
Software Supply Chain Security: Trust Nothing You Did Not Build (and Verify What You Did)

#security#devops#ci-cd#supply-chain#compliance

SolarWinds. Log4Shell. Codecov. The last five years have demonstrated that the software supply chain is the most underprotected attack surface in modern engineering. Securing it requires a shift from trusting artifacts by default to verifying provenance at every stage.

Attack Vector Taxonomy

Supply Chain Attack Vectors
├── Source Code
│   ├── Compromised developer account
│   ├── Malicious commit / pull request
│   ├── Dependency confusion (internal vs public package names)
│   └── Typosquatting (similar package names)
├── Build System
│   ├── Compromised CI/CD pipeline
│   ├── Poisoned build cache
│   ├── Malicious build plugin / action
│   └── Secrets exfiltration from build environment
├── Dependencies
│   ├── Malicious upstream package (event-stream, ua-parser-js)
│   ├── Unmaintained dependency with known CVEs
│   ├── Transitive dependency risk
│   └── Package registry compromise
├── Artifacts
│   ├── Tampered container image
│   ├── Unsigned binary
│   ├── Registry compromise
│   └── Man-in-the-middle during pull
└── Deployment
    ├── Compromised IaC / Helm chart
    ├── Unauthorized deployment (missing approval gate)
    ├── Drift from declared state
    └── Insecure runtime configuration

SLSA Framework Levels

| Level | Requirements | Integrity Guarantee | Example |
|---|---|---|---|
| SLSA 0 | No guarantees | None | Manual builds on developer laptop |
| SLSA 1 | Build process documented | Provenance exists | CI/CD generates build provenance metadata |
| SLSA 2 | Hosted build, signed provenance | Tampering after build detectable | GitHub Actions with signed attestations |
| SLSA 3 | Hardened build platform, non-falsifiable provenance | Tampering during build detectable | Isolated, ephemeral build environments |
| SLSA 4 (proposed) | Hermetic + reproducible builds, two-person review | Maximum assurance | Fully reproducible, multi-party verified |

SBOM Format Comparison

| Aspect | SPDX | CycloneDX | SWID |
|---|---|---|---|
| Maintained by | Linux Foundation | OWASP | ISO/IEC |
| Primary focus | License compliance + security | Security + operational risk | Software identification |
| Format | JSON, RDF, YAML, tag-value | JSON, XML, Protobuf | XML |
| VEX support | Yes (SPDX 2.3+) | Yes (native) | No |
| Dependency graph | Yes | Yes | Limited |
| Adoption | US government mandate (EO 14028) | Strong in AppSec tooling | Legacy, declining |
| Tooling | syft, Trivy, scancode | syft, Trivy, cdxgen | Limited |
| Best for | Regulatory compliance | DevSecOps automation | Enterprise asset management |

Tool Comparison

| Tool | Category | Key Capability | License |
|---|---|---|---|
| Sigstore / Cosign | Signing & verification | Keyless signing of containers and artifacts via OIDC | Open source |
| Trivy | Vulnerability scanning | Container, filesystem, IaC, SBOM scanning | Open source |
| Snyk | Vulnerability scanning | Developer-friendly SCA with fix PRs | Commercial |
| Grype | Vulnerability scanning | Fast SBOM-based vulnerability matching | Open source |
| syft | SBOM generation | SPDX and CycloneDX output from images/repos | Open source |
| in-toto | Build attestation | Cryptographic supply chain layout verification | Open source |
| GUAC | Graph analysis | Aggregates SBOMs, SLSA, VEX into queryable graph | Open source |
| Dependabot | Dependency updates | Automated dependency update PRs | Free (GitHub) |
| Renovate | Dependency updates | Highly configurable, multi-platform | Open source |
| Kyverno | Policy enforcement | Verify image signatures and attestations at admission | Open source |

Secure Pipeline Architecture

┌──────────┐     ┌──────────────┐     ┌──────────────┐
│Developer │────>│ Code Review  │────>│  CI Build    │
│  Commit  │     │  (2+ review) │     │ (ephemeral,  │
│ (signed) │     │  branch prot.│     │  isolated)   │
└──────────┘     └──────────────┘     └──────┬───────┘
                                             │
                    ┌────────────────────────┐│
                    │  SBOM + Provenance     ││
                    │  Generation (syft,     │◄┘
                    │  in-toto, SLSA)        │
                    └───────────┬────────────┘
                                │
                    ┌───────────▼────────────┐
                    │  Signing (Cosign /     │
                    │  Sigstore keyless)     │
                    └───────────┬────────────┘
                                │
                    ┌───────────▼────────────┐
                    │  Artifact Registry     │
                    │  (signed + attested)   │
                    └───────────┬────────────┘
                                │
                    ┌───────────▼────────────┐
                    │  Admission Control     │
                    │  (Kyverno / OPA)       │
                    │  - Verify signature    │
                    │  - Check SBOM          │
                    │  - Enforce SLSA level  │
                    └───────────┬────────────┘
                                │
                    ┌───────────▼────────────┐
                    │  Production Runtime    │
                    │  (continuous scanning) │
                    └────────────────────────┘

Strategic Recommendations

Start with SBOMs. Generating an SBOM for every build is low-effort, high-value. Use syft or Trivy in your CI pipeline. This gives you a baseline inventory before you even start vulnerability scanning.
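To show what the "baseline inventory" buys you, here is an added example (not code from this article, syft or Trivy) that parses a CycloneDX JSON SBOM into a package inventory and matches it against a small advisory feed. The SBOM, the package names (`acme-*`) and the `ADV-EXAMPLE-*` advisory IDs are all constructed for illustration and describe no real vulnerabilities; the version comparison is deliberately a simple numeric-prefix compare, not full semver.

```python
"""Parse a CycloneDX JSON SBOM into an inventory and match it against advisories.
Added example, not the article's or any tool's code. All package names,
versions and advisory IDs below are constructed and fictional."""
import json

# Constructed CycloneDX 1.5 document in the shape syft/cdxgen emit (trimmed).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-pad", "version": "1.3.0",
         "purl": "pkg:npm/acme-pad@1.3.0"},
        {"type": "library", "name": "acme-http", "version": "2.25.1",
         "purl": "pkg:pypi/acme-http@2.25.1"},
        {"type": "library", "name": "acme-tls", "version": "3.0.2-0ubuntu1",
         "purl": "pkg:deb/ubuntu/acme-tls@3.0.2-0ubuntu1?distro=ubuntu-22.04"},
        {"type": "library", "name": "mystery-lib"},  # no version, no purl
    ],
})

# Constructed advisories keyed by purl type and name. "fixed" means every
# version strictly below it is affected. IDs are placeholders, not real CVEs.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "type": "pypi", "name": "acme-http", "fixed": "2.31.0"},
    {"id": "ADV-EXAMPLE-0002", "type": "npm", "name": "acme-pad", "fixed": "1.2.0"},
    {"id": "ADV-EXAMPLE-0003", "type": "deb", "name": "acme-tls", "fixed": "3.0.3"},
]


def parse_purl(purl):
    """Return (type, name, version) from a purl such as pkg:npm/acme-pad@1.3.0.
    Namespaces (pkg:deb/ubuntu/acme-tls) and qualifiers after '?' are dropped."""
    body = purl[len("pkg:"):].split("?", 1)[0]
    type_, _, rest = body.partition("/")
    name_part, _, version = rest.partition("@")
    name = name_part.rsplit("/", 1)[-1]
    return type_, name, version or None


def version_key(version):
    """Comparison key from the numeric prefix of each dot-separated piece:
    '3.0.2-0ubuntu1' -> (3, 0, 2). Good enough here; not a semver parser."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def inventory(sbom_json):
    """Return (matchable, unmatchable): parsed purls, and component names that
    have no versioned purl and therefore cannot be matched against advisories."""
    doc = json.loads(sbom_json)
    known, unmatchable = [], []
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if not purl or "@" not in purl:
            unmatchable.append(comp.get("name", "<unnamed>"))
            continue
        known.append(parse_purl(purl))
    return known, unmatchable


def match(sbom_json, advisories):
    """Map 'type/name@version' to the advisory IDs that apply to it."""
    known, _ = inventory(sbom_json)
    hits = {}
    for type_, name, version in known:
        for adv in advisories:
            if (adv["type"], adv["name"]) != (type_, name):
                continue
            if version_key(version) < version_key(adv["fixed"]):
                hits.setdefault(f"{type_}/{name}@{version}", []).append(adv["id"])
    return hits


if __name__ == "__main__":
    known, unmatchable = inventory(SAMPLE_SBOM)
    print(f"{len(known)} matchable components; no versioned purl: {unmatchable}")
    for pkg, ids in match(SAMPLE_SBOM, SAMPLE_ADVISORIES).items():
        print(f"{pkg}: {', '.join(ids)}")
```

The `unmatchable` list is the part worth watching in a real pipeline: a component without a purl or version is invisible to every scanner downstream, so an SBOM with many such entries gives a false sense of coverage.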

Sign everything. Cosign with keyless signing (backed by Sigstore's Fulcio and Rekor) eliminates key management overhead. Combine with Kyverno admission policies to enforce "no unsigned images in production."

Pin dependencies aggressively. Lock files are necessary but not sufficient. Pin GitHub Actions to commit SHAs, not tags. Pin base images to digests, not tags.
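The two pinning rules above are easy to check mechanically. The following added example (my code, not the article's or any project's) scans a GitHub Actions workflow for `uses:` references that are not pinned to a 40-character commit SHA and a Dockerfile for `FROM` lines that are not pinned to a digest. Both sample files are constructed; the commit SHA and image digest in them are obvious placeholders, not real values.

```python
"""Flag unpinned action and base-image references. Added example; the sample
workflow and Dockerfile are constructed, with placeholder SHA and digest."""
import re

# Constructed workflow: one action pinned to a mutable tag, one to a
# (placeholder) full commit SHA, one local in-repo action.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: ./.github/actions/local-step
      - run: make build
"""

# Constructed Dockerfile: first base image by mutable tag, second by digest.
SAMPLE_DOCKERFILE = """\
FROM golang:1.22 AS builder
WORKDIR /src
RUN go build -o /out/app ./...
FROM gcr.io/distroless/static@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=builder /out/app /app
ENTRYPOINT ["/app"]
"""

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
FROM = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)


def check_workflow(text):
    """Return (line_no, ref, reason) for every remote action not pinned to a SHA."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./"):
            continue  # in-repo action: versioned together with the code itself
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((n, ref, "container action not pinned to a digest"))
            continue
        _, _, version = ref.partition("@")
        if not SHA40.match(version):
            reason = "mutable tag" if version else "no version at all (default branch)"
            findings.append((n, ref, reason))
    return findings


def check_dockerfile(text):
    """Return (line_no, image, reason) for every base image not pinned by digest.
    Stage aliases (FROM x AS builder, then FROM builder) and scratch are skipped."""
    stages, findings = set(), []
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM.match(line)
        if not m:
            continue
        image = m.group(1)
        alias = re.search(r"\sAS\s+(\S+)", line, re.IGNORECASE)
        if image in stages or image == "scratch":
            continue
        if alias:
            stages.add(alias.group(1))
        if "@sha256:" not in image:
            findings.append((n, image, "base image not pinned to a digest"))
    return findings


if __name__ == "__main__":
    for n, ref, why in check_workflow(SAMPLE_WORKFLOW):
        print(f"workflow:{n}: {ref}: {why}")
    for n, image, why in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"Dockerfile:{n}: {image}: {why}")
```

Run it as a CI step that fails the build on any finding; a SHA-pinned action with the tag kept in a trailing comment (as on the `setup-go` line) stays readable while remaining immutable.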

Adopt SLSA incrementally. Most organizations can reach SLSA 2 within weeks by using GitHub Actions with artifact attestations. SLSA 3 requires more investment in build isolation but dramatically reduces risk.
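What "enforcing a SLSA level" means in practice is checking the claims inside the provenance attestation, which is what the admission-control stage in the pipeline diagram and the SLSA table above both rely on. The added example below (not the article's, Sigstore's or GitHub's code) runs those policy checks over an in-toto Statement v1 carrying a SLSA provenance v1 predicate: subject digest, builder identity, and source repository and workflow. It assumes the signature over the attestation has already been verified (for instance by cosign) and checks only the payload. The artifact bytes, repository, workflow path, commit and builder/buildType values are constructed or assumed for this example.

```python
"""Policy checks over a SLSA v1 provenance statement for a built artifact.
Added example, not code from the article or from any project. Assumes the
attestation's signature was already verified (e.g. by cosign); this checks
the claims inside it. Artifact, repository and builder values are constructed."""
import hashlib

# Constructed bytes standing in for a release tarball.
ARTIFACT = b"example release artifact bytes\n"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact_digest):
    """Constructed in-toto Statement v1 with a SLSA provenance v1 predicate.
    Field layout follows the SLSA v1 spec; the repository, workflow path,
    commit, builder id and buildType are assumed values for this example."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "app.tar.gz", "digest": {"sha256": artifact_digest}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://actions.github.io/buildtypes/workflow/v1",
                "externalParameters": {
                    "workflow": {
                        "ref": "refs/tags/v1.4.0",
                        "repository": "https://github.com/example-org/app",
                        "path": ".github/workflows/release.yml",
                    }
                },
                "resolvedDependencies": [
                    {"uri": "git+https://github.com/example-org/app@refs/tags/v1.4.0",
                     "digest": {"gitCommit": "0" * 40}}  # placeholder commit
                ],
            },
            "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
        },
    }


# Verifier policy: what we are willing to accept (assumed values).
POLICY = {
    "predicate_type": "https://slsa.dev/provenance/v1",
    "allowed_builders": {"https://github.com/actions/runner/github-hosted"},
    "source_repository": "https://github.com/example-org/app",
    "workflow_path": ".github/workflows/release.yml",
}


def verify_provenance(statement, artifact, policy):
    """Return a list of policy violations; empty means the artifact is the one
    the provenance describes and it was built where and how the policy requires."""
    problems = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        problems.append("not an in-toto v1 statement")
    if statement.get("predicateType") != policy["predicate_type"]:
        problems.append(f"unexpected predicateType {statement.get('predicateType')!r}")

    # 1. Bind the attestation to these exact bytes: match by digest, never by name.
    digest = sha256_hex(artifact)
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("artifact sha256 does not match any subject digest")

    pred = statement.get("predicate", {})
    # 2. Only a trusted builder's claims count; anyone can write a JSON document.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in policy["allowed_builders"]:
        problems.append(f"builder {builder!r} not in allow-list")

    # 3. Pin the source and the workflow, so a fork or another workflow in the
    #    same repository cannot produce an artifact the policy accepts.
    wf = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    if wf.get("repository") != policy["source_repository"]:
        problems.append(f"source repository {wf.get('repository')!r} not expected")
    if wf.get("path") != policy["workflow_path"]:
        problems.append(f"workflow path {wf.get('path')!r} not expected")
    return problems


if __name__ == "__main__":
    stmt = make_statement(sha256_hex(ARTIFACT))
    print("genuine artifact:", verify_provenance(stmt, ARTIFACT, POLICY) or "OK")
    print("tampered artifact:", verify_provenance(stmt, ARTIFACT + b"x", POLICY))
```

The three checks map onto the table: the digest check is what SLSA 2 gives you (tampering after the build is detectable), while the builder allow-list is only meaningful once the builder is the hardened, isolated platform that SLSA 3 describes.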
