Fostering Trust and Transparency in Software Supply Chain
We check the ingredients on food labels because we care about what we consume. But when it comes to software, do you get the same level of transparency? Can you know every component used to build a piece of software? How sure are you that the list of components has not been tampered with?
In this talk, we’ll explore how a Software Bill of Materials (SBOM) can be attested to provide a tamper-proof list of the libraries, tools, and processes used to develop, build, and deploy software.
We’ll dive into how we can integrate Syft in a Tekton pipeline to generate accurate, tamper-proof SBOMs using in-toto attestations. The attested SBOM will be attached to the container image using cosign. You’ll also learn how to verify container images for accurate, untampered SBOMs using Enterprise Contracts.
We will demonstrate these controls in a sample application’s CI pipeline. We’ll make the content available in a git repository, giving attendees ready-to-use examples to implement in their projects.
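As an added illustration of the Syft-to-cosign flow described above (not the talk's own repository code), the Tekton Task below generates an SPDX SBOM, attaches it to the image as a signed in-toto attestation, and refuses to pass unless that attestation verifies. The task name, the `signing` workspace layout (cosign.key / cosign.pub), the `cosign-key` secret and the image tags are assumptions; it also assumes the image is already pushed and the pod has registry credentials. The Enterprise Contract policy check is not shown.

```yaml
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: sbom-attest                # hypothetical task name
spec:
  params:
    - name: IMAGE
      description: Image reference to attest; pass it by digest so the SBOM is bound to exact bits
  workspaces:
    - name: signing
      description: Secret-backed workspace holding cosign.key and cosign.pub (assumed layout)
  steps:
    # 1. Syft scans the pushed image and writes an SPDX JSON SBOM into the
    #    /workspace emptyDir that every step of this Task shares.
    - name: generate-sbom
      image: anchore/syft:latest        # pin by digest in a real pipeline
      command: ["syft"]
      args: ["$(params.IMAGE)", "-o", "spdx-json=/workspace/sbom.spdx.json"]
    # 2. cosign wraps the SBOM in an in-toto Statement whose subject is the
    #    image digest, signs it as a DSSE envelope, and stores it in the
    #    registry next to the image.
    - name: attest-sbom
      image: gcr.io/projectsigstore/cosign:latest   # pin by digest in a real pipeline
      env:
        - name: COSIGN_PASSWORD
          valueFrom:
            secretKeyRef: { name: cosign-key, key: password }   # assumed secret
      command: ["cosign"]
      args:
        - attest
        - --yes
        - --key=$(workspaces.signing.path)/cosign.key
        - --type=spdxjson
        - --predicate=/workspace/sbom.spdx.json
        - $(params.IMAGE)
    # 3. Fail the Task unless a signed SPDX attestation for this exact image
    #    can be fetched and verified with the matching public key; a
    #    tampered or missing SBOM stops the pipeline here.
    - name: verify-attestation
      image: gcr.io/projectsigstore/cosign:latest
      command: ["cosign"]
      args:
        - verify-attestation
        - --key=$(workspaces.signing.path)/cosign.pub
        - --type=spdxjson
        - $(params.IMAGE)
```

Because the attestation subject is the image digest, a consumer can run the same `verify-attestation` step against any copy of the image to confirm the SBOM is the one produced in CI.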