Talk

Beyond SBOMs: The Future of Container Supply Chain Security

How modern supply-chain attacks unfold and how the next generation of tools—attestations, provenance, and signing—can prevent a repeat of the 2025 NPM breach.

May 6, 2026
DevOpsDays Zurich 2026 · Zurich, Switzerland
When a single phished NPM maintainer led to 18 compromised libraries—including Chalk and Debug, downloaded billions of times weekly—it proved one thing: SBOMs alone aren’t enough.

In this talk at DevOpsDays Zurich 2026, I explore how modern supply-chain attacks unfold and how the next generation of tools—attestations, provenance, and signing—can prevent a repeat of the September 2025 NPM breach.

Key Takeaways

  • 🧠 Understand how the 2025 NPM supply-chain attack happened—and why traditional SBOMs couldn’t stop it.
  • 📦 Pin & lock dependencies to prevent malicious updates from sneaking in.
  • 🧱 Generate, sign, and verify attestations using Docker Scout + Cosign + Rekor.
  • 🔒 Adopt zero-trust build pipelines with SLSA levels + OCI 1.1 referrers.
  • 🧰 Defend proactively with seven practical strategies: block lifecycle scripts, use hardware keys, and continuously scan with Snyk / Trivy / Scout.
  • 🚀 Turn compliance into confidence by making your entire container lifecycle verifiable.

The session combines deep technical demos with hard-won lessons from the largest NPM attack ever—and insights from my book Docker and Kubernetes Security—turning supply-chain horror stories into actionable DevSecOps practices.

Invite Me to Speak

Available for conferences, workshops, corporate training, and meetups. I can present remotely or travel to your event.