Building a SLSA Pipeline for Container Applications: Securing Your Software Supply Chain from Source to Registry
Supply chain attacks target your build pipeline, not just your application code. This guide walks through implementing SLSA Level 2–3 for container images using Cosign, Sigstore keyless signing, and GitHub Actions provenance generation, with real workflow examples and Kubernetes policy enforcement.
