security · advanced
Supply-Chain Security and SBOMs
Quick answer
Supply-chain security protects how code, dependencies, and artifacts are built and delivered. An SBOM (Software Bill of Materials) lists components and versions so teams can detect exposure when a library is compromised.
Why this matters
- Attacks increasingly target builds and popular packages.
- You cannot patch what you cannot inventory.
- Customers and regulators ask about provenance.
Learning objectives
- Map supply-chain trust points. 2. Generate and store SBOMs. 3. Pin and review dependencies. 4. Harden CI signing. 5. Respond to upstream CVEs quickly.
Explain like I am 5
Know every Lego brick in your castle so if one brand recalls a brick, you can find it.
Mental model
flowchart LR
Dev --> CI
Deps --> CI
CI --> Artifact
Artifact --> SBOM
SBOM --> Response[CVE response]
Core concepts
Trust boundaries
Developers, CI, registries, runtime pull paths.Pinning & lockfiles
Reproducible builds; review sudden graph changes.SBOM formats
CycloneDX/SPDX inventories attached to releases.Signing
Sign artifacts; verify before deploy.Least install
Fewer dependencies → smaller attack surface.Worked example
Critical CVE in logging lib: SBOM query finds 12 services; automated PRs bump versions; hotfix pipeline prioritizes internet-facing apps.
Trade-offs
| Max dependency freedom | Strict allowlists |
|---|---|
| Speed | Friction |
Failure modes
| Mode | Mitigation |
|---|---|
| No inventory | SBOM in release |
| Mutable tags | Digest pins |
| Compromised CI | Isolated runners + secrets hygiene |
Interview mode
Skeleton: "Inventory with SBOMs, pin dependencies, sign artifacts, respond fast to upstream CVEs."
Human review
Educational overview of supply-chain hygiene. Production controls (signing policy, registry trust, SBOM tooling) must match your org’s security standards and customer contractual requirements.
Knowledge check
Listing software components/versions for visibility and incident response
Replacing unit tests entirely
Styling UI components
Measuring CPU temperature
By Shubham Jain