Supply Chain Security — SBOM and Beyond¶

Software supply chain attacks increased 742% between 2019 and 2025. The numbers are not slowing down. SolarWinds demonstrated that a single compromised build system could grant adversaries access to 18,000 organizations simultaneously. Log4Shell proved that a vulnerability in one transitive dependency could expose virtually every enterprise on the planet. CodeCov showed that CI/CD secrets are one tampered script away from exfiltration at scale.

Traditional perimeter security was designed for a world where you built what you ran. That world no longer exists. The average enterprise application contains 257 open-source dependencies, each with its own dependency tree, maintainer community, and attack surface. Your firewall cannot inspect the integrity of a build artifact. Your EDR cannot verify that the npm package you installed today is the same one you audited last quarter.

This post breaks down the modern software supply chain, explains how SBOMs and the SLSA framework provide verifiable trust at every stage, and walks through a synthetic incident response where Meridian Healthcare used both to contain a compromised dependency in under 48 hours.

1. Understanding the Software Supply Chain¶

The software supply chain encompasses every component, tool, process, and human that contributes to a software artifact from source code to production deployment. Each stage introduces an attack surface.

The Modern Supply Chain — Stage by Stage¶

┌─────────────────────────────────────────────────────────────────┐
│                    SOFTWARE SUPPLY CHAIN                        │
│                                                                 │
│  ┌──────────┐   ┌──────────┐   ┌──────────┐   ┌──────────┐    │
│  │  Source   │──▶│  Build   │──▶│ Package  │──▶│  Deploy  │    │
│  │   Code   │   │  System  │   │ Registry │   │  Target  │    │
│  └──────────┘   └──────────┘   └──────────┘   └──────────┘    │
│       │              │              │              │            │
│  ┌────▼────┐   ┌────▼────┐   ┌────▼────┐   ┌────▼────┐       │
│  │ Open    │   │ CI/CD   │   │ npm,    │   │ k8s,    │       │
│  │ Source  │   │ Runners │   │ PyPI,   │   │ VMs,    │       │
│  │ Deps    │   │ Secrets │   │ Docker  │   │ Lambda  │       │
│  │ IDEs    │   │ Plugins │   │ Hub     │   │ CDN     │       │
│  └─────────┘   └─────────┘   └─────────┘   └─────────┘       │
│                                                                 │
│  ATTACK SURFACE AT EVERY STAGE                                  │
└─────────────────────────────────────────────────────────────────┘

Attack Vectors by Stage¶

Stage	Attack Vector	Real-World Precedent
Source Code	Compromised developer account, malicious commit, typosquatting IDE extension	PHP self-hosted Git server compromise (2021)
Dependencies	Dependency confusion, typosquatting, account takeover of maintainer, malicious update	ua-parser-js npm hijack (2021), event-stream (2018)
Build System	Compromised CI/CD pipeline, tampered build scripts, injected build steps	SolarWinds Orion (2020), CodeCov bash uploader (2021)
Package Registry	Registry compromise, namespace hijacking, deleted-then-republished packages	npm registry incidents, PyPI malware campaigns
Deployment	Image tampering, unsigned artifacts, compromised deployment credentials	Various container supply chain attacks

The Trust Problem

Every dependency you consume is code written by someone you have never met, reviewed by a process you cannot verify, built on infrastructure you do not control, and delivered through a registry that may not validate integrity. Supply chain security is fundamentally a trust verification problem.

For foundational application security concepts, see Chapter 30: Application Security & SDLC.

2. SBOM Deep Dive — Your Software Ingredient List¶

A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of all components, libraries, and dependencies in a software artifact. Think of it as a nutritional label for software — it tells you exactly what is inside.

