Home DevOps Jenkins Supply Chain Security: SBOM, Cosign & SLSA Gotchas
Advanced ✅ Tested on Jenkins 2.440+ | CycloneDX Plugin 1.0+ | Cosign 2.0+ 5 min · 2026-07-09

Jenkins Supply Chain Security: SBOM, Cosign & SLSA Gotchas

Production guide to SBOM generation via CycloneDX plugin, Cosign signing, SLSA levels in Jenkins.

N
Naren Founder & Principal Engineer

20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.

Follow
Production
production tested
July 09, 2026
last updated
230
articles · all by Naren
Before you start⏱ 30 min
  • Deep devops experience in a production environment
  • Familiarity with debugging, profiling, and performance analysis
  • Understanding of distributed systems and failure modes
 ● Production Incident 🔎 Debug Guide ⚙ Triage Commands
Quick Answer
  • Generate SBOMs with CycloneDX plugin for Maven/Gradle builds; attach as build artifacts.
  • Sign artifacts with cosign sign-blob using keyless OIDC (Fulcio) and store signatures in OCI registry.
  • Achieve SLSA Level 2+ by generating provenance attestations (in-toto) and verifying signatures in deploy pipelines.
  • Use supply-chain-levels plugin to score your pipeline and track SLSA compliance.
  • Block unsigned artifacts in deployment with cosign verify; integrate Docker Content Trust for image signing.
  • Integrate with GitHub/GitLab OIDC for attestation; store all metadata in Rekor transparency log.
  • Common failures: missing SBOM after rebuild, expired ephemeral keys, Rekor search failures.
✦ Definition~90s read
What is Jenkins Supply Chain Security?

Supply chain security in Jenkins ensures that every artifact produced is accompanied by a Software Bill of Materials (SBOM) listing all dependencies, a cryptographic signature (Cosign) verifying the artifact's origin, and a provenance attestation (in-toto) that meets SLSA levels. The CycloneDX plugin generates SBOMs in CycloneDX or SPDX format.

Imagine you're ordering a custom-built PC.

Cosign, part of Sigstore, signs artifacts with ephemeral keys via OIDC (keyless mode) and stores signatures in OCI registries. The SLSA framework defines levels (1-4) of build integrity; Jenkins pipelines can achieve Level 2+ by generating signed provenance and verifying it in deployment.

Plain-English First

Imagine you're ordering a custom-built PC. You want a list of every component (SBOM), a tamper-proof seal on the box (Cosign signature), and a certificate that the factory followed strict assembly standards (SLSA). Without these, someone could swap a malicious part. In Jenkins, we generate the component list automatically, sign the build outputs, and record every step so that when the software reaches production, we can verify nothing was tampered with.

I once spent a weekend debugging a production incident where a compromised Jenkins node injected malicious code into a Java artifact. We had no SBOM to trace dependencies, no signature to verify integrity, and no provenance to prove the build process. The attacker had modified a transitive dependency and the artifact passed all tests. That incident cost us 48 hours of downtime and a painful post-mortem. Since then, I've implemented supply chain security in every Jenkins pipeline I touch. This guide covers the exact tools and practices: CycloneDX for SBOM, Cosign for signing, and SLSA framework for attestation. These are not just buzzwords—they are the difference between a secure pipeline and a breach waiting to happen.

1. Generating SBOM with CycloneDX Plugin in Jenkins

The CycloneDX plugin for Jenkins integrates with Maven and Gradle builds to generate Software Bill of Materials (SBOM) in CycloneDX or SPDX format. Install the plugin, then configure a post-build action to generate SBOM. For Maven, add the CycloneDX Maven plugin in pom.xml or use the Jenkins plugin's built-in Maven integration. Example pipeline step: cyclonedxBom outputFormat: 'json', outputName: 'bom'. The SBOM lists all direct and transitive dependencies, including versions and licenses. Store the SBOM as a build artifact for later verification. In production, we attach the SBOM to the release and upload it to a repository like Artifactory. Common gotcha: The plugin must run after dependency resolution, otherwise the SBOM will be empty. Use mvn dependency:tree to verify dependencies are resolved before SBOM generation.

