Supply Chain Security

Supply chain security protects your software from attacks that compromise dependencies, build systems, or distribution mechanisms. From SolarWinds to Log4Shell, supply chain attacks have become one of the most severe security threats facing modern software development.

This guide teaches you how to secure your entire software supply chain using Software Bill of Materials (SBOM), artifact signing with Sigstore, and SLSA framework compliance.

Why Supply Chain Security Matters

Modern applications depend on hundreds of third-party components:

• Dependencies at scale — Average Node.js app has 1,000+ transitive dependencies
• Blind trust — Most teams don't verify what they're actually running
• Attack surface — Each dependency is a potential entry point
• Cascading impact — One compromised package affects thousands of applications

Real-world supply chain attacks:

• SolarWinds (2020) — Compromised build system injected malware into software updates, affecting 18,000+ organizations
• Codecov (2021) — Bash uploader script compromised, exposing CI/CD secrets for hundreds of companies
• Log4Shell (2021) — Critical RCE in widely-used logging library affected millions of applications
• event-stream npm (2018) — Malicious maintainer added Bitcoin-stealing code to popular package
• ua-parser-js npm (2021) — Hijacked npm account published malicious versions

What You'll Learn

This guide covers essential supply chain security practices:

1. SBOM Fundamentals — Generate and manage Software Bill of Materials
2. Artifact Signing — Sign and verify artifacts with Sigstore/Cosign
3. SLSA Framework — Implement Supply chain Levels for Software Artifacts
4. CI/CD Integration — Automate supply chain security in your pipeline

Quick Comparison

Tool/Framework	Purpose	When to Use
SBOM	Inventory dependencies	Always (compliance requirement)
Sigstore/Cosign	Sign artifacts	Container images, binaries
SLSA	Build provenance	Entire supply chain
Syft	Generate SBOMs	Open source, simple
Grype	Vulnerability scanning	Pair with Syft
in-toto	Supply chain attestation	Advanced provenance

The Three Pillars

Supply Chain Security
├── SBOM (What's Inside?)
│   └── Track all components and dependencies
│
├── Signing (Can We Trust It?)
│   └── Verify authenticity of artifacts
│
└── SLSA (How Was It Built?)
    └── Prove build integrity and provenance

Key Concepts

Software Bill of Materials (SBOM)

A machine-readable inventory of your software components:

{
  \"bomFormat\": \"CycloneDX\",
  \"components\": [
    {
      \"name\": \"express\",
      \"version\": \"4.18.2\",
      \"purl\": \"pkg:npm/[email protected]\",
      \"licenses\": [{ \"license\": { \"id\": \"MIT\" }}]
    }
  ]
}

Use cases:

• Vulnerability tracking ("Do we use Log4j?")
• License compliance
• Incident response
• Regulatory requirements (FDA, NTIA)

Artifact Signing

Cryptographically prove artifact authenticity:

# Sign container image
cosign sign ghcr.io/myorg/myapp:v1.0.0

# Verify before deployment
cosign verify ghcr.io/myorg/myapp:v1.0.0 \\
  [email protected]

Prevents:

• Malicious image injection
• Man-in-the-middle attacks
• Compromised registries

SLSA Framework

Supply chain Levels for Software Artifacts — a security framework with 4 levels:

Level	Requirements	Protection
SLSA 1	Provenance exists	Basic build documentation
SLSA 2	Signed provenance	Tamper-evident builds
SLSA 3	Hardened builds	Build platform integrity
SLSA 4	Two-party review	Hermetic, reproducible builds

Next Steps

Start with the fundamentals:

1. SBOM Fundamentals — Learn to generate and use Software Bills of Materials
2. Artifact Signing with Sigstore — Sign and verify artifacts
3. SLSA Framework — Implement build provenance
4. CI/CD Integration — Automate everything

---

Remember: Supply chain security is not optional in 2025. Start with SBOM generation, add signing, then work toward SLSA compliance.