While there's a lot of emphasis on supply chain security, there's been little work done to help make it easy to operationalize. The SLSA standard gives good guidance on levels of maturity, but the tooling has been slower to follow.

In this talk, we'll show how to leverage Chalk to both capture build provenance and do build attestation with Sigstore, in a way that you can deploy to entire build systems transparently without needing to change most build pipelines.