[Verse 1]
Repository midnight, shadows creep inside
Maintainer's credentials stolen, nowhere left to hide
Typosquatters lurking with their poisonous deceit
Dependency confusion makes your pipeline incomplete
[Chorus]
Code we trust along the road
Signatures and hashes hold the load
SLSA levels climbing high
Attestations never lie
Verify before you go
Pin the hash and watch it grow
Provenance will tell the tale
When attackers try to fail
[Verse 2]
Registry corruption spreading through the wire
CI systems bleeding secrets, setting builds on fire
Signing keys get pilfered in the digital heist
Every artifact suspicious, nothing can be diced
[Chorus]
Code we trust along the road
Signatures and hashes hold the load
SLSA levels climbing high
Attestations never lie
Verify before you go
Pin the hash and watch it grow
Provenance will tell the tale
When attackers try to fail
[Bridge]
Sigstore cosign checking every single trace
Build environment captured, nothing out of place
Level one to four ascending, maturity unfolds
Cryptographic evidence worth more than liquid gold
[Verse 3]
Hash pinning locks the doorway, checksum standing guard
Attestation documents make tampering quite hard
Build provenance remembers every tool and date
Supply chain transparency seals the package fate
[Final Chorus]
Code we trust along the road
Signatures and hashes hold the load
SLSA levels climbing high
Attestations never lie
Verify before you go
Pin the hash and watch it grow
Provenance will tell the tale
When attackers always fail
[Outro]
Trust but verify the chain
Security's our lasting gain