https://muhammadamal.my.id/tags/supply-chain/ Recent content in Supply-Chain on Hi, I'm Muhammad Amal Hugo en-us Wed, 24 Sep 2025 09:00:00 +0700 https://muhammadamal.my.id/blog/supply-chain-security-ai-models-signing-and-sbom/ Wed, 24 Sep 2025 09:00:00 +0700 https://muhammadamal.my.id/blog/supply-chain-security-ai-models-signing-and-sbom/ How to sign models, produce SBOMs that mean something for ML, and verify everything at runtime without slowing your team down. https://muhammadamal.my.id/blog/container-image-signing-cosign-sigstore-2024/ Mon, 28 Oct 2024 09:00:00 +0700 https://muhammadamal.my.id/blog/container-image-signing-cosign-sigstore-2024/ A working guide to signing container images with cosign and Sigstore, including keyless signing and Kubernetes admission enforcement. https://muhammadamal.my.id/blog/slsa-provenance-build-attestations/ Mon, 25 Sep 2023 09:00:00 +0700 https://muhammadamal.my.id/blog/slsa-provenance-build-attestations/ Pragmatic SLSA v1.0 provenance with GitHub Actions and Cosign — what Level 2 actually delivers, and the operational lift to reach Level 3. https://muhammadamal.my.id/blog/sbom-syft-cyclonedx-pipeline/ Mon, 11 Sep 2023 09:00:00 +0700 https://muhammadamal.my.id/blog/sbom-syft-cyclonedx-pipeline/ Producing accurate SBOMs with Syft and CycloneDX 1.5, the gaps you will not see, and how to attach them as signed attestations. https://muhammadamal.my.id/blog/sigstore-cosign-keyless-signing/ Thu, 07 Sep 2023 09:00:00 +0700 https://muhammadamal.my.id/blog/sigstore-cosign-keyless-signing/ Production-grade keyless container signing with Cosign 2.2 and Sigstore — the OIDC trust chain, Rekor verification, and air-gap caveats.