Software Supply Chain Security Guide
A defender’s reference for software supply chain risks — threat model across the SDLC, package-registry attack patterns, CI/CD hardening, artifact provenance and signing, SBOMs, dependency scanning, case studies, and a checklist. Compiled from 29 research articles, advisories, and incident writeups.

Table of Contents

1. Fundamentals
2. Threat Model Across the SDLC
3. Package Registry Risks
4. Dependency Confusion, Typosquatting, Slopsquatting
5. Maintainer Account Compromise
6. CI/CD Pipeline Hardening
7. Container Image Provenance & Verification
8. SLSA Framework
9. Sigstore, Cosign, in-toto
10. SBOMs (SPDX, CycloneDX)
11. Dependency Scanning Tooling
12. Developer Host Hardening
13. Admission Control & Runtime Verification
14. Case Studies — Defensive Lessons
15. Detection Signals & IOCs
16. Defender Checklist
17. Reference Configurations

1. Fundamentals

A software supply chain attack compromises a dependency, tool, build system, or distribution channel that the target trusts, rather than attacking the target directly. The malicious payload rides in on a routine npm install, pip install, docker pull, or CI build — bypassing perimeter defenses because the artifact appears legitimate.

...
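The "appears legitimate" problem above is what hash pinning is meant to remove: the install is checked against a digest recorded at review time, not against how the package looks. As an added example (not code from the guide), a minimal checker that parses a requirements file in the hash-pinned layout `pip install --require-hashes` consumes and refuses any artifact that is unpinned or whose bytes do not match; the artifact bytes and the pin file are constructed stand-ins.

```python
import hashlib
import re

# Constructed stand-ins for a downloaded wheel and a tampered copy of it.
GOOD_ARTIFACT = b"PK\x03\x04 demo-wheel-1.0.0 contents"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\n# injected post-install hook"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed hash-pinned requirements file in the layout that
# `pip install --require-hashes` consumes. The digest was recorded when
# the good artifact was reviewed; it is the trust anchor for later installs.
PINNED_REQUIREMENTS = (
    "demo-wheel==1.0.0 \\\n"
    f"    --hash=sha256:{sha256_hex(GOOD_ARTIFACT)}\n"
    "other-lib==2.0.0 \\\n"
    "    --hash=sha256:" + "0" * 64 + "\n"
)

_PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([^\s\\]+)")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_pins(text: str) -> dict:
    """Map package name -> set of allowed sha256 digests. A pin may span
    several backslash-continued lines, so hashes attach to the last name seen."""
    pins, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _PIN_RE.match(line)
        if m:
            current = m.group(1).lower()
            pins.setdefault(current, set())
        if current is not None:
            pins[current].update(_HASH_RE.findall(line))
    return pins


def verify_artifact(name: str, data: bytes, pins: dict) -> tuple:
    """Return (ok, reason). Anything unpinned or mismatched is refused:
    looking legitimate is not enough, the bytes must match the recorded digest."""
    allowed = pins.get(name.lower())
    if not allowed:
        return False, "no hash pin recorded for package"
    digest = sha256_hex(data)
    if digest not in allowed:
        return False, "sha256 mismatch: " + digest[:12]
    return True, "digest matches pin"
```

The same check is what `pip install --require-hashes` performs for every package in the file; the point of doing it by hand here is to see that the decision rests only on the recorded digest.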