Supply Chain Security
SecureBuild strengthens your container supply chain by building images from verified source, generating SBOMs, and signing images and attestations. This page explains how each piece fits together.
Source Verification
Every image is built from source code fetched from official repositories. SecureBuild verifies integrity before building:
- SHA256 checksum validation of source artifacts
Builds run on isolated, ephemeral VMs with a minimal base environment, so there is no persistent state between builds.
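As an added illustration of the checksum step described above (example code, not SecureBuild's own build tooling), the script below parses a `SHA256SUMS`-style manifest of the kind that ships with a source release, streams each listed artifact through SHA-256, and compares the result in constant time before anything is unpacked. The file names, contents and manifest are constructed inside a temporary directory so it runs offline.

```python
"""Verify fetched source artifacts against a SHA256SUMS-style manifest.

Added example; this is not SecureBuild's code. It shows the checksum step a
build pipeline runs before it unpacks anything: parse the manifest that ships
with a release, hash each listed file in chunks, and compare with a
constant-time comparison. The sample files and manifest are constructed
inside a temporary directory so the demo runs offline.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse `sha256sum` output lines ("<hex>  <file>" or "<hex> *<file>")."""
    expected: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        name = rest.lstrip(" *")  # second space, or '*' for binary mode
        digest = digest.lower()
        if len(digest) != 64 or set(digest) - HEX:
            raise ValueError(f"malformed digest in manifest line {line!r}")
        # Refuse names that could point outside the artifact directory.
        if not name or "/" in name or "\\" in name or name in {".", ".."}:
            raise ValueError(f"unsafe file name in manifest line {line!r}")
        expected[name] = digest
    return expected


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large tarballs are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_artifacts(directory: Path, manifest_text: str) -> dict[str, str]:
    """Return {file name: "ok" | "mismatch" | "missing"} for every manifest entry."""
    results: dict[str, str] = {}
    for name, want in parse_sha256sums(manifest_text).items():
        path = directory / name
        if not path.is_file():
            results[name] = "missing"
            continue
        got = sha256_file(path)
        results[name] = "ok" if hmac.compare_digest(got, want) else "mismatch"
    return results


def all_verified(results: dict[str, str]) -> bool:
    """A build may proceed only when every listed artifact is present and matches."""
    return bool(results) and all(status == "ok" for status in results.values())


def demo() -> dict[str, str]:
    """Constructed scenario: one good artifact, one tampered, one never downloaded."""
    good = b"constructed contents of app-1.0.tar.gz"
    lib_original = b"constructed contents of lib-2.0.tar.gz"
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "app-1.0.tar.gz").write_bytes(good)
        # The manifest lists the digest of the original; the file on disk differs.
        (d / "lib-2.0.tar.gz").write_bytes(lib_original + b" plus injected bytes")
        manifest = "\n".join([
            "# constructed SHA256SUMS",
            f"{hashlib.sha256(good).hexdigest()}  app-1.0.tar.gz",
            f"{hashlib.sha256(lib_original).hexdigest()} *lib-2.0.tar.gz",
            f"{'0' * 64}  absent-3.0.tar.gz",
        ])
        return verify_artifacts(d, manifest)


if __name__ == "__main__":
    outcome = demo()
    for name, status in outcome.items():
        print(f"{status:9} {name}")
    print("build may proceed:", all_verified(outcome))
```

The manifest itself is only as trustworthy as the channel it came from; in practice it is fetched from the official repository together with the artifact and, where the project offers it, checked against a signature over the manifest before these digests are used.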
Software Bill of Materials (SBOM)
Each image includes a Software Bill of Materials so you can see exactly what is inside. SecureBuild generates SBOMs in SPDX format, including:
- Packages and versions
- License information
- Dependency relationships
- Runtime dependencies
SBOMs are stored as OCI artifacts and can be accessed via your registry (e.g. using the referrers API or the dashboard).
Image Signing
Images are signed with Sigstore/Cosign. You can verify them with either key-based or keyless verification, depending on how your deployment is configured:
- Key-based: run
  cosign verify --key <public-key> <image-ref>
  with the public key for your environment.
- Keyless: run
  cosign verify --certificate-oidc-issuer <issuer> --certificate-identity <identity> <image-ref>
  The exact issuer and identity values are shown in the SecureBuild dashboard for your images.
The image reference should be the full registry path (e.g. <registry-host>/<repo>:<tag>) that you use to pull the image.
Attestations
Build attestations are produced as DSSE envelopes and can include the SBOM as a predicate. They are stored as OCI artifacts alongside the image. You can download and verify them with:
cosign download attestation --predicate-type=https://spdx.dev/Document <image-ref>
cosign verify-attestation --type https://spdx.dev/Document <options> <image-ref>
The same keyless or key-based options used for image verification apply to attestation verification. Check the dashboard for the exact commands for your registry and identity.
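To make concrete what an attestation looks like once downloaded, and which structural checks sit behind `cosign verify-attestation`, here is an added example (not SecureBuild's code and not part of the page above) that decodes a DSSE envelope, computes the pre-authentication encoding the signature actually covers, checks the in-toto statement's type and predicate type, binds the statement to the image digest, and then lists the packages, versions and licenses from the SPDX predicate described in the SBOM section. The envelope, image name and digest are constructed placeholders, and the signature field is a placeholder that is not cryptographically checked; that check against the trusted key or Fulcio certificate is the part cosign performs.

```python
"""Inspect a DSSE envelope that wraps an in-toto statement with an SPDX predicate.

Added example; this is not SecureBuild's code. It mirrors the structural
checks that `cosign verify-attestation` performs before it trusts a predicate:
the envelope's payloadType, the pre-authentication encoding (PAE) that the
signature covers, the statement's predicateType, and that the subject digest
matches the image you pulled. The envelope is constructed inline, with a
placeholder signature that is not cryptographically checked here.
"""
import base64
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"
STATEMENT_TYPES = {"https://in-toto.io/Statement/v0.1", "https://in-toto.io/Statement/v1"}


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes that are signed.

    PAE(type, body) = "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body
    """
    t = payload_type.encode("utf-8")
    return b" ".join([b"DSSEv1", str(len(t)).encode(), t, str(len(payload)).encode(), payload])


def signed_bytes(envelope_json: str) -> bytes:
    """Return the PAE bytes a verifier must check every signature against."""
    env = json.loads(envelope_json)
    return pae(env["payloadType"], base64.b64decode(env["payload"]))


def extract_spdx_predicate(envelope_json: str, expected_sha256: str) -> dict:
    """Decode the envelope, validate the statement, and return the SPDX document.

    Raises ValueError on any structural mismatch. Verifying the signatures over
    signed_bytes(...) with the trusted key or Fulcio certificate is the step
    cosign performs and this offline example deliberately leaves out.
    """
    env = json.loads(envelope_json)
    if env.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    if not env.get("signatures"):
        raise ValueError("envelope carries no signatures")
    statement = json.loads(base64.b64decode(env["payload"]))
    if statement.get("_type") not in STATEMENT_TYPES:
        raise ValueError(f"unexpected statement type {statement.get('_type')!r}")
    if statement.get("predicateType") != SPDX_PREDICATE_TYPE:
        raise ValueError(f"unexpected predicateType {statement.get('predicateType')!r}")
    # The subject binds the attestation to one image digest; an attestation
    # for a different digest must not be accepted for the image you pulled.
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == expected_sha256 for s in subjects):
        raise ValueError("attestation subject does not match the expected image digest")
    return statement["predicate"]


def list_packages(spdx_doc: dict) -> list[tuple[str, str, str]]:
    """(name, version, concluded license) for every package in the SBOM, sorted."""
    return sorted(
        (p["name"], p.get("versionInfo", ""), p.get("licenseConcluded", "NOASSERTION"))
        for p in spdx_doc.get("packages", [])
    )


def build_sample_envelope(image_sha256: str) -> str:
    """Constructed sample envelope for the demo (placeholder signature, not real)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": "registry.example/securebuild/app", "digest": {"sha256": image_sha256}}],
        "predicateType": SPDX_PREDICATE_TYPE,
        "predicate": {
            "spdxVersion": "SPDX-2.3",
            "name": "app",
            "packages": [
                {"name": "openssl", "versionInfo": "3.0.13", "licenseConcluded": "Apache-2.0"},
                {"name": "zlib", "versionInfo": "1.3.1", "licenseConcluded": "Zlib"},
            ],
        },
    }
    payload = json.dumps(statement, separators=(",", ":")).encode()
    envelope = {
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "", "sig": base64.b64encode(b"placeholder-signature").decode()}],
    }
    return json.dumps(envelope)


if __name__ == "__main__":
    digest = "0" * 64  # placeholder digest of the image you pulled
    env = build_sample_envelope(digest)
    print("signature covers %d bytes, starting %r" % (len(signed_bytes(env)), signed_bytes(env)[:40]))
    for name, version, lic in list_packages(extract_spdx_predicate(env, digest)):
        print(f"{name} {version} ({lic})")
    try:
        extract_spdx_predicate(env, "f" * 64)  # attestation for some other image
    except ValueError as exc:
        print("rejected:", exc)
```

The digest check is the one most often skipped by hand-rolled tooling: an envelope can carry a perfectly valid signature and a well-formed SBOM and still describe a different image, so the subject digest must be compared against the digest of the image you actually pulled, not against the tag.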
Summary
Together, verified source, SBOMs, signing, and attestations give you a clear record of what was built, from what source, and how to verify it. For the full flow from patch detection to delivery, see How It Works.
