Session

Kicking Security Chain Attacks to the Curb with Kyverno and Notary in GitOps

As supply chain initiatives drove the need to distribute detached signatures for container images and signed SBOMs, reference types became necessary to attach this supplementary information to images in an OCI registry. With support for the Referrers API in the OCI v1.1 spec, it becomes straightforward to associate software supply chain artifacts with container images during content distribution. It also allows policy tools like Kyverno to consume the data in those supply chain artifacts for security checks before deployment.

Modern Kubernetes deployments span multiple applications, clusters, and environments, especially in large organizations. How can you verify image integrity, security, and compliance when managing applications at that scale?

In this session, Feynman Zhou and Shuting Zhao will showcase how you can establish trust for container images and verify resources using CNCF projects like Notary, Kyverno, and ORAS. They will demonstrate how to implement these tools in GitOps to improve software supply chain security.

Shuting Zhao

Kyverno maintainer, Staff Engineer at Nirmata
