Modern software isn't written; it's assembled. With 90% of code coming from open source, how do you know what you are actually deploying? This talk takes a journey through the "Trusted Software Supply Chain." We will move beyond simple scanning and explore how we use a Software Bill of Material (SBOM) and Cryptography Bill of Material (CBOM), and how to cryptographically sign our code and pipelines. Using tools like Tekton and Sigstore, attendees will learn to establish a robust "chain of custody" - ensuring that the code running in production is exactly what your developers committed, with no tamper-room in between.