From Passive Data to Active Defense: Supply Chain Policy-as-Code with Conforma

The modern software supply chain is no longer suffering from a lack of data. Between SBOMs, SLSA provenance, and vulnerability scans, DevOps teams are drowning in attestations. However, a critical gap remains: the ability to aggregate this diverse evidence and enforce consistent, automated security decisions. Simply having an SBOM does not secure your pipeline; verifying its content against a trusted policy does.

In this talk, we introduce Conforma, an open-source tool designed to address the enforcement gap in supply chain security. We will move beyond static documentation and demonstrate how to implement an automated, blocking Policy Gate that enforces integrity before deployment.

Attendees will learn how to transition from passive observation to active enforcement using Policy-as-Code. We will demonstrate how Conforma acts as a central engine that ingests various security artifacts, including SBOMs, in-toto attestations, and vulnerability reports, to evaluate them against strict policies.

To provide a detailed look at the tool's capabilities, we will showcase two concrete policy checks: SBOM Content Hygiene and SLSA Provenance.

Attendees will leave with a clear understanding that supply chain data is only as valuable as the policies that enforce it. They will learn how Conforma automates this verification, turning a passive collection of attestations into an active, enforceable defense system.

Conforma: https://conforma.dev/ SLSA Provenance: https://slsa.dev/spec/v1.1/provenance In-toto: https://in-toto.io/