Production Insight
Always regenerate SBOM on every build; never reuse from previous builds. Dependencies can change even with same code.
Key Takeaway
SBOM is your inventory; without it, you can't know what's in your software.
jenkins-supply-chain-security diagram 1 Supply Chain Pipeline SBOM → Sign → Attest → Verify → Deploy Build Artifact JAR | Docker image SBOM Generation CycloneDX | SPDX Sign Artifact cosign sign-blob Upload to Rekor Sigstore transparency log SLSA Provenance in-toto attestation Verification Gate cosign verify Deploy [Verified] Block unsigned | Alert THECODEFORGE.IO
thecodeforge.io
Jenkins Supply Chain Security

2. Signing Artifacts with Cosign (Keyless Mode)

Cosign supports keyless signing using OIDC (OpenID Connect) identity from Jenkins. The identity flows through Fulcio (certificate authority) to issue an ephemeral signing certificate. The signature and certificate are stored in an OCI registry (e.g., Docker Hub, GCR). Jenkins pipeline: cosign sign-blob --oidc-issuer https://token.actions.githubusercontent.com --output-certificate cert.pem --output-signature sig.pem <artifact>. Then upload the signature and certificate to the registry: cosign attach signature --signature sig.pem --cert cert.pem <oci-image>. Production tip: Use a dedicated OCI registry for signatures, separate from the artifact registry. Keyless mode eliminates the need to manage long-lived keys. However, ensure the OIDC token from Jenkins is valid; tokens expire quickly. Use the withEnv step to set ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL for GitHub Actions integration.

Production Insight
Keyless signing reduces key management overhead but requires OIDC provider availability. Cache tokens to avoid rate limits.
Key Takeaway
Keyless signing is production-ready; it leverages ephemeral certificates tied to the build identity.

3. SLSA Framework Levels in Jenkins

SLSA (Supply-chain Levels for Software Artifacts) defines four levels of build integrity. Level 1: Build process must be scripted and produce provenance. Level 2: Provenance must be signed and generated by a build service (e.g., Jenkins). Level 3: Provenance must be non-forgeable (e.g., signed with ephemeral keys) and hardened build platform. Level 4: Two-person review of changes and hermetic builds. In Jenkins, achieve Level 2 by generating signed provenance using in-toto attestations. Use the supply-chain-levels plugin to score your pipeline. For Level 3, ensure the build runs in isolated containers (e.g., Kubernetes pods) with no manual steps. Level 4 requires source control with branch protection and mandatory code review. Example: supply-chain-levels score --level 2 to check compliance.

Production Insight
Start with Level 2; it's achievable with Cosign signing and provenance generation. Level 3 requires significant infrastructure changes (ephemeral build agents).
Key Takeaway
SLSA levels are a roadmap; Level 2 is a good baseline for most organizations.
jenkins-supply-chain-security diagram 2 Signature Chain Developer → Cosign → Rekor → Verification Developer Signs cosign sign-blob --key Fulcio OIDC Token Keyless signing Signature to Rekor Transparency log entry Check Rekor Entry rekor-cli search Verify Artifact cosign verify-blob Provenance Check Match signer identity THECODEFORGE.IO
thecodeforge.io
Jenkins Supply Chain Security

4. Cosign sign-blob and verify Commands

cosign sign-blob signs a file (artifact) and outputs a signature and certificate. cosign verify-blob verifies the signature against the artifact. Example: cosign verify-blob --cert cert.pem --signature sig.pem app.jar. For container images, use cosign sign and cosign verify. Production usage: In the deployment pipeline, verify the artifact before deployment. Use cosign verify-blob --key <key> app.jar if using key-based signing. For keyless, the verification automatically checks the certificate chain against Fulcio and Rekor. Common gotcha: The --cert and --signature flags must point to the correct files. Use cosign tree to see all signatures on an image. Example: cosign tree docker.io/myorg/myapp:latest lists all signatures and attestations.

Production Insight
Always verify artifacts in the deployment pipeline, not just in the build pipeline. This prevents deployment of tampered artifacts.
Key Takeaway
Sign and verify as close to deployment as possible.

