Step two is integrity. Even if you scan your image for vulnerabilities, how do you prevent a malicious actor from injecting code into your container between the build server and the production cluster? You need a digital signature.

Historically, signing software was painful. It involved managing GPG keys, securing private keys on hardware tokens, and complex verification chains. Sigstore changes the game by making software signing as easy as using TLS for HTTPS. Specifically, we utilize Cosign, a tool within the Sigstore project designed for container signing.

Cosign allows you to sign a container image and store that signature directly in the OCI registry alongside the image. This means you don't need a separate database to manage signatures. Furthermore, Sigstore supports "keyless" signing, which uses OpenID Connect (OIDC) identities (like your GitHub or Google identity) to sign artifacts, backed by a transparency log.

A typical signing workflow looks like this:

# Generate a key pair (for standard signing)
cosign generate-key-pair

# Sign the image
cosign sign --key cosign.key your-registry/your-app:latest

# Verify the image (in your deployment pipeline)
cosign verify --key cosign.pub your-registry/your-app:latest

By enforcing verification in your Kubernetes cluster (using an admission controller), you can ensure that only images signed by your trusted CI pipeline are ever allowed to run.

The Integrated Workflow: DevSecOps in Action

black and brown checkered textile
Photo by Nick Fewings on Unsplash

The true power of these tools is realized when they are orchestrated together in a pipeline. At Nohatek, we recommend a workflow that treats security metadata as a first-class citizen alongside the application code.

Consider a GitHub Actions or GitLab CI pipeline flow:

  1. Build: The container image is built from the source.
  2. Analyze: Syft scans the image and generates the SBOM.
  3. Attest: Using Cosign, we create an attestation. This attaches the SBOM to the image in the registry, cryptographically signed.
  4. Sign: The image itself is signed to prove its origin.
  5. Deploy: The deployment target verifies the signature before pulling the image.

This creates an immutable chain of custody. You are no longer guessing about the state of your supply chain; you have cryptographic proof. If an audit is required, you can retrieve the SBOM attestation directly from the registry using Cosign:

cosign verify-attestation --key cosign.pub your-registry/your-app:latest

This approach significantly lowers the barrier to entry for robust supply chain security. It automates compliance tasks that used to take days, reducing them to seconds within the build process.

Fortifying the software supply chain is no longer an optional "nice-to-have" for enterprise technology; it is a necessity. By leveraging open-source tools like Syft and Sigstore, you can bring transparency and trust to your development lifecycle without sacrificing velocity.

Automating SBOM generation and artifact signing protects your organization from supply chain attacks, simplifies regulatory compliance, and provides peace of mind that the code running in production is the code you intended to build.

Ready to secure your infrastructure? At Nohatek, we specialize in building resilient, secure cloud architectures and DevSecOps pipelines. Whether you need assistance integrating these tools or architecting a zero-trust environment, our team is here to help you build with confidence.