Most companies have CI/CD pipelines. We had one too — tests ran, containers got built, code shipped to production. But having a working pipeline and having a defensible supply chain story are two different things.
When a CISO asks "How do I know your container images haven't been tampered with?", you can't just say "trust us." You need cryptographic proof. When an investor asks "What's your supply chain maturity?", saying "we have GitHub Actions" isn't enough. You need SLSA Level 3 compliance with attestations.
This is the story of how we turned "we have CI/CD" into a versioned go-to-market assetcalled Supply Chain v1.0.
Why Invest in Commercial-Grade Supply Chain?
The Before State
- ❌Working pipeline, but no external documentation for CISOs
- ❌Container images built and pushed, but no signatures or provenance
- ❌No SBOMs (Software Bill of Materials) for transparency
- ❌Releases just happened — no traceable version history
- ❌Security questionnaires took hours to answer from scratch
The After State (Supply Chain v1.0)
- Cryptographically signed containers (Cosign with GitHub OIDC)
- Complete SBOMs for every service in SPDX format
- SLSA Level 3 compliance with full provenance trails
- Public GitHub releases with artifacts anyone can verify
- Complete documentation suite for CISOs, investors, and engineers
The Design: Fast Track vs Heavy Freight
We needed speed for development AND security for production. The solution: one workflow, two paths.
Fast Track
For development iteration
- • Branch push triggers tests
- • Fast deployment to dev/staging
- • No signatures (pre-production only)
- • Optimized for developer velocity
Heavy Freight
For production releases
- • Platform tag triggers full build
- • Cosign signatures on all images
- • SBOMs generated (SPDX format)
- • GitHub release with artifacts
- • Optimized for auditability
Unified Workflow Architecture
┌─────────────────────────────────────────────┐ │ .github/workflows/platform-release.yml │ │ │ │ Trigger: branch push OR platform tag │ │ ↓ │ │ ┌──────────────────┐ │ │ │ Run Tests │ (Always) │ │ └────────┬─────────┘ │ │ ↓ │ │ ┌──────────────────┐ │ │ │ Build & Sign? │ (Only on tags) │ │ │ • Cosign │ │ │ │ • SBOM │ │ │ │ • Release │ │ │ └────────┬─────────┘ │ │ ↓ │ │ ┌──────────────────┐ │ │ │ Deploy │ (Environment-aware) │ │ └──────────────────┘ │ └─────────────────────────────────────────────┘
Key Insight: One workflow means zero configuration drift. The same job definitions, the same dependency graph, the same audit trail — whether you're shipping to dev or production.
The Proof: Platform v3.1.1 Live Fire
We validated the entire Heavy Freight path with platform/v3.1.1 — a live fire test that created real GitHub releases with real signatures.
What Happened
- Tests passed (187 tests across gateway, api, web)
- Build completed (containers built for gateway:v3.1.1, api:v3.1.1)
- Signatures attached (Cosign keyless with GitHub OIDC)
- SBOMs generated (gateway.spdx.json, api.spdx.json)
- GitHub release created (with 3 downloadable artifacts)
Total Execution Time
10 minutes
From tag push to signed release on GitHub
You Can Verify It Right Now
Don't take our word for it. Run these commands yourself to verify Platform v3.1.1:
Install Cosign (one-time)
brew install cosignVerify Gateway signature
cosign verify ghcr.io/railguardai/railguard-gateway/gateway:v3.1.1 \ --certificate-identity-regexp='^https://github.com/RailguardAI/railguard-gateway' \ --certificate-oidc-issuer='https://token.actions.githubusercontent.com'
Download and inspect SBOM
gh release download v3.1.1 -R RailguardAI/railguard-gateway
cat gateway.spdx.json | jq '.packages[] | {name, version}'Why This Matters: These aren't simulated results. Platform v3.1.1 is a real release you can independently verify. The signatures prove it came from our GitHub Actions, not a compromised laptop. The SBOMs show every dependency. The workflow logs are public and auditable.
Documentation as Product
Supply Chain v1.0 isn't just pipelines and signatures. It's also a complete documentation suite — because infrastructure without communication is invisible value.
For CISOs & Security Reviewers
Trust Center Release Process — External documentation mapping our release pipeline to compliance frameworks (SLSA, SOC 2, ISO 27001, FedRAMP). Includes 63-point security control inventory.
For Engineering Teams
Release Pattern Guide — Operational how-to for creating v3.2.x, v3.3.x releases. Three-step process: create tag, monitor workflow, verify artifacts.
For Investors & Partners
Platform v3.1.1 Release Dossier — Complete verification instructions with live examples. Includes workflow run details, artifact hashes, Cosign verification commands.
For Sales & Marketing
Ready-to-Paste Assets — Website sections, email templates, social posts, and presentation slides. Zero editing required — just copy and use.
Total Documentation: 10 files, 2,668+ lines. From executive one-pagers to step-by-step engineering guides. All in the repo, version-controlled alongside the code.
Business Impact
Competitive Moat
Supply Chain v1.0 isn't just about shipping faster or more securely. It's about defensible differentiation:
- • Most competitors: "We have CI/CD" (table stakes)
- • Railguard: "Here's our signed v3.1.1 release you can verify right now" (proof)
- • Most competitors: "We take security seriously" (words)
- • Railguard: "Download our SBOM and scan it yourself" (evidence)
What's Next
Supply Chain v1.0 is live, but this is just the foundation. Here's what we're building next:
Policy Attestations
Automated policy checks as part of the release process (e.g., "no critical CVEs", "all tests passed", "approved by security team")
Air-Gapped Deployment Support
Enable customers to verify signatures in fully disconnected environments (offline bundle with verification tools)
Continuous Verification Dashboard
Real-time dashboard showing signature verification status for all deployed environments
Lessons Learned
1. Documentation is Product
We wrote 2,668 lines of documentation because infrastructure without communication is invisible value. The Trust Center doc has already been requested by three CISOs. The ready-to-paste assets saved 2 hours on our website update.
2. Productize Infrastructure
Saying "we have CI/CD" is a feature. Releasing "Supply Chain v1.0" is a product. Versioning forces completeness (you can't ship v1.0 without docs). The supply-chain/v1.0 tag will be our canonical anchor forever.
3. Break the Seal Early
We activated our first asset (changelog entry) the same day we created it. Immediate usage validates your documentation instantly. If it's not good enough to use today, it won't magically get better sitting in the repo.
Want to See It in Action?
Everything in this post is real and verifiable right now. Run the verification commands, download the SBOMs, read the documentation — it's all public.