5. Generating SPDX/CycloneDX During Maven/Gradle Builds

For Maven, add the CycloneDX Maven plugin: mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom. For Gradle, apply the org.cyclonedx.bom plugin. The plugin generates a bom.json or bom.xml file containing all dependencies. In Jenkins, run this step after mvn clean install to ensure all dependencies are resolved. Production tip: Store the SBOM in a central repository (e.g., Artifactory) with a unique version tag. Use the SBOM for vulnerability scanning with tools like Grype or Trivy. Example pipeline: sh 'mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom -DoutputFormat=json -DoutputName=bom'. For SPDX, use the SPDX SBOM plugin or convert CycloneDX to SPDX using a tool.

Production Insight
Integrate SBOM generation into the build lifecycle; don't treat it as an afterthought. Use a consistent naming convention (e.g., bom-${BUILD_NUMBER}.json).
Key Takeaway
Automate SBOM generation; manual SBOMs are error-prone and rarely updated.

6. Storing Signatures in OCI Registries

Cosign stores signatures in OCI registries as separate tags or in the same repository as the artifact. Use cosign attach signature to attach a signature to an existing image. Alternatively, use cosign sign which automatically pushes the signature to the registry. The signature is stored as an OCI artifact with a predictable tag (e.g., sha256-<digest>.sig). Production tip: Use a dedicated registry for signatures (e.g., sigregistry.example.com) to separate from artifacts. This avoids clutter and allows different access controls. Ensure the registry supports OCI artifacts (most do). Example: cosign sign --key key.pem --tlog-upload=false docker.io/myorg/myapp:latest pushes signature to docker.io/myorg/myapp:sha256-...sig. Use cosign copy to copy signatures between registries.

Production Insight
Storing signatures in the same registry as artifacts is convenient but can lead to namespace pollution. Use separate repositories or registries for production.
Key Takeaway
OCI registries are the standard for storing signatures and attestations.

7. Cosign Keyless Mode with OIDC, Fulcio and Rekor Transparency Log

Keyless mode uses OIDC to authenticate the signer. Jenkins obtains an OIDC token from its identity provider (e.g., GitHub, GitLab, or Jenkins itself). The token is presented to Fulcio, which issues a short-lived certificate. The signature and certificate are uploaded to Rekor, a transparency log, providing an immutable record. To use keyless mode, set environment variables: COSIGN_EXPERIMENTAL=1 (in older versions) or configure OIDC provider. The command cosign sign-blob --oidc-issuer <issuer> app.jar triggers the flow. Verification automatically checks Rekor for the signing certificate. Production gotcha: Rekor may be slow or unavailable; consider using a private Rekor instance for reliability. Also, OIDC tokens expire, so ensure the pipeline step is not too long.

Production Insight
Keyless mode is the future of signing; it eliminates key management. However, rely on Rekor's availability; have a fallback verification method.
Key Takeaway
Keyless signing with Fulcio and Rekor provides non-repudiation and transparency.

8. Attesting Pipeline Artifacts with In-Toto Attestations

In-toto attestations provide a signed statement about the build process (e.g., source repository, build command, builder identity). Cosign supports creating in-toto attestations with cosign attest. The attestation is stored as an OCI artifact. Example: cosign attest --predicate predicate.json --key key.pem docker.io/myorg/myapp:latest. The predicate file contains SLSA provenance. Use the slsa-generator tool to generate the predicate. In Jenkins, generate the predicate in a stage and then attest. Verification: cosign verify-attestation --key key.pem docker.io/myorg/myapp:latest. Production tip: Attestations should include the pipeline ID, build timestamp, and source commit. This enables auditability and meets SLSA Level 2+ requirements.

Production Insight
Attestations are more valuable than signatures alone because they provide context about how the artifact was built.
Key Takeaway
In-toto attestations are the backbone of SLSA provenance.

9. Verifying Signatures in Deployment Pipelines

Deployment pipelines must verify signatures and attestations before deploying. Use cosign verify-blob for files or cosign verify for container images. Example: cosign verify --key public-key.pem docker.io/myorg/myapp:latest. For keyless verification, the command automatically checks Fulcio and Rekor. If verification fails, the pipeline should fail. Production scenario: A deployment pipeline that pulls an artifact from a registry, verifies it, then deploys. If verification fails, the pipeline stops and alerts the team. This prevents deployment of tampered or unsigned artifacts. Use a dedicated verification step that runs before any deployment action. Integrate with Docker Content Trust for additional image signing.

