A useful container supply-chain baseline does not require an enterprise platform. Start by tying each image to a source revision, producing an SBOM, recording build provenance, and reviewing those artifacts before deployment.
What does each artifact prove?
An SBOM describes components present in an image. Provenance describes how an artifact was built and what source or workflow produced it. A signature can help verify integrity and publisher identity. None of these alone proves that an image is vulnerability-free or safe to run.
Minimum workflow
- Build from a reviewed source revision.
- Record an immutable image digest.
- Generate an SPDX- or CycloneDX-compatible SBOM.
- Produce provenance through the build system.
- Store artifacts with the image or registry metadata.
- Review critical findings and provenance before deployment.
- Keep the deployed digest and review decision traceable.
This complements Docker signing and provenance and should be connected to the Compose deployment inventory, not kept as a separate spreadsheet.
Avoid compliance theater
Do not block every deployment on an unreviewed scanner count. Define which findings require action, who accepts risk, how exceptions expire, and what evidence is retained. A small, repeatable gate is better than an elaborate process nobody follows.
Sources
- SPDX: https://spdx.dev/
- CycloneDX: https://cyclonedx.org/
- SLSA: https://slsa.dev/
- Sigstore: https://www.sigstore.dev/