
  <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
      <title>Chaos and Order</title>
      <link>https://www.youngju.dev/blog</link>
<description>Slowly and correctly. AI Researcher &amp; DevOps Engineer Youngju&#39;s tech blog. GPU/CUDA, LLM, MLOps, Kubernetes AI workloads, distributed training, and data engineering.</description>
      <language>ko</language>
      <managingEditor>fjvbn2003@gmail.com (Youngju Kim)</managingEditor>
      <webMaster>fjvbn2003@gmail.com (Youngju Kim)</webMaster>
      <lastBuildDate>Sat, 16 May 2026 00:00:00 GMT</lastBuildDate>
      <atom:link href="https://www.youngju.dev/tags/software-supply-chain/feed.xml" rel="self" type="application/rss+xml"/>
      
  <item>
    <guid>https://www.youngju.dev/blog/culture/2026-05-16-software-supply-chain-security-2026-sigstore-slsa-sbom-cyclonedx-spdx-chainguard-socket-jfrog-xray-snyk-deep-dive.en</guid>
    <title>Software Supply Chain Security 2026 — Sigstore, SLSA, SBOM (CycloneDX/SPDX), Chainguard Images, Socket.dev, JFrog Xray, Snyk Open Source, GUAC, in-toto, GitHub Actions OIDC Deep Dive</title>
    <link>https://www.youngju.dev/blog/culture/2026-05-16-software-supply-chain-security-2026-sigstore-slsa-sbom-cyclonedx-spdx-chainguard-socket-jfrog-xray-snyk-deep-dive.en</link>
<description>As of May 2026, software supply chain security is no longer optional. The 2020 SolarWinds Orion breach, the 2021 Log4Shell crisis, the March 2024 XZ Utils backdoor (the Jia Tan affair), and the steady drumbeat of npm and PyPI typosquats made that clear. The US followed Executive Order 14028 (2021) with the CISA Secure Software Development Attestation Form (2024); the EU adopted the Cyber Resilience Act in October 2024. In the same window Sigstore (cosign, fulcio, rekor), SLSA v1.1, in-toto, GUAC, CycloneDX 1.6, and SPDX 3.0 became standard candidates, while Chainguard Images, Wolfi OS, Socket.dev, JFrog Xray, Snyk Open Source, Endor Labs, and Phylum became commercial mainstays. This piece walks through 60-plus tools, standards, and incidents in one breath.</description>
    <pubDate>Sat, 16 May 2026 00:00:00 GMT</pubDate>
    <author>fjvbn2003@gmail.com (Youngju Kim)</author>
    <category>software-supply-chain</category><category>sigstore</category><category>slsa</category><category>sbom</category><category>cyclonedx</category><category>spdx</category><category>chainguard</category><category>socket-dev</category><category>jfrog-xray</category><category>snyk</category><category>guac</category><category>in-toto</category><category>english</category>
  </item>

  <item>
    <guid>https://www.youngju.dev/blog/culture/2026-05-16-software-supply-chain-security-2026-sigstore-slsa-sbom-cyclonedx-spdx-chainguard-socket-jfrog-xray-snyk-deep-dive.ja</guid>
<title>Software Supply Chain Security 2026 Complete Guide - Sigstore · SLSA · SBOM (CycloneDX/SPDX) · Chainguard Images · Socket.dev · JFrog Xray · Snyk Open Source · GUAC · in-toto · GitHub Actions OIDC Detailed Explanation</title>
    <link>https://www.youngju.dev/blog/culture/2026-05-16-software-supply-chain-security-2026-sigstore-slsa-sbom-cyclonedx-spdx-chainguard-socket-jfrog-xray-snyk-deep-dive.ja</link>
<description>As of May 2026, software supply chain security is no longer optional. The 2020 SolarWinds Orion incident, Log4Shell in 2021, the March 2024 XZ Utils backdoor (the Jia Tan affair), and the npm and PyPI typosquatting that recurs every week proved it. Following Executive Order 14028 (2021), the US made the CISA Secure Software Development Attestation Form (2024) mandatory, and the EU adopted the Cyber Resilience Act in October 2024. In the meantime, Sigstore (cosign, fulcio, rekor), SLSA v1.1, in-toto, GUAC, CycloneDX 1.6, and SPDX 3.0 were established as standard candidates, and Chainguard Images, Wolfi OS, Socket.dev, JFrog Xray, Snyk Open Source, Endor Labs, and Phylum took root as commercial tools. This article explains 60-plus tools, standards, and incidents in one go.</description>
    <pubDate>Sat, 16 May 2026 00:00:00 GMT</pubDate>
    <author>fjvbn2003@gmail.com (Youngju Kim)</author>
    <category>software-supply-chain</category><category>sigstore</category><category>slsa</category><category>sbom</category><category>cyclonedx</category><category>spdx</category><category>chainguard</category><category>socket-dev</category><category>jfrog-xray</category><category>snyk</category><category>guac</category><category>in-toto</category><category>日本語</category>
  </item>

  <item>
    <guid>https://www.youngju.dev/blog/culture/2026-05-16-software-supply-chain-security-2026-sigstore-slsa-sbom-cyclonedx-spdx-chainguard-socket-jfrog-xray-snyk-deep-dive</guid>
<title>Software Supply Chain Security 2026 Complete Guide - Sigstore · SLSA · SBOM (CycloneDX/SPDX) · Chainguard Images · Socket.dev · JFrog Xray · Snyk Open Source · GUAC · in-toto · GitHub Actions OIDC In-Depth Analysis</title>
    <link>https://www.youngju.dev/blog/culture/2026-05-16-software-supply-chain-security-2026-sigstore-slsa-sbom-cyclonedx-spdx-chainguard-socket-jfrog-xray-snyk-deep-dive</link>
<description>As of May 2026, software supply chain security is no longer optional. The 2020 SolarWinds Orion incident, Log4Shell in 2021, the March 2024 XZ Utils backdoor (the Jia Tan affair), and the npm and PyPI typosquatting that recurs every week proved that fact. Following Executive Order 14028 (2021), the US made the CISA Secure Software Development Attestation Form (2024) mandatory, and the EU adopted the Cyber Resilience Act in October 2024. In the meantime, Sigstore (cosign · fulcio · rekor), SLSA v1.1, in-toto, GUAC, CycloneDX 1.6, and SPDX 3.0 secured their place as standard candidates, and Chainguard Images · Wolfi OS · Socket.dev · JFrog Xray · Snyk Open Source · Endor Labs · Phylum secured their place as commercial tools. This article lays out 60-plus tools, standards, and incidents in a single breath.</description>
    <pubDate>Sat, 16 May 2026 00:00:00 GMT</pubDate>
    <author>fjvbn2003@gmail.com (Youngju Kim)</author>
    <category>software-supply-chain</category><category>sigstore</category><category>slsa</category><category>sbom</category><category>cyclonedx</category><category>spdx</category><category>chainguard</category><category>socket-dev</category><category>jfrog-xray</category><category>snyk</category><category>guac</category><category>in-toto</category>
  </item>

    </channel>
  </rss>