Production Insight
Verification is only effective if it blocks deployment. Configure the pipeline to abort on verification failure.
Key Takeaway
Deploy only verified artifacts; make verification a hard gate.

10. Blocking Unsigned Artifacts with Pipeline Gates

To block unsigned artifacts, add a gate in the deployment pipeline that checks for a valid signature. Use cosign verify and if it fails, the pipeline fails. Additionally, use the supply-chain-levels plugin to enforce a minimum SLSA score. Example: supply-chain-levels check --min-level 2. If the score is below 2, fail the pipeline. Another approach: Use a webhook or policy agent (e.g., OPA) to evaluate attestations before deployment. Production tip: Implement a 'break glass' mechanism to bypass the gate in emergencies, but log all overrides. Common gotcha: Ensure the verification key is securely stored (e.g., Jenkins credential store) and rotated regularly.

Production Insight
Gates are only as good as their enforcement. Use automated checks that cannot be bypassed without explicit approval.
Key Takeaway
Blocking unsigned artifacts is a critical control against supply chain attacks.

11. Docker Content Trust Integration

Docker Content Trust (DCT) uses Notary to sign and verify images. In Jenkins, enable DCT by setting environment variable DOCKER_CONTENT_TRUST=1. This forces docker push and docker pull to sign and verify images. To sign an image, use docker trust sign. DCT uses a local delegation key; store the key in Jenkins credential store. Example: withEnv(['DOCKER_CONTENT_TRUST=1']) { sh 'docker push myorg/myapp:latest' }. DCT is an alternative to Cosign for container images; however, Cosign is more flexible and supports keyless mode. Production tip: Use both DCT and Cosign for defense in depth. DCT ensures image integrity at the Docker client level, while Cosign provides attestation and Rekor transparency.

Production Insight
DCT is simpler but less feature-rich than Cosign. Use Cosign for new setups, but maintain DCT for legacy pipelines.
Key Takeaway
Docker Content Trust is a good addition but should not be the sole signing mechanism.
jenkins-supply-chain-security diagram 3 SLSA Levels Explained Supply-chain Levels for Software Artifacts SLSA L1: Provenance Build process documented SLSA L2: Tamper Resistance Signed provenance SLSA L3: Hardened Builds Hermetic, no network SLSA L4: Maximum Two-person review THECODEFORGE.IO
thecodeforge.io
Jenkins Supply Chain Security

12. Integrating with GitHub/GitLab for Attestation

GitHub and GitLab can act as OIDC providers for Cosign keyless signing. In Jenkins, use the GitHub OIDC token from the GitHub context (e.g., ACTIONS_ID_TOKEN_REQUEST_TOKEN). For GitLab, use the GitLab OIDC token. Example: cosign sign-blob --oidc-issuer https://gitlab.com --oidc-client-id <client-id> app.jar. The attestation ties the artifact to the source repository and pipeline run. For SLSA, the provenance should include the repository URL and commit SHA. Use the slsa-github-generator or slsa-gitlab-generator to generate provenance. Production tip: Ensure the OIDC token has the correct audience; misconfiguration leads to verification failures.

Production Insight
Integrating with source control OIDC provides a strong link between code and artifact.
Key Takeaway
OIDC integration with GitHub/GitLab is key to achieving SLSA Level 3+.
● Production incidentPOST-MORTEMseverity: high

The Case of the Missing SBOM and the Silent Backdoor

Symptom
Production crash after deployment; suspicious outbound connections from app server.
Assumption
The artifact was built from trusted source code; no need for SBOM.
Root cause
A compromised Jenkins plugin downloaded a malicious version of Log4j from a mirror. The build did not generate an SBOM, so the malicious dependency was undetected.
Fix
Enabled CycloneDX plugin to generate SBOM for every build; stored SBOM alongside artifact. Implemented Cosign signing and verification to ensure artifact integrity. Added dependency scanning against SBOM.
Key lesson
  • Always generate SBOM and sign artifacts.
  • Without them, you are blind to supply chain attacks.
Jenkins Supply Chain Security: Feature Comparison
featurecosigndocker_content_trustin-toto
Signing MechanismKeyless (OIDC+Fulcio) or key-pairNotary keysNo built-in signing; uses Cosign or GPG
SBOM Format
Transparency Log
SLSA Level SupportLevel 2+ with attestationsLevel 1 (signature only)Level 2+ with provenance
Key ManagementDelegation keys
Jenkins Plugin
📦 Downloadable Quick Reference

Print-friendly master reference covering all topics in this track.

