SLSA-aligned build provenance
Generates SLSA-compatible attestations as build artifacts. Programs can demonstrate SLSA Level 3 or Level 4 maturity to auditors and downstream consumers without retrofitting later.
Checkmarx Software Supply Chain Security implements SLSA-aligned build provenance, Sigstore-compatible code signing, attestation, and SBOM lifecycle management so the AppSec program can prove what was built, by whom, and from what sources, end to end.
Through Merito, Checkmarx Software Supply Chain Security is wired up as SLSA-aligned attestation in the build, Sigstore-compatible signing, SBOM lifecycle management, and downstream verification policy so the supply chain produces audit-ready evidence rather than retrofit documentation.
What it is
Checkmarx Software Supply Chain Security is the build-and-release governance product inside the Checkmarx One Supply Chain pillar. It implements SLSA (Supply-chain Levels for Software Artifacts) build provenance attestation, Sigstore-compatible code signing, SBOM lifecycle management, and supply-chain attack-surface visualization. Where Malicious Package Protection blocks dependencies before the build and SCA scans dependencies after the build, Software Supply Chain Security covers the build itself: what was built, by what pipeline, from what sources, with what reviewers, signed by what key.
SLSA alignment is the load-bearing capability for regulated programs. SLSA defines four levels of build provenance maturity, with SLSA Level 3 typically required for federal and high-assurance commercial programs. Checkmarx generates SLSA-compatible attestations as build artifacts, so a downstream consumer can verify that this binary came from this commit, built by this pipeline, with these source dependencies. EO 14028, NIST SSDF, and supply-chain mandates increasingly require this evidence; programs without it have to retrofit later.
Sigstore-compatible signing closes the loop. Build artifacts get signed with short-lived keys backed by an OIDC identity, signatures get logged to a public transparency log (Rekor) or a private equivalent, and consumers verify signatures before deployment. The pattern eliminates long-lived signing keys that get stolen and forgotten and replaces them with verifiable, ephemeral signing tied to the actual identity that built the artifact.
What breaks Software Supply Chain Security adoption is partial implementation. Programs that turn on SLSA attestation but skip signing, or generate SBOMs but never verify them downstream, or sign artifacts but do not enforce signature verification at deployment, end up with documentation rather than enforcement. Merito's engagement implements the full chain: build provenance generation, signing, transparency log, SBOM lifecycle, and downstream verification. Without that, the program ships SLSA Level 1 documentation and calls it Level 3.
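The deployment-time verification the two paragraphs above describe, as an added example that is not Checkmarx's or Merito's code: a policy check over an in-toto Statement carrying a SLSA v1 provenance predicate, rejecting an artifact whose digest, builder identity, or pinned source does not match what the consumer trusts. The artifact bytes, builder id, repository URL and policy values are constructed for the example, and the DSSE signature and Rekor inclusion checks are assumed to have been done already by the Sigstore tooling.

```python
import hashlib

# Constructed sample: the artifact bytes and an in-toto Statement carrying a
# SLSA v1 provenance predicate, as a build system would emit beside the artifact.
ARTIFACT = b"fake release binary contents"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app-1.4.2-linux-amd64", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/build-types/ci-pipeline/v1",  # assumed value
            "resolvedDependencies": [
                {"uri": "git+https://github.com/example-org/app@refs/heads/main",  # assumed repo
                 "digest": {"gitCommit": "0123456789abcdef0123456789abcdef01234567"}}
            ],
        },
        "runDetails": {"builder": {"id": "https://example.invalid/builders/release-pipeline/v1"}},
    },
}
# Deployment-side policy: which builders and source repos this consumer trusts (assumed values).
POLICY = {
    "trusted_builders": {"https://example.invalid/builders/release-pipeline/v1"},
    "trusted_source_prefix": "git+https://github.com/example-org/",
}

def verify_provenance(artifact: bytes, statement: dict, policy: dict) -> list[str]:
    """Return policy violations; an empty list means the artifact may be deployed.
    Assumes the DSSE envelope signature and transparency-log inclusion were already
    verified by the Sigstore tooling; this covers the provenance content checks."""
    violations = []
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        violations.append("predicateType is not SLSA provenance v1")
    digest = hashlib.sha256(artifact).hexdigest()  # bind the attestation to these exact bytes
    if not any(s.get("digest", {}).get("sha256") == digest for s in statement.get("subject", [])):
        violations.append("artifact digest not listed in provenance subject")
    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in policy["trusted_builders"]:
        violations.append(f"untrusted builder: {builder}")
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    sources = [d for d in deps if d.get("uri", "").startswith("git+")]
    if not sources:
        violations.append("no source repository recorded in resolvedDependencies")
    for d in sources:  # source must be a trusted repo pinned to a specific commit
        if not d["uri"].startswith(policy["trusted_source_prefix"]) or not d.get("digest", {}).get("gitCommit"):
            violations.append(f"source not pinned to a trusted repo and commit: {d.get('uri')}")
    return violations
```

`verify_provenance(ARTIFACT, PROVENANCE, POLICY)` returns an empty list for the matching pair; any other bytes, an unlisted builder, or an unpinned source produce violations that a deployment gate should treat as a rejection.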
Ideal use cases
What it is best at
Short-lived signing keys backed by OIDC identity, signatures logged to a transparency log, and downstream verification. Replaces long-lived signing keys that get stolen and forgotten.
SBOMs generated at build, attached to release artifacts, verified at deployment, and updated as dependencies change. Programs that generate SBOMs and never verify them downstream get documentation, not enforcement.
Maps upstream sources, build pipelines, signing infrastructure, and downstream consumers in one view. Programs see the full chain rather than treating each layer as a separate audit.
Pairs with Malicious Package Protection, Repository Health, and SCA inside Checkmarx One for end-to-end supply-chain governance from sourcing through deployment.
Core capabilities
Producing audit-ready evidence as part of the build, not retrofitted afterward.
SLSA attestation generation
Generates in-toto SLSA attestations as build artifacts. Captures source commit, builder identity, build instructions, and source dependencies.
Build-pipeline integration
Hooks into Jenkins, GitHub Actions, GitLab CI, Azure DevOps, and Tekton so attestation generation is part of the build, not a separate step.
SLSA Level mapping
Maps current pipeline practices to SLSA Levels and surfaces the gaps to higher levels.
Replacing long-lived keys with verifiable, ephemeral signing.
Sigstore-compatible signing
Short-lived signing keys backed by OIDC identity, with transparency logging to Rekor or a private equivalent.
Verification at deployment
Downstream verification policy enforced before deployment. Unsigned or invalidly signed artifacts get rejected.
Artifact signing across registries
Container images, OCI artifacts, language-specific packages, and binary releases all get signed in the same flow.
SBOMs as evidence, not as a one-time export.
CycloneDX and SPDX SBOM generation
SBOMs generated at build in industry-standard formats, attached to release artifacts.
SBOM verification at deployment
Deployment-time verification that the SBOM matches the artifact and meets policy.
Supply-chain attack-surface map
Visualizes upstream sources, build pipelines, signing infrastructure, and downstream consumers in one view.
Cross-product correlation
Links to SCA, Malicious Package Protection, and Repository Health findings inside Checkmarx One.
Licensing and packaging
Checkmarx One Enterprise (includes Software Supply Chain Security)
Enterprise bundle adding Software Supply Chain Security, AI agents (Developer Assist, Triage and Remediation), AI Supply Chain Security, and premium SLAs.
Best for: Enterprise programs with regulated supply-chain mandates and federal-aligned compliance posture.
Software Supply Chain Security add-on (Advanced bundle customers)
Software Supply Chain Security added to an existing Checkmarx One Advanced subscription without the full Enterprise bundle.
Best for: Programs piloting SLSA-aligned governance without a full Enterprise upgrade.
Merito services
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
SLSA attestation wiring, signing infrastructure setup, transparency log configuration, SBOM lifecycle design, and verification policy.
Supply-chain governance scoping for Software Supply Chain Security alongside Anchore, JFrog Xray, and in-house SLSA programs.
Signed-build pipelines and verification policy embedded in CI/CD across the build fleet.
Platform engineering enablement around SLSA, Sigstore, and SBOM discipline.
Named engineer, priority SLAs, and release-time coverage for Software Supply Chain Security.
Long-term run support including signing-infrastructure operation, SLSA attestation maintenance, and SBOM lifecycle evolution.
Role-based training for DevSecOps architects, platform engineers, and compliance leads.
Merito-placed AppSec engineers and Checkmarx specialists embedded on long-running programs.
Checkmarx Software Supply Chain Security licensing
Software Supply Chain Security licensing comes with SLSA attestation wiring, Sigstore signing setup, SBOM lifecycle design, and downstream verification policy, which turn supply-chain governance into enforcement rather than documentation.
Merito point of view
Merito has audited supply-chain governance programs that generated SBOMs nobody verified, signed artifacts nobody checked at deployment, and produced SLSA attestations that no downstream consumer ever read. The documentation existed; the enforcement did not. Software Supply Chain Security is useful only when the full chain runs end to end: attestation at build, signing with short-lived keys, transparency logging, SBOM attachment to artifacts, verification at deployment, and rejection of artifacts that fail the policy.
Merito recommends Software Supply Chain Security specifically when the program is subject to EO 14028, NIST SSDF, federal contracting requirements, or sector-specific supply-chain mandates. For programs without those drivers, the value is real but the urgency is lower; SLSA Level 1 or Level 2 is often a defensible baseline. Merito surfaces the actual compliance landscape during scoping rather than upselling SLSA Level 3 as a default.
Sigstore-compatible signing replaces long-lived signing keys, which are the single most common supply-chain incident shape. Programs that maintain RSA signing keys in HSMs and rotate them every two years are running on borrowed time; programs that use ephemeral keys backed by OIDC identity have already moved past that risk. The migration is not optional for high-assurance programs.
Consultation request
Share your build-pipeline landscape, signing posture, and SLSA target. A Merito Checkmarx specialist follows up within one business day.
SLSA-aligned
SLSA-compatible attestations generated as part of the build. Audit-ready for EO 14028 and NIST SSDF.
Sigstore signing
Short-lived signing keys backed by OIDC identity. Long-lived signing keys are the most common supply-chain incident shape.
Next step
A Merito Software Supply Chain Security engagement implements the full SLSA chain end to end. Programs that generate attestations without downstream verification are documenting compliance, not delivering it.