After SBOM and Cosign comes Provenance. Issue SLSA Build L3 provenance with slsa-github-generator and verify it with slsa-verifier, end to end on real machines.
A complete teardown of the SLSA specification. We dissect the threat model, Build and Source track requirements, Provenance structure, and the verification flow with diagrams.
