The SolarWinds compromise in 2020, the Log4Shell vulnerability in 2021, and the xz-utils backdoor (discovered in 2024) are the high-profile examples of a structural problem: the software supply chain is an attack surface.

What supply chain attacks target

A supply chain attack compromises software or infrastructure that is used to build or distribute other software. The attacker does not need to breach the target organisation directly: they compromise a dependency that the target trusts. SolarWinds was compromised at the build system level. The malicious update was distributed as a legitimate signed software update.

SBOM as the foundation

A Software Bill of Materials (SBOM) is a structured list of all components in a piece of software: direct dependencies, transitive dependencies, the versions of each, and their licences. SBOM is the inventory that enables supply chain security: you cannot identify vulnerable components in your software if you do not know what components are in it. The US executive order on cybersecurity (May 2021) required SBOMs for software sold to the federal government, driving adoption.

Dependency scanning in CI/CD

Integrating dependency vulnerability scanning into CI/CD pipelines is the first line of supply chain defence. GitHub Dependabot, Snyk, and OSV Scanner all scan dependencies against vulnerability databases and open pull requests for updates. The challenge is the volume: a typical Node.js project has thousands of transitive dependencies. Filtering noise from genuine risk requires either automated vulnerability severity thresholds or manual triage by a security team.

Signing and provenance

Software signing with tools like Sigstore (sigstore.dev) provides cryptographic proof that a build output was produced by a specific build system at a specific time from specific source code. For container images, cosign provides signing and verification. For packages, npm and PyPI added provenance support in 2023. The attestation chain, from source code to built artifact, needs to be cryptographically verifiable for the supply chain to be trustworthy.