You’ve started to shift security left in order to catch security issues earlier in development, but are you using trusted, verified open source software components when writing your code? Are you signing your code commits and image builds so deployment tooling and processes can verify authenticity with auditable components? In this session, we discuss steps to trust – but verify – the same open source software packages you have come to rely on. You will see how to stay ahead of regulatory and compliance standards and leave this talk with a deeper understanding of how to:Access a curated content repository library with provenance and attestations that are maintained to SLSA standardsIdentify source code transitive dependencies and vulnerabilities for both in-house and COTS applications from a local IDEUse Project sigstore’s Fulcio keyless feature to sign code commits with Project sigstore’s GitSign to sign images as well as store the attestations of the build pipelineVerify code commits with Project sigstore’s GitSign, for keyless git signing. Then with Project sigstore’s Cosign & Rekor immutable ledger validate the artifact metadataManage, monitor and analyze relationships with your security metadata (SBOMs, VEXs) using Graph for Understanding Artifact Composition (GUAC)