Supply chain attacks are increasing. This guide covers protecting your software supply chain from source to deployment.
Attack Vectors
Compromised Dependencies
1
2
3
| # Check for known vulnerabilities
npm audit
pip-audit
|
Malicious Commits
1
2
3
4
| # Required code review
branch_protection:
required_reviews: 2
require_code_owner_review: true
|
Build System Compromise
1
2
3
4
5
6
| # Isolated build environments
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
|
SBOM (Software Bill of Materials)
Generate SBOM
1
2
3
4
5
| # Syft
syft packages dir:. -o spdx-json > sbom.json
# CycloneDX
cyclonedx-cli generate -o sbom.xml
|
Verify Dependencies
1
2
3
4
5
6
| {
"dependencies": {
"express": "4.18.2", // Pinned version
"lodash": "^4.17.21" // ❌ Avoid ^ or ~
}
}
|
Signing and Verification
Sigstore
1
2
3
4
5
| # Sign artifact
cosign sign-blob --key cosign.key artifact.tar.gz
# Verify
cosign verify-blob --key cosign.pub --signature artifact.sig artifact.tar.gz
|
In-toto
1
2
3
4
5
6
7
8
| # Define supply chain layout
layout = Layout({
"steps": [{
"name": "build",
"expected_materials": [["MATCH", "src/*", "WITH", "PRODUCTS", "FROM", "checkout"]],
"expected_products": [["CREATE", "bin/app"]]
}]
})
|
Dependency Management
Lock Files
Always commit:
- package-lock.json (npm)
- Pipfile.lock (Python)
- go.sum (Go)
- Cargo.lock (Rust)
Automated Updates
1
2
3
4
5
6
7
8
| # Dependabot
version: 2
updates:
- package-ecosystem: npm
directory: "/"
schedule:
interval: weekly
open-pull-requests-limit: 10
|
Build Provenance
SLSA Framework
1
2
3
4
5
| # SLSA Level 3
- Source integrity verified
- Build service isolated
- Provenance generated
- All dependencies pinned
|
Best Practices
- Pin all dependencies
- Verify signatures
- Generate SBOMs
- Scan for vulnerabilities
- Use trusted registries
- Implement code signing
- Audit third-party code
- Monitor for updates
Conclusion
Supply chain security requires vigilance at every stage. Implement these practices to protect against increasingly sophisticated attacks.