Securing the Software Supply Chain with Trivy: A Shift-Left Approach
DevSecOps Cloud Security Kubernetes Platform Engineering CI/CD IaC
EP AI 2026-06-30

In this episode, we dive into the world of software supply chain security, exploring how Trivy can be used for vulnerability management, and delving into SBOMs, SLSA, and container image signing. Join us as we discuss the integration of these tools in CI pipelines and the importance of shift-left security practices. From Kubernetes to IaC, we'll cover the essential tools and frameworks for securing your enterprise's software supply chain.

Speakers: daniel, diana

Show Notes

This episode covers using Trivy to scan container images, Kubernetes clusters, and IaC, and to generate SBOMs in the CycloneDX and SPDX formats. We also discuss the SLSA framework, including its build levels and provenance attestations, and explore container image signing with Cosign and Sigstore. Additionally, we touch on in-toto attestation chains, OCI reference types (referrers) for attaching SBOMs to images, and integration with CI pipelines using GitHub Actions and GitLab. For further reading, check out the Trivy documentation and the SLSA framework website. Referenced tools include Trivy, CycloneDX, SPDX, Cosign, Sigstore, and in-toto.
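
A point the show notes raise but do not show: once `cosign verify-attestation` has checked the signature on an SBOM attestation, you still have to confirm that the in-toto statement inside it is bound to the exact image digest you are about to deploy, not to some other build. The following is an added example written for this page, not code from the episode, from Trivy or from cosign. It assumes the DSSE envelope shape cosign prints (payloadType, base64 payload, signatures), an in-toto Statement v0.1 inside, and the `Data` wrapper cosign puts around a CycloneDX predicate; the image name, digest and SBOM contents are constructed sample data.

```python
"""Inspect a cosign/in-toto attestation before trusting the SBOM it carries.

Added example for this episode page; not code from the show, Trivy, or cosign.
Assumes the DSSE envelope shape that `cosign verify-attestation` prints (one JSON
object per line: payloadType, base64 payload, signatures) and an in-toto Statement
inside it, with the predicate wrapped under cosign's `Data` key. Signature checking
is cosign's job and is NOT done here; this only enforces the binding between the
statement and the exact image digest you intend to run.
"""
import base64
import json

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v0.1"
CYCLONEDX_PREDICATE = "https://cyclonedx.org/bom"  # set by `cosign attest --type cyclonedx`

# Constructed sample, not a real attestation: a small CycloneDX SBOM for one image.
IMAGE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_STATEMENT = {
    "_type": IN_TOTO_STATEMENT,
    "predicateType": CYCLONEDX_PREDICATE,
    "subject": [{"name": "ghcr.io/example/app", "digest": {"sha256": "ab" * 32}}],
    "predicate": {
        "Data": {  # assumed wrapper shape used by cosign for SBOM predicates
            "bomFormat": "CycloneDX",
            "specVersion": "1.5",
            "components": [
                {"type": "library", "name": "openssl", "version": "3.0.2",
                 "purl": "pkg:deb/ubuntu/openssl@3.0.2"},
                {"type": "library", "name": "requests", "version": "2.31.0",
                 "purl": "pkg:pypi/requests@2.31.0"},
            ],
        },
    },
}


def wrap_dsse(statement: dict) -> str:
    """Build one DSSE envelope line like cosign's output. The signature is a placeholder."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload,
                       "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}]})


def statement_from_envelope(envelope_line: str) -> dict:
    """Decode the DSSE payload and reject anything that is not an in-toto statement."""
    env = json.loads(envelope_line)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("_type") != IN_TOTO_STATEMENT:
        raise ValueError(f"not an in-toto statement: {stmt.get('_type')!r}")
    return stmt


def bound_to(stmt: dict, image_digest: str, predicate_type: str) -> bool:
    """True only if the statement has the expected predicate type and one of its
    subjects carries exactly the digest we intend to run. Subject names (tags) are
    ignored on purpose: tags move, digests do not."""
    if stmt.get("predicateType") != predicate_type:
        return False
    algo, _, hexdigest = image_digest.partition(":")
    return any(s.get("digest", {}).get(algo) == hexdigest for s in stmt.get("subject", []))


def sbom_purls(stmt: dict) -> list[str]:
    """Pull component purls out of the CycloneDX predicate, e.g. to write the BOM
    back out and rescan it with `trivy sbom`."""
    bom = stmt["predicate"]["Data"]
    return sorted(c["purl"] for c in bom.get("components", []) if "purl" in c)


def check_attestation(envelope_line: str, image_digest: str) -> list[str]:
    """Return the SBOM purls if the attestation is bound to image_digest, else raise."""
    stmt = statement_from_envelope(envelope_line)
    if not bound_to(stmt, image_digest, CYCLONEDX_PREDICATE):
        raise ValueError("attestation subject does not match the image digest")
    return sbom_purls(stmt)


if __name__ == "__main__":
    print(check_attestation(wrap_dsse(SAMPLE_STATEMENT), IMAGE_DIGEST))
```

In a real pipeline the envelope line comes from `cosign verify-attestation --type cyclonedx <image>@<digest>`, and the digest passed to `check_attestation` is the one your deploy step resolved, so a statement that verifies cryptographically but describes a different build is still rejected.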

Key Takeaways

  • Use Trivy to scan container images and Kubernetes clusters for vulnerabilities and IaC for misconfigurations
  • Generate SBOMs in CycloneDX or SPDX format for visibility into what each artifact actually contains
  • Work toward SLSA build levels and publish provenance attestations for every artifact you ship
  • Prioritize vulnerabilities by exploitation likelihood (EPSS) and known exploitation (CISA KEV) rather than by CVSS severity alone
  • Integrate Trivy and the signing and attestation tools into CI pipelines so findings surface before merge, not in production
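
The first and fourth takeaways are usually joined in one step: Trivy produces the findings, and EPSS plus the CISA KEV catalog decide what gets fixed first. The following is an added example written for this page, not code from the episode or from the Trivy project. It assumes the report has the shape of `trivy image --format json` output, the KEV feed has the shape of CISA's known_exploited_vulnerabilities.json, and the EPSS scores have the shape of the FIRST EPSS API response; all three inputs in the block are constructed samples with placeholder CVE identifiers, not real findings.

```python
"""Rank Trivy findings by EPSS and CISA KEV instead of by CVSS severity alone.

Added example for this episode page; not code from the show or the Trivy project.
Assumptions: the report has the shape of `trivy image --format json` output
(Results[].Vulnerabilities[] with VulnerabilityID, PkgName, Severity, FixedVersion);
the KEV catalog has the shape of CISA's known_exploited_vulnerabilities.json
(vulnerabilities[].cveID); EPSS scores have the shape of the FIRST EPSS API
response (data[].cve, data[].epss as a decimal string). The inputs below are
constructed samples with placeholder IDs (CVE-0000-*), not real vulnerabilities.
"""
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

SAMPLE_REPORT = {  # constructed; mirrors `trivy image --format json`
    "Results": [
        {"Target": "app (debian 12.5)", "Class": "os-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-1001", "PkgName": "openssl",
             "InstalledVersion": "3.0.2", "FixedVersion": "3.0.3", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-1003", "PkgName": "curl",
             "InstalledVersion": "7.88.1", "FixedVersion": "8.0.0", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-1004", "PkgName": "zlib",
             "InstalledVersion": "1.2.13", "FixedVersion": "1.3", "Severity": "MEDIUM"},
        ]},
        {"Target": "requirements.txt", "Class": "lang-pkgs", "Vulnerabilities": [
            # no FixedVersion: Trivy omits the key when upstream has not shipped a fix
            {"VulnerabilityID": "CVE-0000-1002", "PkgName": "requests",
             "InstalledVersion": "2.31.0", "Severity": "HIGH"},
        ]},
        {"Target": "Dockerfile", "Class": "config"},  # misconfig result: no Vulnerabilities key
    ]
}
SAMPLE_KEV = {"vulnerabilities": [{"cveID": "CVE-0000-1001", "vendorProject": "placeholder"}]}
SAMPLE_EPSS = {"data": [
    {"cve": "CVE-0000-1001", "epss": "0.050000", "percentile": "0.90"},
    {"cve": "CVE-0000-1002", "epss": "0.930000", "percentile": "0.99"},
    {"cve": "CVE-0000-1003", "epss": "0.002000", "percentile": "0.40"},
    {"cve": "CVE-0000-1004", "epss": "0.400000", "percentile": "0.97"},
]}


def load_kev_ids(kev: dict) -> set[str]:
    """CVE IDs CISA has confirmed as exploited in the wild."""
    return {v["cveID"] for v in kev.get("vulnerabilities", [])}


def load_epss(epss: dict) -> dict[str, float]:
    """CVE -> probability of exploitation in the next 30 days (EPSS ships it as a string)."""
    return {row["cve"]: float(row["epss"]) for row in epss.get("data", [])}


def triage(report: dict, kev_ids: set[str], epss: dict[str, float],
           epss_threshold: float = 0.1) -> list[dict]:
    """Flatten Trivy results and order them: KEV entries first, then by EPSS
    descending, then by severity. Each row carries an `action` for the team."""
    rows = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # key may be absent or null
            cve = v["VulnerabilityID"]
            in_kev = cve in kev_ids
            score = epss.get(cve)  # None for CVEs too new to have an EPSS score
            fixed = v.get("FixedVersion", "")
            urgent = in_kev or (score or 0.0) >= epss_threshold
            if urgent and fixed:
                action = "fix now"
            elif urgent:
                action = "mitigate"  # exploitable with no patch: isolate, WAF, or drop the package
            else:
                action = "backlog"   # a CRITICAL CVSS score alone does not make it urgent
            rows.append({"cve": cve, "pkg": v["PkgName"], "severity": v.get("Severity", "UNKNOWN"),
                         "in_kev": in_kev, "epss": score or 0.0, "fixed": fixed, "action": action})
    rows.sort(key=lambda r: (not r["in_kev"], -r["epss"], SEVERITY_RANK.get(r["severity"], 4)))
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_REPORT, load_kev_ids(SAMPLE_KEV), load_epss(SAMPLE_EPSS)):
        print(f"{r['action']:8} {r['cve']} {r['pkg']:9} sev={r['severity']:8} "
              f"kev={r['in_kev']} epss={r['epss']:.3f} fixed={r['fixed'] or '-'}")
```

Note how the constructed sample comes out: the KEV entry leads even though its EPSS is low, the unfixable HIGH with a 0.93 EPSS is flagged to mitigate, and a CRITICAL with almost no exploitation evidence drops to the backlog. Feed it the real report from `trivy image --format json --output report.json`, the KEV JSON from CISA, and EPSS scores fetched for the CVE IDs in the report, and the ordering is what a release gate should act on.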