⇩ Download PDF

Key takeaways

1
Always generate SBOM for every build; it's your dependency inventory.
2
Use Cosign keyless mode to sign artifacts; it eliminates key management.
3
Store signatures in OCI registries; separate from artifact registry if possible.
4
Achieve SLSA Level 2 by generating signed provenance attestations.
5
Verify signatures in deployment pipelines; block unsigned artifacts.
6
Integrate with GitHub/GitLab OIDC for strong identity binding.
7
Use Rekor transparency log for auditability.
8
Start small (Level 2) and iterate; don't aim for Level 4 immediately.

Common mistakes to avoid

6 patterns
×

Generating SBOM before dependency resolution

Symptom
SBOM shows only project dependencies, no transitive dependencies
Fix
Run mvn dependency:resolve or mvn install before SBOM generation
×

Using long-lived keys for Cosign and storing them in Jenkins credentials without rotation

Symptom
Key compromise leads to ability to sign malicious artifacts
Fix
Use keyless mode or rotate keys regularly with automated scripts
×

Not verifying signatures in deployment pipeline

Symptom
Unsigned or tampered artifacts deployed to production
Fix
Add cosign verify step before deployment
×

Ignoring Rekor transparency log entries

Symptom
No audit trail for signed artifacts
Fix
Always upload to Rekor and monitor logs for unexpected entries
×

Setting SLSA level target too high without infrastructure readiness

Symptom
Pipeline fails due to unmet requirements (e.g., no isolation)
Fix
Start with Level 2 and gradually improve
×

Using Docker Content Trust without proper key management

Symptom
Lost delegation keys cause inability to push images
Fix
Backup keys securely and use Cosign as primary signing tool
INTERVIEW PREP · PRACTICE MODE

Interview Questions on This Topic

Q01SENIOR
How would you achieve SLSA Level 2 in a Jenkins pipeline?
Q02JUNIOR
Explain the difference between Cosign keyless and key-pair signing.
Q03JUNIOR
How does Rekor transparency log help in supply chain security?
Q04SENIOR
What is the role of Fulcio in the Sigstore ecosystem?
Q05JUNIOR
How would you block deployment of unsigned artifacts in Jenkins?
Q06SENIOR
Describe a production incident where missing SBOM caused a security issu...
Q07SENIOR
How do you integrate GitHub OIDC with Cosign in Jenkins?
Q08SENIOR
What are the limitations of Docker Content Trust compared to Cosign?
Q01 of 08SENIOR

How would you achieve SLSA Level 2 in a Jenkins pipeline?

ANSWER
Generate a signed provenance attestation using in-toto (via Cosign attest) that includes the build process, source repository, and builder identity. Store the attestation in an OCI registry. Use the supply-chain-levels plugin to validate.
FAQ · 8 QUESTIONS

Frequently Asked Questions

01
What is the difference between CycloneDX and SPDX?
02
Can Cosign sign non-container artifacts?
03
Do I need a public Rekor instance?
04
How does SLSA Level 3 differ from Level 2?
05
What is the supply-chain-levels plugin?
06
How do I rotate Cosign keys?
07
Can I use Cosign with Jenkins without OIDC?
08
What happens if Rekor is down during signing?
N
Naren Founder & Principal Engineer

20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.

Follow
Verified
production tested
July 09, 2026
last updated
230
articles · all by Naren
🔥

That's Jenkins. Mark it forged?

5 min read · try the examples if you haven't

Previous
Jenkins Security Best Practices
32 / 39 · Jenkins
Next
Jenkins Backup and Restore