Chapter 3
Through the Gate
Trusted Supply Chain
Their nervousness is justified: a forged message is already an attempted breach. Gord's answer is the security principle itself — reduce exposure and avoid untrusted intermediaries.
To protect your supply chain:
- Use trusted registries only.
- Verify images with signatures.
- Require SBOMs for transparency.
- Minimize third-party services that can observe, alter, or leak your workflows.
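The four rules above can be turned into a mechanical admission check that runs before an image is deployed. The following Python is an added example written for this chapter, not code from the book or from any named tool. It assumes a constructed allow-list of trusted registries, a constructed image manifest, a constructed CycloneDX-style SBOM, and a pluggable `signature_ok` callback standing in for a real signature verifier such as `cosign verify`; the digest check itself is real (sha256 over the manifest bytes), and the reasons a rejected image fails are collected so the verdict is auditable.

```python
"""Supply-chain admission check (constructed example for this chapter).

Enforces, for one container image reference:
  1. the image comes from an allow-listed registry,
  2. the image is pinned by digest and the digest matches the manifest bytes,
  3. a signature exists for that digest (checked via a caller-supplied callback),
  4. an SBOM is present, parses, and lists at least one component.
"""
import hashlib
import json
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Assumption: the organisation's trusted registries / org prefixes.
TRUSTED_REGISTRIES = {"registry.internal.example", "ghcr.io/example-org"}

# Reference grammar handled here: [registry/]repo[:tag][@sha256:hex]
# (host:port registries such as localhost:5000 are deliberately out of scope).
_REF_RE = re.compile(
    r"^(?P<name>[^:@\s]+)"
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


@dataclass
class ImageRef:
    registry: str
    repo: str
    tag: Optional[str]
    digest: Optional[str]


@dataclass
class Verdict:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def parse_ref(ref: str) -> ImageRef:
    """Split an image reference into registry, repo, tag and digest."""
    m = _REF_RE.match(ref)
    if not m:
        raise ValueError(f"malformed image reference: {ref!r}")
    name = m.group("name")
    first, _, rest = name.partition("/")
    # Docker convention: the first path component is a registry only if it
    # looks like a hostname (contains a dot); otherwise it is a Docker Hub path.
    if rest and "." in first:
        registry, repo = first, rest
    else:
        registry, repo = "docker.io", name
    return ImageRef(registry, repo, m.group("tag"), m.group("digest"))


def check_image(ref: str, manifest: bytes, sbom_json: Optional[str],
                signature_ok: Callable[[str], bool]) -> Verdict:
    """Apply the chapter's four rules and return an auditable verdict."""
    reasons: List[str] = []
    img = parse_ref(ref)
    full = f"{img.registry}/{img.repo}"

    # Rule 1: trusted registries only (exact match or org prefix).
    if not any(full == t or full.startswith(t + "/") for t in TRUSTED_REGISTRIES):
        reasons.append(f"untrusted registry: {full}")

    # Rule 2: digest pinning; a mutable tag alone can be silently repointed.
    if img.digest is None:
        reasons.append("image not pinned by digest (mutable tag only)")
    else:
        actual = "sha256:" + hashlib.sha256(manifest).hexdigest()
        if actual != img.digest:
            reasons.append("manifest digest mismatch")

    # Rule 3: signature over the digest (verifier supplied by the caller).
    if not signature_ok(img.digest or ""):
        reasons.append("no valid signature for this digest")

    # Rule 4: SBOM present and meaningful.
    if sbom_json is None:
        reasons.append("SBOM missing")
    else:
        try:
            sbom = json.loads(sbom_json)
        except json.JSONDecodeError:
            reasons.append("SBOM unparseable")
        else:
            if sbom.get("bomFormat") != "CycloneDX" or not sbom.get("components"):
                reasons.append("SBOM not CycloneDX or lists no components")

    return Verdict(allowed=not reasons, reasons=reasons)


# --- constructed sample inputs (not real artifacts) -------------------------
MANIFEST = b'{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json"}'
GOOD_DIGEST = "sha256:" + hashlib.sha256(MANIFEST).hexdigest()
GOOD_REF = f"registry.internal.example/team/app:1.4.2@{GOOD_DIGEST}"
BAD_REF = "nginx:latest"  # public hub, mutable tag, no digest
SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                   "components": [{"name": "openssl", "version": "3.0.13"}]})
SIGNED_DIGESTS = {GOOD_DIGEST}  # stand-in for a signature log / cosign result


def demo() -> dict:
    """Run both sample images through the check."""
    verifier = lambda d: d in SIGNED_DIGESTS
    return {
        "good": check_image(GOOD_REF, MANIFEST, SBOM, verifier),
        "bad": check_image(BAD_REF, MANIFEST, None, verifier),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "ALLOW" if verdict.allowed else "DENY", verdict.reasons)
```

The design point is that each rule produces its own reason string rather than a single boolean, so a denied deployment tells the operator which control failed (registry, pin, signature, or SBOM) and the decision can be logged and audited.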
Using Böhler's omnibus is convenient, but it introduces an untrusted intermediary who could compromise their plans. This is similar to introducing third-party libraries or services into your software supply chain, which can introduce vulnerabilities.
Exercise
- What are your criteria for choosing third-party libraries for your projects?
- How do you integrate these libraries into your code? Do you always wrap them with your own abstraction layer?
- Do you use private registries for your container images?
- Learn more about Sigstore and how to sign and verify container images.

