Software Supply Chain Security: Why 99% of Your Container is Mystery Code


A single line, `FROM node:latest`, can pull in roughly 19,000 files and more than 1,000 known vulnerabilities, yet most developers treat the base image as mere packaging. The real fix is not scanning at the end of the pipeline; it is changing the ingredients. Software supply chain security rests on three pillars working together: provenance (who built the artifact, from what source, and how), attestation (cryptographically signed statements about that build that a consumer can verify), and introspection via a complete SBOM. Provenance that meets SLSA Level 3, signed by a hardened build platform, lets a verifier check that an image was built from a known source revision and that the provenance record itself has not been tampered with. For platform enforcement, Kubewarden, a CNCF sandbox admission controller, can reject unsigned or untrusted images before they reach production. The article reports that switching from `node:latest` to a SUSE-maintained trusted base image took the count from 1,004 CVEs to zero with a single-line change.
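To make the "block unsigned or untrusted images" step concrete, here is an added example of a Kubewarden policy, written for this summary and not taken from the article or from the Kubewarden project. It assumes the upstream `verify-image-signatures` policy module (the registry path, version tag and `settings` schema are assumptions here; check them against the policy's own documentation before use), a hypothetical registry `registry.example.com`, and a hypothetical GitHub organisation `example-org` whose images are signed keylessly by GitHub Actions:

```yaml
# Added example: Kubewarden ClusterAdmissionPolicy that rejects Pods whose
# images carry no acceptable signature. All names below are assumptions.
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: require-signed-images
spec:
  # Assumed module path/version of the upstream verify-image-signatures policy.
  module: registry://ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations: ["CREATE", "UPDATE"]
  # The policy rewrites verified image references to a pinned digest,
  # so a mutable tag cannot later be re-pointed at different content.
  mutating: true
  settings:
    # Assumed settings schema: each entry binds an image glob to the
    # signers that are allowed to vouch for it. Images matching no entry
    # are not checked; images matching an entry must carry a valid signature.
    signatures:
      # Hypothetical first-party images: signed in CI via Sigstore keyless
      # signing, so we pin the OIDC issuer and the workflow identity.
      - image: "registry.example.com/example-org/*"
        keyless:
          - issuer: "https://token.actions.githubusercontent.com"
            subject: "https://github.com/example-org/*"
      # Hypothetical vendor base images signed with a long-lived key:
      # the public key is embedded so verification needs no network trust.
      - image: "registry.example.com/base/*"
        pubKeys:
          - |
            -----BEGIN PUBLIC KEY-----
            (vendor public key goes here; placeholder, not a real key)
            -----END PUBLIC KEY-----
```

Two design points worth noting. Keyless entries pin both the OIDC issuer and the signing identity, because a certificate from the right issuer but the wrong workflow would otherwise satisfy the check. Leaving `mutating: true` means the admitted Pod spec refers to the exact digest that was verified, which closes the gap between "verified at admission" and "pulled by the kubelet".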

7 min read. From cloudnativenow.com
Table of contents

- The Developer vs. Platform Engineer Problem
- The Anatomy of Trust
- Why "Do It Yourself" Doesn't Work
- Trust Beyond the Container
- Securing the Platform, Not Just the App
- The Only Secret Ingredient is Trust
- Starting in Trusted Mode
- Related