Why SBOMs Matter Now¶

Executive Order 14028 (May 2021) mandated that software vendors selling to the U.S. federal government must provide SBOMs. The NTIA (National Telecommunications and Information Administration) defined the minimum elements every SBOM must contain:

NTIA Minimum Element	Description
Supplier Name	Entity that created or packaged the component
Component Name	Name of the software component
Version	Version identifier for the component
Unique Identifier	Unique identifier (e.g., CPE, PURL, SWID)
Dependency Relationship	Upstream/downstream component relationships
Author of SBOM Data	Entity that generated the SBOM
Timestamp	Date/time the SBOM was generated

SPDX vs. CycloneDX — Choosing Your Format¶

The two dominant SBOM standards serve different audiences:

SPDX (Software Package Data Exchange)

ISO/IEC 5962:2021 international standard
Originated from the Linux Foundation
Strong focus on license compliance
Formats: JSON, YAML, RDF, tag-value, spreadsheet
Best for: organizations with significant license compliance requirements

CycloneDX

OWASP-maintained standard
Purpose-built for security use cases
Native support for vulnerabilities, services, formulation (build process), and machine learning model transparency
Formats: JSON, XML, Protocol Buffers
Best for: security teams prioritizing vulnerability management and risk analysis

Practical Recommendation

If your primary goal is vulnerability management and incident response, CycloneDX is the stronger choice. Its vulnerability and exploitability fields (VEX — Vulnerability Exploitability eXchange) allow you to communicate not just what is present, but whether it is actually exploitable in your context.

Generating SBOMs — Tool Comparison¶

Tool	Formats	Languages	Strengths
Syft (Anchore)	SPDX, CycloneDX	15+ ecosystems	Fast, container-native, CI/CD friendly
Trivy (Aqua)	SPDX, CycloneDX	10+ ecosystems	Combined SBOM + vulnerability scanner
OWASP Dependency-Track	CycloneDX (ingests SPDX)	Via plugins	Full lifecycle SBOM management platform
Microsoft SBOM Tool	SPDX	.NET, npm, pip, Maven	Integrates with Azure DevOps
cdxgen	CycloneDX	20+ ecosystems	Deep transitive dependency resolution

Sample SBOM Generation¶

Generate a CycloneDX SBOM for a Node.js project using Syft:

# Install Syft
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s

# Generate SBOM from project directory
syft dir:/app/meridian-portal -o cyclonedx-json > sbom-portal-v2.4.1.json

# Generate SBOM from container image
syft registry.example.com/meridian/portal:2.4.1 -o cyclonedx-json > sbom-container.json

# Validate the SBOM
cyclonedx validate --input-file sbom-portal-v2.4.1.json --input-version 1.5

Sample CycloneDX SBOM Snippet (Synthetic)¶

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "version": 1,
  "metadata": {
    "timestamp": "2026-10-14T08:30:00Z",
    "tools": [
      {
        "vendor": "anchore",
        "name": "syft",
        "version": "0.105.0"
      }
    ],
    "component": {
      "type": "application",
      "name": "meridian-patient-portal",
      "version": "2.4.1",
      "supplier": {
        "name": "Meridian Healthcare IT"
      }
    }
  },
  "components": [
    {
      "type": "library",
      "name": "express",
      "version": "4.19.2",
      "purl": "pkg:npm/express@4.19.2",
      "licenses": [{ "license": { "id": "MIT" } }],
      "hashes": [
        {
          "alg": "SHA-256",
          "content": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
        }
      ]
    },
    {
      "type": "library",
      "name": "lodash",
      "version": "4.17.21",
      "purl": "pkg:npm/lodash@4.17.21",
      "licenses": [{ "license": { "id": "MIT" } }]
    },
    {
      "type": "library",
      "name": "meridian-auth-helper",
      "version": "1.3.7",
      "purl": "pkg:npm/%40meridian/auth-helper@1.3.7",
      "supplier": {
        "name": "Meridian Healthcare IT"
      }
    }
  ],
  "dependencies": [
    {
      "ref": "meridian-patient-portal@2.4.1",
      "dependsOn": [
        "express@4.19.2",
        "lodash@4.17.21",
        "meridian-auth-helper@1.3.7"
      ]
    }
  ]
}

3. SLSA Framework — Verifiable Build Integrity¶

SLSA (Supply-chain Levels for Software Artifacts, pronounced "salsa") is a security framework created by Google that provides a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. It focuses on the build and distribution stages of the supply chain.

