What is supply-chain security, and what is SLSA? [Intermediate]
Answer
Supply-chain security protects the integrity of software from source code through build, dependencies, artifacts, deployment, and runtime. SLSA is a framework that defines increasing levels of build integrity, provenance, and tamper resistance for software artifacts.
Technical explanation
Supply-chain controls include branch protection, dependency review, reproducible or isolated builds, artifact signing, provenance, SBOMs, and deployment verification.
SLSA helps teams mature from basic provenance generation to stronger build isolation and tamper-resistant provenance.
The goal is to prove what was built, from which source, by which builder, and whether it was modified after the build.
Hands-on example
Pipeline design: protected main branch -> CI builds in an isolated runner -> generate SBOM and SLSA provenance -> sign the image digest -> store the attestations alongside the image -> Kubernetes admission control verifies the signature and provenance before allowing the deploy.
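The last step of that pipeline, the admission-time provenance check, is worth seeing concretely. The following is an added example written for this page, not code from the SLSA project or any admission controller. It builds a constructed in-toto statement with a SLSA v1 provenance predicate and applies the policy questions the explanation above lists: was this exact digest built, from which source, by which builder. The top-level layout (`_type`, `subject`, `predicateType`, `buildDefinition`, `runDetails`, `builder.id`) follows the SLSA v1 format, but the contents of `externalParameters` are builder-specific, so the `source.uri` field, the builder and registry URLs, the commit placeholder and the policy values are all assumptions. The DSSE envelope signature over the statement is assumed to have been verified already (for instance by a tool such as cosign); this code checks the statement's content.

```python
import copy
import hashlib

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Constructed sample artifact: stands in for the container image the CI job built.
ARTIFACT_BYTES = b"constructed sample image content"
ARTIFACT_DIGEST = hashlib.sha256(ARTIFACT_BYTES).hexdigest()

# Constructed in-toto statement carrying a SLSA v1 provenance predicate.
# The externalParameters/resolvedDependencies field names are assumptions:
# the SLSA spec leaves their contents to the buildType.
PROVENANCE = {
    "_type": IN_TOTO_STATEMENT_V1,
    "subject": [
        {"name": "registry.example/app", "digest": {"sha256": ARTIFACT_DIGEST}}
    ],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://ci.example/build-types/container@v1",  # hypothetical
            "externalParameters": {
                "source": {"uri": "git+https://github.com/example/app@refs/heads/main"}
            },
            "resolvedDependencies": [
                {
                    "uri": "git+https://github.com/example/app@refs/heads/main",
                    "digest": {"gitCommit": "0" * 40},  # placeholder commit id
                }
            ],
        },
        "runDetails": {"builder": {"id": "https://ci.example/hosted-runner@v1"}},
    },
}

# Deployment policy the admission step enforces (constructed values).
POLICY = {
    "trusted_builders": {"https://ci.example/hosted-runner@v1"},
    "allowed_source": "git+https://github.com/example/app@refs/heads/main",
}


def verify_provenance(statement, image_digest, policy):
    """Content checks an admission controller applies to a provenance statement.

    Assumes the DSSE signature over the statement was already verified against
    the builder's public key. Returns (ok, reasons); reasons lists every failed
    check so a denied deploy is explainable.
    """
    reasons = []
    if statement.get("_type") != IN_TOTO_STATEMENT_V1:
        reasons.append("not an in-toto Statement v1")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        reasons.append("predicate is not SLSA provenance v1")

    # The artifact being deployed must be a subject of the attestation:
    # provenance for a different digest proves nothing about this image.
    subjects = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if image_digest not in subjects:
        reasons.append("image digest is not a subject of the attestation")

    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in policy["trusted_builders"]:
        reasons.append(f"builder {builder!r} is not trusted")

    source = (pred.get("buildDefinition", {})
                  .get("externalParameters", {})
                  .get("source", {})
                  .get("uri"))
    if source != policy["allowed_source"]:
        reasons.append(f"source {source!r} is not the protected branch")
    return (not reasons, reasons)


def evaluate_samples():
    """Run the policy over the genuine statement and three tampered variants."""
    wrong_builder = copy.deepcopy(PROVENANCE)
    wrong_builder["predicate"]["runDetails"]["builder"]["id"] = "https://laptop.example/dev"
    fork_source = copy.deepcopy(PROVENANCE)
    fork_source["predicate"]["buildDefinition"]["externalParameters"]["source"]["uri"] = (
        "git+https://github.com/unrelated-fork/app@refs/heads/main"
    )
    # Image bytes changed after the build: its digest no longer appears as a subject.
    modified_digest = hashlib.sha256(ARTIFACT_BYTES + b"x").hexdigest()
    return {
        "genuine": verify_provenance(PROVENANCE, ARTIFACT_DIGEST, POLICY),
        "wrong_builder": verify_provenance(wrong_builder, ARTIFACT_DIGEST, POLICY),
        "fork_source": verify_provenance(fork_source, ARTIFACT_DIGEST, POLICY),
        "modified_image": verify_provenance(PROVENANCE, modified_digest, POLICY),
    }


if __name__ == "__main__":
    for name, (ok, reasons) in evaluate_samples().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'} {reasons}")
```

Only the genuine statement is allowed; a build from an untrusted builder, a build of a different repository, and an image modified after the build are each denied with a specific reason. The digest check is the one that ties the attestation to the artifact: signing and provenance are only meaningful if the deployed digest is exactly the subject that was attested.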