Supply Chain Policies
Overview
Supply Chain Policies in Sysdig Secure provide security controls that help you validate the trust and integrity of software artifacts before they are deployed into your Kubernetes or OpenShift environments.
These policies are designed to help you verify that artifacts such as container images, SBOMs, and other workload components:
- Originate from trusted build systems or registries.
- Have not been modified after publication.
- Comply with organizational and regulatory requirements for software provenance and integrity.
Sysdig's Supply Chain Policies form the foundation for enforcing your software supply chain security posture.
Prerequisites
Kubernetes Workloads
Before enabling Supply Chain Policies, ensure that the Sysdig Shield chart is installed on your Kubernetes clusters.
- See Install Shield on Kubernetes for deployment instructions.
- Verify that the supply_chain feature is enabled in your Cluster Shield configuration.
```yaml
features:
  supply_chain:
    enabled: true
```
Goals
| Objective | Description | 
|---|---|
| Integrity | Validate that images and artifacts have not been altered from their intended state. | 
| Authenticity | Ensure that artifacts are signed by trusted publishers, CI/CD systems, or registries. | 
| Compliance | Enforce adherence to enterprise and regulatory requirements for software provenance and chain-of-custody. | 
Supported Policy Types
At present, the following policy type is supported:
Image Signature Validation
The Image Signature Validation policy enforces that only container images with valid digital signatures are admitted into your Kubernetes clusters. Signatures can be verified in one of two ways:
- Public Key validation (using PEM-encoded public keys).
- OIDC Provider validation (e.g., GitHub Actions, Red Hat Trusted Artifact Signer, Google, AWS STS, Microsoft Entra ID, or any compatible Sigstore implementation).
This policy operates at the Admission Control stage via the Sysdig Admission Controller. It prevents unsigned or tampered images from being deployed, ensuring supply chain integrity before workloads are scheduled to run.
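The following is an added example, not Sysdig's or cosign's code, showing what the public-key variant of this check does under the hood: a build pipeline signs a payload that binds the image reference to its manifest digest, and the admission-time check verifies that signature with a PEM-encoded trusted key and then confirms the signed digest is the digest actually being deployed. Assumptions: the payload shape is modelled on the Sigstore "simple signing" envelope, the signature scheme is ECDSA P-256 over SHA-256 (DER encoded), and the image reference and digest are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
)

// SimpleSigningPayload models the envelope cosign signs for an image
// (assumption: field names follow the Sigstore simple-signing format).
type SimpleSigningPayload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
}

// NewPayload builds the envelope a pipeline signs for one image reference and digest.
func NewPayload(ref, digest string) ([]byte, error) {
	var p SimpleSigningPayload
	p.Critical.Identity.DockerReference = ref
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = "cosign container image signature"
	return json.Marshal(p)
}

// GenerateSigningKey creates the pipeline's ECDSA P-256 signing key.
func GenerateSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignPayload produces a DER-encoded ECDSA signature over SHA-256(payload).
func SignPayload(priv *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	h := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// PublicKeyPEM encodes the verification key as PEM, the form a policy is given.
func PublicKeyPEM(pub *ecdsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// AdmitImage is the admission-time decision: nil means admit, an error means deny.
// It checks the signature under the trusted key, then that the signed digest
// equals the digest being deployed (a re-tagged or tampered image fails here).
func AdmitImage(trustedPEM, payload, sig []byte, deployedDigest string) error {
	block, _ := pem.Decode(trustedPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("policy key is not a PEM-encoded public key")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("policy key is not an ECDSA public key")
	}
	h := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify under the trusted key")
	}
	var p SimpleSigningPayload
	if err := json.Unmarshal(payload, &p); err != nil {
		return err
	}
	if p.Critical.Image.DockerManifestDigest != deployedDigest {
		return fmt.Errorf("signed digest %s != deployed digest %s",
			p.Critical.Image.DockerManifestDigest, deployedDigest)
	}
	return nil
}

func main() {
	// Constructed sample values, not a real image.
	const ref, digest = "registry.example.com/app:1.0", "sha256:" + "ab" + "cd" + "ef" + "0123456789abcdef0123456789abcdef0123456789abcdef0123456789"
	priv, _ := GenerateSigningKey()
	payload, _ := NewPayload(ref, digest)
	sig, _ := SignPayload(priv, payload)
	pubPEM, _ := PublicKeyPEM(&priv.PublicKey)
	fmt.Println("trusted key, matching digest:", AdmitImage(pubPEM, payload, sig, digest))
	fmt.Println("different deployed digest:", AdmitImage(pubPEM, payload, sig, "sha256:deadbeef"))
}
```

The same decision with an OIDC provider differs only in how the trusted key is obtained: instead of a static PEM key, the verifier checks a short-lived signing certificate whose identity and issuer must match the policy, then validates the signature as above.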
Example Use Cases
- Require that all production workloads use images signed by your organization's CI/CD pipelines.
- Prevent deployment of unsigned or third-party images.
- Enforce that only artifacts signed by approved OIDC providers are admitted into the cluster.
- Establish a baseline for software provenance and compliance across Kubernetes workloads.