SLSA Levels Explained¶

Level	Name	Requirements	What It Prevents
SLSA 1	Build Provenance	Automated build process; provenance document generated describing how the artifact was built	Prevents unknown build origins; establishes baseline traceability
SLSA 2	Hosted Build	Build runs on a hosted service; provenance is signed by the build service	Prevents local build tampering; verifiable provenance
SLSA 3	Hardened Build	Build service is hardened; provenance is non-falsifiable; isolated, ephemeral build environments	Prevents build service compromise; tamper-evident provenance
SLSA 4	Maximal Guarantees	Two-person review; hermetic builds; reproducible builds; parameterless builds	Prevents insider threats and sophisticated supply chain attacks

Build Provenance — The Core Concept¶

Build provenance is a signed attestation that describes:

What was built (artifact hash)
How it was built (build recipe, parameters)
Where it was built (build platform identity)
Who triggered the build (source reference)
When it was built (timestamp)

{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    {
      "name": "meridian-portal",
      "digest": {
        "sha256": "f4e5d6c7b8a9f4e5d6c7b8a9f4e5d6c7b8a9f4e5d6c7b8a9f4e5d6c7b8a9f4e5"
      }
    }
  ],
  "predicateType": "https://slsa.dev/provenance/v1",
  "predicate": {
    "buildDefinition": {
      "buildType": "https://github.com/actions/runner",
      "externalParameters": {
        "source": "git+https://git.example.com/meridian/portal@refs/tags/v2.4.1",
        "builderImage": "registry.example.com/builders/node18:latest"
      }
    },
    "runDetails": {
      "builder": {
        "id": "https://ci.example.com/meridian/portal/builds/4821"
      },
      "metadata": {
        "invocationId": "build-4821-a1b2c3d4",
        "startedOn": "2026-10-14T08:15:00Z",
        "finishedOn": "2026-10-14T08:28:47Z"
      }
    }
  }
}

Implementing SLSA Incrementally¶

Level 1 — Scripted Build + Provenance (Week 1-2)

# .github/workflows/build.yml (simplified)
name: Build with Provenance
on:
  push:
    tags: ['v*']

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
      attestations: write
    steps:
      - uses: actions/checkout@v4
      - name: Build artifact
        run: npm ci && npm run build
      - name: Generate SBOM
        run: syft dir:. -o cyclonedx-json > sbom.json
      - name: Attest provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: 'dist/**'

Level 2 — Hosted Build Service (Week 3-4)

Move all builds to a hosted CI/CD platform (GitHub Actions, GitLab CI, Cloud Build)
Ensure provenance is signed by the build service, not by developers
Verify provenance signatures before deployment

Level 3 — Hardened Build Environment (Month 2-3)

Ephemeral, isolated build environments (fresh VM/container per build)
No shared state between builds
Non-falsifiable provenance (signed by hardware-backed keys)
Network isolation during build (hermetic builds)

Practical Reality

Most organizations should target SLSA Level 2 as a near-term goal and Level 3 as a 12-month objective. Level 4 requires significant investment and is primarily relevant for high-assurance software (operating systems, security tools, firmware).

4. Case Study: Meridian Healthcare — 48-Hour Supply Chain Incident¶

Meridian Healthcare is a synthetic regional health system operating 12 hospitals and 340 outpatient clinics across the southeastern United States. Their IT team manages 47 internally developed applications serving 28,000 employees and 1.2 million patients.

Synthetic Scenario

This case study uses entirely fictional organizations, IP addresses (RFC 5737/RFC 1918), and domain names (*.example.com). No real patient data, credentials, or infrastructure is referenced.

