This demo walks through a full software supply chain flow:
- Start with a vulnerable image (Python 3.12.11 with outdated OpenSSL)
- Detect vulnerabilities
- Detect a Chainguard SLA-driven update
- Upgrade to Python 3.12.12
- Confirm the OpenSSL vulnerability was fixed within 1 day and 15 hours
- Only continue if vulnerabilities were actually removed
- Sign the image
- Attach a vulnerability attestation
- Deploy to Kubernetes
- Kyverno enforces policy at admission
This demonstrates zero-trust image promotion and policy-driven enforcement.
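The promotion gate at the heart of this flow ("only continue if vulnerabilities were actually removed", plus the time-to-fix check), as an added example rather than the demo's own scripts: it diffs a before and after scan and refuses to promote if any finding survives or a new one appears. The demo does not name its scanner, so the JSON shape, placeholder CVE ids, timestamps and function names below are all constructed assumptions.

```python
import json
from datetime import datetime

# Constructed scan results in a simplified scanner-style shape (not real output).
SCAN_BEFORE = json.dumps({"image": "python:3.12.11", "matches": [
    {"id": "CVE-PLACEHOLDER-1", "severity": "High", "package": "openssl"},
    {"id": "CVE-PLACEHOLDER-2", "severity": "Medium", "package": "openssl"},
]})
SCAN_AFTER = json.dumps({"image": "python:3.12.12", "matches": []})


def vuln_ids(scan_json):
    """Return the set of vulnerability IDs reported for one image."""
    return {m["id"] for m in json.loads(scan_json)["matches"]}


def promotion_gate(before_json, after_json):
    """Decide whether the rebuilt image may proceed to signing and deploy.

    Promote only if every finding from the vulnerable image is gone and the
    rebuild introduced nothing new; anything else fails the pipeline step.
    """
    before, after = vuln_ids(before_json), vuln_ids(after_json)
    report = {
        "fixed": sorted(before - after),       # present before, gone now
        "remaining": sorted(before & after),   # still present after rebuild
        "introduced": sorted(after - before),  # new findings from the rebuild
    }
    report["promote"] = not report["remaining"] and not report["introduced"]
    return report


def time_to_fix(published, fixed_available):
    """Elapsed time from advisory publication to the fixed image.

    Both inputs are RFC 3339 UTC timestamps with a trailing Z.
    """
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(fixed_available, fmt) - datetime.strptime(published, fmt)


def within_sla(published, fixed_available, limit_hours):
    """True if the fix landed within a caller-supplied SLA window (assumption)."""
    return time_to_fix(published, fixed_available).total_seconds() <= limit_hours * 3600


if __name__ == "__main__":
    result = promotion_gate(SCAN_BEFORE, SCAN_AFTER)
    # Constructed timestamps 39 hours apart, matching the 1 day 15 hour figure.
    print(result, time_to_fix("2025-10-01T00:00:00Z", "2025-10-02T15:00:00Z"))
    if not result["promote"]:
        raise SystemExit("vulnerabilities still present; refusing to sign or deploy")
```

In a CI job the non-zero exit from the failed gate is what stops the cosign sign and attest steps from running.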
