Fintech: SBOM and signed-image rollout pre-SOC 2
Illustrative composite · no named client · metrics typical of patterns we work in
Every software release signed and inventoried, with verifiable build history. First SOC 2 Type 2 audit closed with zero findings.
Problem
A fintech six months out from its first SOC 2 Type 2 audit had no software-supply-chain controls in place. Container images were unsigned, no SBOMs were generated, and image scanning in CI was advisory-only: findings were reported but never blocked a release.
The internal security team had a list of 30+ controls to demonstrate; the engineering team had no automation against any of them.
Approach
Wired Sigstore image signing into the GitHub Actions release workflow. Every image gets a keyless signature; the deployment cluster's admission controller rejects unsigned images.
Generated Syft SBOMs per release, published as release artifacts and ingested into the security team's vulnerability-tracking pipeline.
Configured Trivy as a blocking CI gate, with a curated allowlist for known and accepted CVEs so that only reviewed exceptions pass. Documented the process for adding to and reviewing the allowlist.
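The three steps above come together in the CI gate. The following is an added example, not the engagement's own tooling and not Trivy's built-in ignore mechanism: a small Python gate that reads a Trivy JSON report (a constructed sample with placeholder CVE identifiers), compares every HIGH or CRITICAL finding against a curated allowlist, and blocks the build on anything not covered. The allowlist format (id, package, owner, justification, expires) is an assumption made for this example; the report layout follows Trivy's Results[].Vulnerabilities[] JSON output. Expired exceptions are reported separately so that an allowlist entry cannot silently outlive the review that justified it.

```python
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample of a Trivy JSON report, trimmed to the fields the gate reads.
# Field names follow Trivy's JSON output (Results[].Vulnerabilities[]); the CVE
# identifiers are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "registry.example/app:1.4.2 (alpine 3.18)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",   "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libthird",   "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libstale",   "Severity": "HIGH"},
            ],
        }
    ]
})

# Hypothetical allowlist format (an assumption for this example): every accepted
# CVE is tied to a package, an owner, a written justification and an expiry date.
SAMPLE_ALLOWLIST = [
    {"id": "CVE-0000-0001", "package": "libexample", "owner": "appsec",
     "justification": "Vulnerable code path not reachable; tracked in risk register (placeholder)",
     "expires": "2099-01-01"},
    {"id": "CVE-0000-0004", "package": "libstale", "owner": "platform",
     "justification": "Fix pending upstream", "expires": "2020-01-01"},  # lapsed exception
]

# Severities at or above which an unaccepted finding fails the build.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    severity: str
    target: str


def parse_trivy_report(report_json: str) -> list[Finding]:
    """Flatten Trivy's Results[].Vulnerabilities[] into Finding records.
    Trivy emits null for Vulnerabilities on a clean target, hence the 'or []'."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                cve=vuln["VulnerabilityID"],
                package=vuln["PkgName"],
                severity=vuln["Severity"].upper(),
                target=result.get("Target", ""),
            ))
    return findings


def evaluate_gate(findings: list[Finding], allowlist: list[dict], as_of: str) -> dict[str, list[str]]:
    """Classify findings at or above the blocking threshold as of the ISO date as_of.

    'accepted': covered by an unexpired allowlist entry (CVE id AND package must match,
                so an exception for one package does not leak to another);
    'expired':  an entry exists but has lapsed; listed for visibility and also blocking;
    'blocking': everything else at HIGH/CRITICAL."""
    today = date.fromisoformat(as_of)
    active, expired = {}, {}
    for entry in allowlist:
        key = (entry["id"], entry["package"])
        if date.fromisoformat(entry["expires"]) >= today:
            active[key] = entry
        else:
            expired[key] = entry

    verdict = {"accepted": [], "expired": [], "blocking": []}
    for f in findings:
        if f.severity not in BLOCKING_SEVERITIES:
            continue
        key = (f.cve, f.package)
        if key in active:
            verdict["accepted"].append(f.cve)
        elif key in expired:
            verdict["expired"].append(f.cve)
            verdict["blocking"].append(f.cve)
        else:
            verdict["blocking"].append(f.cve)
    return verdict


def gate_passes(report_json: str, allowlist: list[dict], as_of: str) -> bool:
    """True when no HIGH/CRITICAL finding is left unaccepted."""
    return not evaluate_gate(parse_trivy_report(report_json), allowlist, as_of)["blocking"]


if __name__ == "__main__":
    import sys
    verdict = evaluate_gate(parse_trivy_report(SAMPLE_REPORT), SAMPLE_ALLOWLIST, date.today().isoformat())
    for kind, cves in verdict.items():
        print(f"{kind}: {', '.join(cves) or '-'}")
    sys.exit(0 if not verdict["blocking"] else 1)
```

In a pipeline this would run after `trivy image --format json` on the image that was just signed, with the allowlist kept in the repository under code review so that every exception carries an owner and an expiry that the audit can trace.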
Outcome
"Going into the audit, supply chain was the part we were most worried about. It came out the cleanest piece of the engagement, with no findings on the controls in scope and no remediation work on signing or SBOM coverage."