PS.1.1: Store all forms of code including source code, executable code, and configuration-as-code based on the principle of least privilege so that only authorized personnel, tools, services, etc. have access.

Sign build outputs (binaries, containers, SBOMs) and create attestations; verify in CI before promotion.

Require signed commits/tags and reject unsigned in CI to prevent unauthorized code from entering builds.

Issue short-lived certs (Fulcio) and record signatures/attestations in a transparency log (Rekor) to detect/trace tampering.

Emit and sign build provenance; verify who/what/where built the artifact before it can ship.

Define a supply-chain layout and verify each step’s materials/products to ensure nothing was tampered across the pipeline.

Automatically sign task results (images, files) in Tekton pipelines and store attestations (e.g., in Rekor).

Sign OCI artifacts (images, Helm charts) during build for later verification in registries and clusters.

Lock inputs and make builds deterministic so unauthorized changes are detectable by hash/provenance mismatch.

Lock inputs and make builds deterministic so unauthorized changes are detectable by hash/provenance mismatch.

Persist signatures, SBOMs, and policy metadata to audit build integrity across services..

Enforce content trust, robot accounts, and policy on who can push/pull; require signed artifacts before release..

Admission controller that blocks unsigned/incorrectly signed images; enforces key/issuer/subject policies.

Kubernetes policies that require image signatures, pin by digest, and forbid mutable tags in deployments.

Gate deployments with custom policies (e.g., “only signed images from approved registries/namespaces”).

Verifies OCI signatures/attestations (Cosign/Notation) at admission time and blocks anything that fails verification.

Kubernetes admission controller dedicated to verifying container image signatures before scheduling.

Verify signatures/attestations as a release gate in your CD pipeline prior to applying manifests.

Sign binaries, container images, SBOMs, and attestations during build; supports keyless signing.

Sign release tags to cryptographically tie the source to the built artifact.

Fulcio issues ephemeral signing certs; Rekor logs all signatures in a tamper-evident transparency log for downstream verification.

Automatically generate provenance metadata describing build origin, inputs, and process. Validates provenance files to ensure artifact integrity before distribution.

Defines a verifiable software supply chain layout; creates link metadata proving each build step.

Stores metadata (signatures, checksums, SBOMs) so it can be queried for verification.

Create and publish checksums for release artifacts so recipients can manually or automatically verify integrity.

Enforce content trust; ensure only signed images are stored and distributed with policy on who can push/pull; require signed artifacts before release.

Kubernetes admission controller enforcing signature/provenance policies before deployment. Admission controller that blocks unsigned/incorrectly signed images; enforces key/issuer/subject policies.

Kubernetes policies that require image signatures, pin by digest, and forbid mutable tags in deployments. Validates signatures and digests for container images before they are deployed.

Custom admission control to enforce artifact integrity and trusted signer policies.

Pluggable verification framework for OCI registries/images; works with Cosign, Notation, in-toto.

Kubernetes admission controller dedicated to signature verification and image trust policies.

Signs OCI artifacts (containers, Helm charts) and verifies them prior to install or deployment.

Used in CD pipelines or admission hooks to verify signatures and attestations match trusted keys/policies before promotion.

PS.3.1: Securely archive the necessary files and supporting data (e.g., integrity verification information, provenance data) to be retained for each software release.

PS.3.2: Collect, safeguard, maintain, and share provenance data for all components of each software release (e.g., in a software bill of materials [SBOM]).

Create immutable, signed tags for each release; preserves source snapshot for auditing

Store large binary release artifacts alongside source with integrity checks.

OSS Host and version control release artifacts (JARs, binaries, containers) with role-based access and checksum validation.

Archive build outputs in a controlled, versioned repository; supports checksums and retention policies.

Store container images with vulnerability scanning, RBAC, and signed content trust to preserve release integrity. Enforce immutable tags and prevent overwrites so deployed artifacts can always be traced back to the archived copy.

(ORT) Archive SBOMs, license files, and vulnerability reports alongside the release for compliance/audit.

Sign release artifacts before archiving so integrity can be checked later.

Enforce digest-pinned images to ensure deployments always match archived release versions.

Policy enforcement to ensure only archived, approved artifacts are deployed.

Verifies artifact signatures/attestations against archived release metadata before deployment..

Admission controller that enforces deployment of only signed images from the archived se

Long-term archival of deployed artifact versions for rollback or investigation.

Retain build provenance in a transparency log so deployed releases can be cross-verified with archived originals