Background¶

Meridian's security team had spent 14 months building a supply chain security program:

SBOM generation: CycloneDX SBOMs produced for every build via Syft
Dependency tracking: OWASP Dependency-Track ingesting SBOMs from 47 applications
SLSA Level 2: All production builds run on hardened GitHub Actions runners with signed provenance
Package allow-listing: Internal Artifactory proxy with approved package list for npm, PyPI, and Maven

T+0:00 — The Alert¶

On October 3, 2026 at 14:23 UTC, Meridian's Dependency-Track instance flagged an anomaly. The npm package @meridian-utils/pdf-renderer — an internal package published to their private registry — had a new version (2.1.4) that introduced a dependency on node-native-metrics@3.0.1, a package that did not exist in Meridian's approved list.

ALERT: Unapproved dependency introduced
  Application: meridian-patient-portal v2.4.1-rc3
  Component: @meridian-utils/pdf-renderer@2.1.4
  New dependency: node-native-metrics@3.0.1
  Risk: Package not in approved registry allow-list
  Source: Dependency-Track policy violation
  Timestamp: 2026-10-03T14:23:17Z

T+0:15 — Initial Triage¶

Security analyst Priya Sharma queried Dependency-Track's API to determine blast radius using the SBOM data:

# Query Dependency-Track for all projects consuming the flagged component
curl -s -H "X-Api-Key: REDACTED" \
  "https://deptrack.internal.example.com/api/v1/dependency/component/a1b2c3d4" \
  | jq '.[] | {project: .project.name, version: .project.version}'

Result: Three applications referenced @meridian-utils/pdf-renderer:

Application	Version	Environment	Status
meridian-patient-portal	2.4.1-rc3	Staging	Deployed to staging 2 hours ago
meridian-billing-api	3.1.0	Production	Using pdf-renderer@2.1.3 (safe)
meridian-discharge-summary	1.8.2	Production	Using pdf-renderer@2.0.9 (safe)

Critical finding: only the patient portal in staging had pulled the compromised version. Production systems were on older, clean versions.

T+0:45 — SBOM Diff Analysis¶

Sharma compared the SBOM from the clean build (pdf-renderer@2.1.3) against the suspicious build (pdf-renderer@2.1.4):

# Generate diff between clean and suspicious SBOMs
cyclonedx diff \
  --from sbom-pdf-renderer-2.1.3.json \
  --to sbom-pdf-renderer-2.1.4.json \
  --output-format json

The diff revealed:

Added: node-native-metrics@3.0.1 (unknown package, no matching PURL in any public registry)
Added: node-native-metrics contained a postinstall script executing a base64-encoded payload
Modified: pdf-renderer main entry point imported node-native-metrics and called initTelemetry() on module load

T+1:30 — Build Provenance Verification¶

The team verified SLSA provenance for the suspicious package version:

# Verify provenance for the suspicious version
slsa-verifier verify-artifact \
  --source-uri git+https://git.example.com/meridian-utils/pdf-renderer \
  --source-tag v2.1.4 \
  --provenance-path pdf-renderer-2.1.4.provenance.json \
  pdf-renderer-2.1.4.tgz

Result: Provenance verification failed. The package had been published directly to the internal registry using a developer's personal access token, bypassing the CI/CD pipeline entirely. The SLSA provenance was missing — a direct violation of Meridian's policy requiring all packages to be built through the hosted build service.

T+2:00 — Containment¶

The incident commander authorized immediate containment:

Revoked the compromised developer token (PAT-7829-a1b2c3d4)
Removed @meridian-utils/pdf-renderer@2.1.4 from the internal registry
Rolled back staging patient portal to v2.4.1-rc2 (previous clean build)
Blocked the IP 198.51.100.47 identified in the postinstall callback
Isolated the staging environment network segment pending forensic analysis

T+4:00 — Root Cause Analysis¶

Investigation revealed that developer Marcus Chen's personal access token had been phished via a targeted email impersonating the internal Artifactory admin. The token had publish scope to the internal npm registry. The attacker used this token to publish a backdoored version of the pdf-renderer package from IP 198.51.100.47.

