Security & Supply Chain
Engineering notes and deep-dives on Security & Supply Chain, with practical examples and lessons from experience.
Cyber Resilience Act: why you need an SBOM by September 2026, not 2027
Everyone is watching 11 December 2027, when the CRA's main obligations apply, but the vulnerability-reporting duty starts on 11 September 2026, a year earlier; and you cannot report what your inventory cannot list.
SLSA L0–L3 and provenance: a chain of trust from commit to admission
An SBOM tells you "what's inside", a signature tells you "who signed". Between them sits provenance: "how it was built". After SolarWinds, that is the question admission control has to ask.
DevSecOps in five stages: from secret-scan to admission policy
Five CI stages, each failing the pipeline with exit code 1, plus a cluster-side admission gate: the pattern under which DevSecOps actually blocks a production deploy instead of running as a green-checkmark ritual.