Supply Chain Security
Practices for ensuring the integrity and security of all dependencies, tools, and processes comprising the software development pipeline.
seed#supply-chain#security#sbom#dependencies#slsa#sigstore
What it is
Software supply chain security protects against attacks compromising dependencies, build tools, or distribution processes. Attacks like SolarWinds and Log4Shell demonstrated its importance.
Attack vectors
| Vector | Real-world example | Mitigation |
|---|---|---|
| Malicious dependencies | Typosquatting on npm/PyPI | Lockfiles, dependency review |
| Build system compromise | SolarWinds (2020) | Hermetic builds, SLSA Level 3+ |
| CI/CD pipeline injection | Codecov breach (2021) | Least privilege, rotated secrets |
| Compromised images | Base images with vulnerabilities | Scanning with Trivy, signed images |
Mitigation practices
- SBOM: Software Bill of Materials (dependency inventory)
- Dependency scanning: Snyk, Dependabot, Trivy
- Artifact signing: cosign, Sigstore
- SLSA: Supply-chain Levels for Software Artifacts (maturity framework)
- Lockfiles: exact dependency versions
SLSA Levels
| Level | Requirements |
|---|---|
| 1 | Build process documentation |
| 2 | Hosted build service, retained logs |
| 3 | Isolated build, verifiable provenance |
| 4 | Hermetic build, two-party review |
Why it matters
Software supply chain attacks exploit trust in third-party dependencies. A single compromised package can affect thousands of applications. Verifying signatures, auditing dependencies, and using SBOMs are essential defensive practices.