Securing the software supply chain: Open source for the SDLC
Discover how Dev(Sec)Ops enables organizations to secure the software supply chain by adopting OpenSSF/Linux Foundation and CNCF graduated project tools and integrating them into their workflows to improve the Software Development Life Cycle (SDLC).
With the growing complexity of software development, securing the software supply chain has never been more critical, and the Cyber Resilience Act (CRA) makes it crucial.
Join Kairo De Araujo as he guides you through essential CNCF and OpenSSF projects designed to address software supply chain security challenges. You'll discover in-toto (https://in-toto.io/), a framework that provides provenance attestation allowing traceability and verification of your software's journey from development to deployment, augmented by tools like Witness and Archivista for enhanced artifact provenance and monitoring. You'll also explore The Update Framework (TUF) (https://theupdateframework.io/) and Repository for TUF (RSTUF) (https://rstuf.org/), powerful frameworks for secure software distribution that ensure the integrity and authenticity of distributed software, attestations and SBOMs. These proven solutions have been successfully implemented by private organizations including Datadog, Lockheed Martin, and GitHub, as well as major open source projects like PyPI, NPM, and RubyGems. As a maintainer of these projects, Kairo will demonstrate how you can implement these tools to safeguard your software supply chain, reduce risks, and enhance SDLC trust. Expect actionable insights, hands-on examples, and a clear roadmap for integrating these solutions into your existing workflows.
Kairo De Araujo
Software Engineer - Open Source Security, Eclipse Foundation