Supply Chain Security
SLSA Framework Levels
| Level | Requirements | Protection |
|---|---|---|
| SLSA 1 | Build process is scripted/automated; provenance generated | Accidental errors |
| SLSA 2 | Version-controlled build, hosted build service, signed provenance | Basic tampering |
| SLSA 3 | Hardened build platform, auditable build process | Insider threats |
| SLSA 4 | Two-party review, hermetic builds, reproducible builds | Sophisticated attacks |
Dependency Auditing Commands
```shell
# npm
npm audit                        # report known vulnerabilities in the lockfile
npm audit fix                    # apply non-breaking upgrades where available
npm audit --audit-level=high     # non-zero exit only for high/critical findings (CI gate)
# Python
pip-audit
safety check -r requirements.txt
# Go
govulncheck ./...
# Ruby
bundle audit
```

```yaml
# GitHub Dependabot (in .github/dependabot.yml)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
```
SBOM Generation
```shell
# CycloneDX (recommended format)
# npm
npm install -g @cyclonedx/cyclonedx-npm
cyclonedx-npm --output-format json --output-file sbom.json
# Python (-r: build the BOM from requirements.txt)
pip install cyclonedx-bom
cyclonedx-bom -r -o sbom.xml
# Go
cyclonedx-gomod app -output bom.json
# Syft (multi-language; scans the current directory)
syft packages dir:. -o cyclonedx-json=sbom.json
# SPDX format
syft packages dir:. -o spdx-json=sbom.spdx.json
```
Supply Chain Security Checklist
- Pin dependency versions (lock files) — don't use ranges in production
- Verify checksums/hashes of downloaded packages
- Use private package registries to cache and vet packages
- Sign all build artifacts with Sigstore/Cosign
- Implement SCA (Software Composition Analysis) in CI pipeline
- Generate SBOM for all releases
- Review new dependencies before adding (evaluate maintenance, popularity, license)
- Monitor for new CVEs in used packages (Dependabot, Snyk)
- Use hermetic builds (no network access during build)
- Protect CI/CD pipeline credentials and secrets
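The "verify checksums/hashes" item above, as an added example that is not part of the original page: a small POSIX shell helper that refuses to accept a downloaded artifact unless its SHA-256 matches a pinned digest. It fails closed on a truncated or malformed expected digest, and works with either coreutils `sha256sum` or macOS `shasum`. The file name and digest used in the comments are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): gate a downloaded artifact on a
# pinned SHA-256 before it is unpacked, installed or executed.
set -eu

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_artifact FILE EXPECTED_SHA256
# Returns 0 only when FILE's digest equals EXPECTED_SHA256 (case-insensitive).
# A short, empty or non-hex expected value is rejected outright so that a
# half-copied digest in a build script can never "match".
verify_artifact() {
  local file expected actual
  file="$1"
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  if [ "${#expected}" -ne 64 ]; then
    echo "refusing $file: expected digest is not 64 hex characters" >&2
    return 1
  fi
  case "$expected" in
    *[!0-9a-f]*) echo "refusing $file: expected digest is not hex" >&2; return 1 ;;
  esac
  actual="$(sha256_of "$file")"
  if [ "$actual" = "$expected" ]; then
    echo "ok: $file matches pinned sha256"
    return 0
  fi
  echo "MISMATCH for $file" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# Usage (pinned digest is a constructed placeholder, not a real release hash):
#   verify_artifact ./tool-v1.2.3.tar.gz \
#     2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 || exit 1
```

The pinned digest should live in version control next to the build script (or in the lockfile for ecosystems that support hashes), so a change to it is visible in code review rather than buried in whatever the download server currently serves.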
Container Image Signing (Cosign)
```shell
# Install cosign
go install github.com/sigstore/cosign/v2/cmd/cosign@latest
# Generate key pair (cosign.key is encrypted with a password prompt; cosign.pub is distributed to verifiers)
cosign generate-key-pair
# Sign image
cosign sign --key cosign.key ghcr.io/myorg/myapp:v1.0.0
# Verify image
cosign verify --key cosign.pub ghcr.io/myorg/myapp:v1.0.0
# Keyless signing (Sigstore/Fulcio): identity comes from an OIDC login, no long-lived key to protect
cosign sign ghcr.io/myorg/myapp:v1.0.0
```
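The page shows keyless signing but not the matching verification step. The following added example (not from the original page or the cosign project) is a deploy-time gate that only accepts an image whose keyless signature was issued to the expected CI identity. `cosign verify --certificate-identity` and `--certificate-oidc-issuer` are real cosign v2 flags; the identity and issuer values, the image name and the `deploy_if_verified` stand-in are assumptions you would replace with your own.

```shell
#!/bin/sh
# Added example (not from the original page): refuse to deploy an image unless
# its keyless Sigstore signature verifies against a pinned signer identity.
set -eu

# The workflow identity that is allowed to have signed the image. With keyless
# signing the certificate's SAN is the OIDC identity of the signer, so pinning
# it is what stops "any valid Sigstore signature" from being good enough.
# (Assumed values for a GitHub Actions release workflow.)
EXPECTED_IDENTITY="${EXPECTED_IDENTITY:-https://github.com/myorg/myapp/.github/workflows/release.yml@refs/heads/main}"
EXPECTED_ISSUER="${EXPECTED_ISSUER:-https://token.actions.githubusercontent.com}"

# verify_image IMAGE_REF
# Returns 0 only if IMAGE_REF is pinned by digest and cosign verifies a
# signature whose certificate matches EXPECTED_IDENTITY and EXPECTED_ISSUER.
verify_image() {
  local image="$1"
  # A signature is bound to a digest; a mutable tag can be repointed after
  # verification, so require "name@sha256:<digest>" form.
  case "$image" in
    *@sha256:*) ;;
    *) echo "refusing $image: pin the image by digest, not tag" >&2; return 1 ;;
  esac
  if cosign verify \
      --certificate-identity "$EXPECTED_IDENTITY" \
      --certificate-oidc-issuer "$EXPECTED_ISSUER" \
      "$image" >/dev/null 2>&1; then
    echo "signature ok: $image"
    return 0
  fi
  echo "signature verification FAILED: $image" >&2
  return 1
}

# deploy_if_verified IMAGE_REF
# Stand-in for the real rollout step: it never runs if verification fails.
deploy_if_verified() {
  verify_image "$1" || return 1
  echo "deploying $1"
}

# Usage (digest is a constructed placeholder):
#   deploy_if_verified ghcr.io/myorg/myapp@sha256:<digest-placeholder>
```

Resolve the tag to a digest once (for example from the registry manifest at release time), record that digest in the deployment manifest, and verify the digest form; verifying `myapp:v1.0.0` and then deploying `myapp:v1.0.0` leaves a window in which the tag can be moved to an unsigned image.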