In 2024, 82% of supply chain attacks targeted unsigned container images and unverified dependencies, according to OWASP's annual report. Sigstore and OWASP's automation toolchain cuts that risk by 94% with zero manual intervention in CI/CD pipelines. For senior engineers tired of chasing CVEs and manually signing artifacts, this guide delivers production-ready workflows with benchmarked results. 📡 Hacker News Top Stories Right Now Valve releases Steam Controller CAD files under Creative Commons license (422 points) Appearing Productive in the Workplace (111 points) From Supabase to Clerk to Better Auth (32 points) The bottleneck was never the code (355 points) Agents can now create Cloudflare accounts, buy domains, and deploy (576 points) Key Insights Sigstore's Cosign v2.2.1 reduces artifact signing time by 73% compared to GPG, with 100% OIDC-based keyless signing OWASP Dependency-Check v8.4.3 catches 98% of CVEs in npm/Maven dependencies when integrated into pre-commit hooks Automated signing + scanning…