The postinstall script in node-native-metrics@3.0.1 was designed to:

Exfiltrate environment variables (including database connection strings) to https://telemetry-cdn.example.com/collect
Establish a reverse shell to 203.0.113.89:8443
Download a second-stage payload for credential harvesting

T+24:00 — Verification and Recovery¶

Forensic analysis of the staging environment confirmed no lateral movement
Database credentials exposed in staging environment variables were rotated
All 47 application SBOMs were re-scanned — no other compromised packages found
Developer token policies updated: publish tokens now require MFA re-authentication and IP allow-listing

T+48:00 — Lessons Learned¶

Control	Impact
SBOM + Dependency-Track	Automated detection within minutes of the compromised package being consumed — without SBOM tracking, discovery would have relied on behavioral detection (hours to days)
SLSA provenance	Provenance verification failure immediately confirmed the package was not built through the approved pipeline — reducing investigation time by an estimated 6 hours
Package allow-listing	The unapproved dependency (`node-native-metrics`) triggered an immediate policy violation alert
Staging-first deployment	Production systems were never exposed — the compromised version only reached staging

Key Takeaway

Meridian's 14-month investment in supply chain security controls converted what could have been a production healthcare data breach into a contained staging incident resolved within 48 hours. The SBOM was the detection mechanism. SLSA provenance was the verification mechanism. Together, they cut mean-time-to-detect from days to minutes and mean-time-to-contain from weeks to hours.

For incident response methodology and lifecycle, see Chapter 9: Incident Response Lifecycle.

5. Detection & Monitoring — Queries for Supply Chain Threats¶

Detecting supply chain attacks requires monitoring build systems, package registries, and deployment pipelines — not just endpoints and networks. The following queries target common supply chain indicators.

KQL — Detecting Unusual Package Installations¶

// Detect npm/pip/gem install of packages not in approved list
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("npm install", "pip install", "gem install")
| parse ProcessCommandLine with * "install " PackageName
| where PackageName !in (
    externaldata(ApprovedPackage: string) [@"https://siem.example.com/lists/approved-packages.csv"]
    | project ApprovedPackage
)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, PackageName
| sort by Timestamp desc

// Detect postinstall script execution in CI/CD runners
DeviceProcessEvents
| where Timestamp > ago(7d)
| where DeviceName startswith "runner-"
| where InitiatingProcessFileName in ("node", "npm")
| where ProcessCommandLine has_any ("curl", "wget", "powershell", "base64", "eval")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine

// Detect dependency confusion — internal package names resolving to public registries
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where DeviceName startswith "runner-"
| where RemoteUrl has_any ("registry.npmjs.org", "pypi.org", "rubygems.org")
| where RemoteUrl has_any ("@meridian", "meridian-", "internal-")
| project Timestamp, DeviceName, RemoteUrl, InitiatingProcessCommandLine

SPL — Build Anomaly Detection¶

// Detect builds triggered outside normal CI/CD service accounts
index=cicd sourcetype=github_audit_log action="workflows.completed"
| where actor NOT IN ("github-actions[bot]", "dependabot[bot]", "svc-cicd")
| where workflow_name IN ("build", "release", "deploy", "publish")
| stats count by actor, repo, workflow_name, _time
| where count > 0
| sort -_time

// Detect direct package publish bypassing CI/CD
index=registry sourcetype=artifactory_audit action="deploy"
| where user!="svc-cicd-publisher"
| where repo_path IN ("npm-internal", "pypi-internal", "maven-internal")
| table _time, user, repo_path, artifact_name, artifact_version, src_ip
| sort -_time

// Detect unusual network callbacks from build environments
index=network sourcetype=firewall
| where src_zone="ci-cd-runners"
| where dest_port NOT IN (443, 80, 22)
| where dest NOT IN (lookup approved_build_destinations dest OUTPUT approved | where approved="true")
| stats count values(dest_port) as ports by src, dest
| where count > 3
| sort -count

