Notes
Building a self-hosted supply chain security pipeline
I built ipxis to answer a question I kept coming back to: how much of a secure software delivery pipeline can I own end to end without depending on opaque hosted services? On a Debian homelab I run Podman workloads for Gitea, Woodpecker CI, Zot, Authentik, OpenBao, and Ollama. That setup lets me generate SBOMs with Syft, scan artifacts with Grype, sign images with Cosign, and store the signed results in a registry I control.
The most useful part of the system is not any single tool. It is the chain of evidence between them. A pull request triggers a build in Woodpecker, the build produces an SBOM, the SBOM is scanned and archived, and only then is the image signed and pushed to Zot. Secrets come from OpenBao, identity is enforced through Authentik, and every step stays inside infrastructure I can audit. That matters when you care about software provenance rather than just passing a CI job.
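The chain just described, written out as a Woodpecker pipeline. This is an example added here, not ipxis's own pipeline file; the tooling image name, registry host, image name and secret names are assumptions.

```yaml
# Added example, not the ipxis project's own pipeline. Assumed names: tooling image
# zot.homelab.lan/ci/sc-tools (buildah, syft, grype, skopeo, cosign), registry host
# zot.homelab.lan, image name app, secrets cosign_key/cosign_password/registry_token.
steps:
  - name: build
    image: zot.homelab.lan/ci/sc-tools
    commands:
      # vfs storage plus chroot isolation lets buildah run in an unprivileged step
      - buildah --storage-driver vfs build --isolation chroot -t app:${CI_COMMIT_SHA} .
      - buildah --storage-driver vfs push app:${CI_COMMIT_SHA} oci-archive:app.tar
  - name: sbom
    image: zot.homelab.lan/ci/sc-tools
    commands:
      - syft scan oci-archive:app.tar -o spdx-json > sbom.spdx.json
  - name: scan
    image: zot.homelab.lan/ci/sc-tools
    commands:
      # judge the archived SBOM itself; a non-zero exit stops the pipeline before signing
      - grype sbom:sbom.spdx.json --fail-on high
  - name: push
    image: zot.homelab.lan/ci/sc-tools
    when:                       # PRs get built and scanned, only merged main is published
      - event: push
        branch: main
    environment:
      REGISTRY_TOKEN:
        from_secret: registry_token
    commands:
      - skopeo copy --dest-creds "ci:${REGISTRY_TOKEN}" --digestfile digest.txt
          oci-archive:app.tar docker://zot.homelab.lan/app:${CI_COMMIT_SHA}
  - name: sign
    image: zot.homelab.lan/ci/sc-tools
    when:
      - event: push
        branch: main
    environment:
      COSIGN_PRIVATE_KEY:
        from_secret: cosign_key
      COSIGN_PASSWORD:
        from_secret: cosign_password
    commands:
      # sign the immutable digest, not the tag, and attach the SBOM as an attestation
      - cosign sign --key env://COSIGN_PRIVATE_KEY zot.homelab.lan/app@$(cat digest.txt)
      - cosign attest --key env://COSIGN_PRIVATE_KEY --type spdxjson
          --predicate sbom.spdx.json zot.homelab.lan/app@$(cat digest.txt)
```

On the consuming side, `cosign verify --key cosign.pub zot.homelab.lan/app@<digest>` (and `cosign verify-attestation --type spdxjson`) is what turns the stored signature and SBOM into an enforced check at deploy time.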
What surprised me is how approachable the stack becomes when you design for small, composable steps. Instead of treating supply chain security as an enterprise-only concern, I treat it like good engineering hygiene: know what you built, know what is inside it, know who approved it, and make verification the default path instead of an optional extra.