CNCF On demand webinar: Keys to building trusted software in cloud native pipelines

CNCF Online Programs

September 28, 2023 at 7:00 AM UTC – September 29, 2023 at 7:00 AM UTC

Virtual event

About this event

You’ve started to shift security left in order to catch security issues earlier in development, but are you using trusted, verified open source software components when writing your code? Are you signing your code commits and image builds so deployment tooling and processes can verify authenticity with auditable components?

In this session, we discuss steps to trust – but verify – the same open source software packages you have come to rely on. You will see how to stay ahead of regulatory and compliance standards and leave this talk with a deeper understanding of how to:

  • Access a curated content repository library with provenance and attestations that are maintained to SLSA standards

  • Identify source code transitive dependencies and vulnerabilities for both in-house and COTS applications from a local IDE

  • Use Project sigstore’s Fulcio keyless signing to sign code commits with Project sigstore’s GitSign, to sign images, and to store the attestations of the build pipeline

  • Verify code commits signed keylessly with Project sigstore’s GitSign, then validate the artifact metadata with Project sigstore’s Cosign and the Rekor immutable ledger

  • Manage, monitor and analyze relationships with your security metadata (SBOMs, VEXs) using Graph for Understanding Artifact Composition (GUAC)


  • Michelle DiPalma

    Red Hat

    Principal Product Manager

  • Veda Shankar

    Red Hat

    Senior Principal Product Manager, Cloud Data Services


  • Ihor Dvoretskyi

    Cloud Native Computing Foundation


  • Kristi Tan



  • Chris Aniszczyk

    Linux Foundation (CNCF)


  • Libby Schulze