Sigma Rule — Suspicious Package Registry Activity¶

title: Direct Package Publish Bypassing CI/CD Pipeline
id: f8e7d6c5-b4a3-9281-7654-fedcba098765
status: experimental
description: Detects package publication to internal registries from non-CI/CD accounts
author: Nexus SecOps
date: 2026/10/14
logsource:
  product: artifactory
  service: audit
detection:
  selection:
    action: deploy
    repo_path|contains:
      - 'npm-internal'
      - 'pypi-internal'
      - 'maven-internal'
  filter:
    user|contains:
      - 'svc-cicd'
      - 'github-actions'
      - 'gitlab-ci'
  condition: selection and not filter
falsepositives:
  - Emergency hotfix published manually with change approval
  - Package migration activities
level: high
tags:
  - attack.initial_access
  - attack.t1195.002

title: Postinstall Script Executing Suspicious Commands in CI
id: a9b8c7d6-e5f4-3210-fedc-ba0987654321
status: experimental
description: Detects package postinstall hooks executing potentially malicious commands in CI/CD build environments
author: Nexus SecOps
date: 2026/10/14
logsource:
  category: process_creation
  product: linux
detection:
  selection_parent:
    ParentImage|endswith:
      - '/node'
      - '/npm'
      - '/npx'
    ParentCommandLine|contains: 'postinstall'
  selection_child:
    CommandLine|contains:
      - 'curl '
      - 'wget '
      - 'base64'
      - '/dev/tcp/'
      - 'eval('
      - 'nc -e'
      - 'python -c'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate native module compilation (node-gyp)
  - Package telemetry collection
level: high
tags:
  - attack.execution
  - attack.t1059
  - attack.defense_evasion
  - attack.t1027

For detection engineering methodology at scale, see Chapter 5: Detection Engineering at Scale.

6. Building Your Supply Chain Security Program¶

Supply chain security is not a single tool or process — it is a cross-functional program spanning development, security, operations, and procurement. The following maturity model provides a phased approach.

Maturity Model: Crawl / Walk / Run¶

Crawl — Foundation (Months 1-3)¶

Activity	Deliverable
Inventory all software projects and their dependency managers	Asset inventory spreadsheet with package ecosystems identified
Generate SBOMs for top 10 critical applications	CycloneDX SBOMs stored alongside build artifacts
Deploy OWASP Dependency-Track	Central SBOM ingestion and vulnerability monitoring
Enable dependabot / renovate on all repositories	Automated dependency update PRs with changelog visibility
Establish an approved package list for critical ecosystems	Allow-list policy in internal registry proxy
Document a supply chain incident response procedure	Playbook integrated with existing IR process

Walk — Operationalize (Months 4-8)¶

Activity	Deliverable
SBOM generation in every CI/CD pipeline	Automated SBOM creation and upload to Dependency-Track on every build
SLSA Level 2 for all production builds	Signed provenance attestations from hosted build services
Internal package registry proxy (Artifactory/Nexus)	All external packages proxied; no direct internet pulls from build environments
Vulnerability SLA enforcement	Critical: 24h, High: 7d, Medium: 30d, Low: 90d — measured and reported
Developer training on supply chain risks	Quarterly secure coding module covering dependency hygiene
Vendor software assessment questionnaire	SBOM and SLSA requirements included in vendor onboarding

Run — Advanced (Months 9-18)¶

Activity	Deliverable
SLSA Level 3 for critical applications	Hardened, ephemeral build environments with non-falsifiable provenance
VEX (Vulnerability Exploitability eXchange) integration	Contextual vulnerability assessment — not just "present" but "exploitable"
Runtime SBOM validation	Deployed artifacts verified against build-time SBOMs; drift detection
Reproducible builds for critical packages	Independent verification that source code produces identical artifacts
Automated license compliance	SBOM-driven license analysis blocking unapproved licenses pre-merge
Supply chain threat modeling	Annual threat modeling exercise covering all supply chain stages

