Defending Against Software Supply Chain Attacks

The Expanding Attack Surface

Modern applications depend on hundreds of third-party packages. Each dependency is a potential entry point for attackers. The npm ecosystem alone serves 2+ billion package downloads daily.

Attack Vectors

Dependency Confusion — Publishing malicious packages to public registries that match internal package names

Typosquatting — Creating packages with names similar to popular ones

Account Compromise — Taking over maintainer accounts to inject malicious code

Build System Attacks — Compromising CI/CD pipelines to inject code during build

Defense in Depth

# .github/workflows/supply-chain-security.yml
name: Supply Chain Security
on: [push, pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Dependency Review
        uses: actions/dependency-review-action@v3
        with:
          fail-on-severity: moderate
      - name: SBOM Generation
        uses: anchore/sbom-action@v0
      - name: Vulnerability Scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          severity: 'HIGH,CRITICAL'

Practical Steps

Lock files — Always commit lock files and verify integrity hashes

Minimal dependencies — Audit and reduce your dependency tree

SBOM (Software Bill of Materials) — Generate and maintain for every release

Signed commits and artifacts — Verify provenance of every component

Supply chain security isn't optional anymore — it's a core engineering discipline.