Things like Infrastructure as Code, Service Discovery and Config Management can and have helped us to quickly build and rebuild infrastructure but we haven't nearly spend enough time to train ourselves to review, monitor and respond to outages.

With the the introduction of CI/CD best practices into our day to day workflows we protect ourselves for introducing "bad" code into production and exposing flaws to our (end-)users. But what about influences from bad actors in- and out-side our projects. This talk will focus on the additional steps we can add to our build pipelines to also protect ourselves to so called supply chain attacks while running our application platforms. We ll discuss scanning for vulnerabilities in incoming code, packages and images and signing the content artefacts we trust before exposing them to our users.