State of the Union: Modern security approaches for the Software Supply Chain
Things you’ll learn
- Real world software supply chain threats
- Artifact lifecycle best practices
- SBOMs and attestations for real visibility and trust
- The move toward zero-trust for artifacts
Summary
Containerized software and artifact management processes and technology have become soft spots in your software supply chain security — and attackers know it. From compromised CI/CD workflows to malicious open source packages, the threat surface has expanded — and attackers are increasingly targeting containers, registries, and build pipelines. Yet, many organizations still rely on default configurations, public registries, and unsigned packages — leaving critical blind spots in their security posture.
In this live session, Michael Donovan (VP of Product, Docker), Ralph McTeggart (Principal Engineer, Cloudsmith), and Jack Gibson (Senior Software Engineer, Cloudsmith) will walk through how leading teams are securing their software supply chains — with a sharp focus on artifact management. You’ll get a front-line view of how threats are evolving, how cybersecurity is reshaping security priorities, and what real-world strategies teams are using to lock down the full artifact lifecycle.
Topics will include
- How attackers are targeting the software supply chain — and where your blind spots are; from tampered images to compromised CI/CD workflows, we’ll unpack real-world examples of how artifacts are being exploited — and why containers, public registries, and unsigned packages are common weak points
- What a secure artifact lifecycle looks like in practice; learn the technical building blocks of a secure pipeline: signing, provenance via SLSA, tamper-proof storage, and enforcing policies without adding friction to dev workflows
- How SBOMs and attestations create real visibility and trust. We’ll show how to integrate SBOMs and signed metadata into your pipeline for traceability — without slowing teams down
- How to move toward zero-trust for artifacts; explore how forward-thinking teams are adopting cryptographic verification, trusted sources, and immutable audit logs to lock down the full software delivery process