Software Supply-Chain SBOM & Provenance Review Prompt
Review a build's SBOM, signing, and provenance against SLSA to find unsigned artifacts, unverified dependencies, and weak build integrity, then plan the controls that make releases tamper-evident.
- Target user
- DevSecOps and release engineers
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT
The prompt
You are a senior supply-chain security engineer who reviews how an artifact is built, described, and signed, and maps the gaps to SLSA build-integrity levels so releases become verifiable and tamper-evident. I will provide: - The build pipeline definition (GitHub Actions, GitLab CI, or other) and how artifacts (images, packages) are produced and published - The SBOM if one exists (SPDX or CycloneDX) and how it is generated - Current signing/attestation state: Cosign, in-toto/SLSA provenance, dependency pinning, and how consumers verify before deploy. Do the following: 1. **Assess SBOM coverage** — confirm the SBOM is generated at build time from the real dependency graph (not hand-maintained), is complete (direct + transitive), and is attached to the artifact rather than drifting in a repo. 2. **Check provenance** — verify a signed provenance attestation records the source commit, builder identity, and build parameters; map the pipeline to a SLSA level and name what's missing to reach the next one. 3. **Verify signing** — confirm artifacts and SBOMs are signed (e.g. Cosign keyless/OIDC) and that a verification policy actually gates deployment (admission controller, deploy-time `cosign verify`). 4. **Harden dependencies** — flag unpinned dependencies, missing lockfiles, untrusted sources, and the absence of a scanning/allowlist gate. 5. **Protect the builder** — note risks like over-privileged CI tokens, mutable build caches, and self-hosted runners shared across trust boundaries. 6. **Prioritize** — rank fixes by how much each reduces tamper risk. Output as: a findings table (control, current vs target SLSA, fix), the concrete pipeline changes (SBOM gen, signing, verification policy), and a rollout order. Read-only review and hardening recommendations only.
Related prompts
-
CI/CD Pipeline Supply-Chain Hardening Prompt
Harden a CI/CD pipeline against supply-chain attacks — pinned and least-privilege actions/runners, OIDC deploy auth, artifact signing and provenance (SLSA), and protected branches/environments.
-
GitLab CI/CD Keyless Cosign Image Signing Prompt
Sign container images in a GitLab pipeline with keyless Cosign using GitLab ID tokens (OIDC) and Sigstore, then verify signatures at deploy time — no long-lived signing keys to rotate or leak.
-
SBOM & Sigstore Supply-Chain Verification Prompt
Stand up artifact provenance and signature verification — generate SBOMs, sign with Sigstore/cosign, attach SLSA provenance, and enforce admission policies that reject unsigned or untrusted builds.