CASE 40 · LINDEN · 2026
Container images you can prove the lineage of.
A devtools company shipping container images to enterprise customers had to answer "what’s in this image" for every customer security questionnaire. The answers were assembled by hand each time. We built a supply-chain pipeline that ships SBOMs and signatures with every image.
DevTools
SECURITY
2026
RESULTS
What changed, by the numbers.
SBOM COVERAGE
100%
TIME-TO-RESPOND
< 1h
SLSA LEVEL
L3
CUSTOMER QUESTIONNAIRES
−87%
HOW IT WENT
The trigger was a customer asking, in writing, whether a specific vulnerable library was in any version of the product. Answering required a senior engineer to grep through Dockerfiles, sub-Dockerfiles, and a handful of vendor-provided base images. It took most of a day.
We added Syft to the build pipeline to emit an SBOM per image, Grype to scan it, and cosign (with KMS-backed signing keys) to sign both the image and the SBOM. Build provenance attestations followed the SLSA L3 spec. ECR stored the attached artifacts; an S3 archive (Object Lock) retained an immutable history.
The next customer questionnaire was answered in under an hour by querying the SBOM corpus. The internal CVE response runbook now starts with `grype db update && grype attest:image` rather than `grep`. The team reclaimed roughly four engineering days per month.
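The questionnaire query described above, as an added illustration rather than the engagement's own tooling: index a corpus of per-image SBOMs (CycloneDX or SPDX JSON, the formats Syft emits) by component name and answer "which images contain library X, and which are older than the fixed version?" The image names, versions and SBOM contents are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed corpus: one CycloneDX SBOM per image tag, as Syft would emit.
# Image names and package versions are hypothetical.
SBOM_CORPUS = {
    "registry.example/app:1.4.0": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
            {"name": "openssl", "version": "3.0.2", "purl": "pkg:deb/debian/openssl@3.0.2"},
            {"name": "libxml2", "version": "2.9.14", "purl": "pkg:deb/debian/libxml2@2.9.14"}]}),
    "registry.example/app:1.5.0": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
            {"name": "openssl", "version": "3.0.13", "purl": "pkg:deb/debian/openssl@3.0.13"}]}),
}

def components(sbom_json):
    """Yield (name, version, purl) from a CycloneDX or SPDX 2.x JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") == "CycloneDX":
        for c in doc.get("components", []):
            yield c.get("name", ""), c.get("version", ""), c.get("purl", "")
    elif "spdxVersion" in doc:
        for p in doc.get("packages", []):
            purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), "")
            yield p.get("name", ""), p.get("versionInfo", ""), purl
    else:
        raise ValueError("unrecognised SBOM format")

def build_index(corpus):
    """Map lower-cased component name -> [(image, version, purl), ...]."""
    index = defaultdict(list)
    for image, sbom in corpus.items():
        for name, version, purl in components(sbom):
            index[name.lower()].append((image, version, purl))
    return index

def where_is(index, name):
    """Which images ship <name>? Returns sorted (image, version) pairs."""
    return sorted((img, ver) for img, ver, _ in index.get(name.lower(), []))

def _key(v):
    """Naive dotted-numeric ordering; real version semantics are ecosystem-specific,
    which is why a scanner such as Grype, not this helper, decides vulnerability."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def affected(index, name, fixed_in):
    """Images whose copy of <name> is older than the version that carries the fix."""
    return sorted((img, ver) for img, ver, _ in index.get(name.lower(), [])
                  if _key(ver) < _key(fixed_in))
```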
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.