Tool Recommendations¶

Category	Recommended Tools	Notes
SBOM Generation	Syft, Trivy, cdxgen	Choose based on ecosystem coverage needs
SBOM Management	OWASP Dependency-Track	Open source, CycloneDX-native, policy engine
SCA (Software Composition Analysis)	Snyk, Grype, OSV-Scanner	Vulnerability scanning against SBOM components
Build Provenance	SLSA GitHub Generator, Sigstore Cosign	Signed attestations and keyless signing
Registry Proxy	JFrog Artifactory, Sonatype Nexus	Package allow-listing, caching, security scanning
Dependency Updates	Dependabot, Renovate	Automated PRs with changelog and compatibility scoring
Container Signing	Cosign + Fulcio + Rekor	Keyless signing with transparency log
Policy Enforcement	OPA/Gatekeeper, Kyverno	Admission control verifying SBOM and provenance at deploy time

Governance Framework¶

A supply chain security program requires governance to sustain momentum beyond initial implementation:

Policy: Define acceptable risk for dependencies (license types, maintainer activity, known vulnerabilities, SLSA level requirements)
Roles: Assign a supply chain security owner — typically within AppSec or DevSecOps
Metrics: Track and report quarterly:
- Percentage of applications with current SBOMs
- Mean time to remediate dependency vulnerabilities
- SLSA level achieved per application
- Number of unapproved dependencies blocked
Review Cadence: Monthly review of Dependency-Track findings; quarterly program maturity assessment
Vendor Requirements: Include SBOM delivery and SLSA attestation in procurement contracts

Vendor Assessment Checklist¶

When evaluating third-party software, require answers to these questions:

[ ] Does the vendor provide SBOMs in SPDX or CycloneDX format with every release?
[ ] Does the vendor follow SLSA guidelines? At what level?
[ ] Does the vendor have a vulnerability disclosure and patching SLA?
[ ] Does the vendor use signed build provenance for their artifacts?
[ ] Does the vendor maintain an incident response plan for supply chain compromise?
[ ] Does the vendor scan dependencies for known vulnerabilities before release?
[ ] Can the vendor provide evidence of build environment hardening?

For cloud-specific supply chain considerations, see Chapter 20: Cloud Attack & Defense Playbook.

7. Key Takeaways¶

Principle	Action
You cannot secure what you cannot see	Generate SBOMs for every application and ingest them into a management platform like Dependency-Track
Trust must be verified, not assumed	Implement SLSA build provenance to cryptographically verify that artifacts were built through approved pipelines
Detection requires supply chain telemetry	Monitor package registries, build systems, and CI/CD pipelines — not just endpoints and networks
Maturity is a journey	Start with SBOM generation and SCA scanning (Crawl), operationalize with SLSA Level 2 and registry proxies (Walk), then advance to reproducible builds and runtime verification (Run)
Supply chain security is a team sport	Developers, security, operations, and procurement all have roles — governance and metrics sustain the program
Incident response changes with SBOMs	When the next Log4Shell drops, an SBOM lets you answer "are we affected?" in minutes instead of days

Conclusion¶

The software supply chain is the largest unmanaged attack surface in most organizations. Every dependency is a trust decision. Every build system is a target. Every package registry is a distribution mechanism — for defenders and attackers alike.

SBOMs give you visibility. SLSA gives you verifiable integrity. Together, they transform supply chain security from a hope-based model ("we trust our dependencies") to an evidence-based model ("we can prove what was built, how, and from what").

The organizations that invested in these controls before the next major supply chain attack will measure their response time in minutes. The rest will measure it in weeks — if they detect it at all.

Start generating SBOMs this week. Target SLSA Level 2 this quarter. Build the program that turns the next supply chain crisis into a contained incident, not a breach headline.